recovery: allow changing unlabeled symbolic links

Currently, recovery is allowed write access to the following three
file labels:

* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directory and files)

system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.

The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.

The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.

Allow unlabeled symbolic link modifications.

Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c

1 files changed, 1 insertions, 1 deletions

diff --git a/recovery.te b/recovery.te
index 75a024c..204c096 100644
--- a/recovery.te
+++ b/recovery.te
@@ -29,7 +29,7 @@ recovery_only(`
 
   # We may be asked to set an SELinux label for a type not known to the
   # currently loaded policy. Allow it.
-  allow recovery unlabeled:file { create_file_perms relabelfrom relabelto };
+  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
 
   # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux