Ignore the denial when system_other is erased

This CL addresses the following denial, when the system_other
partition is erased. This happens when 1) the device gets an
OTA update and 2) factory reset to wipe userdata partition.

Note that the system_other partition will be mounted under
/postinstall only in the first boot after factory reset.
Also, system_other.img is only included in the factory ROM and
is absent in the OTA package. When it is absent and userdata
is wiped, the mount will fail and triggers the following denials
when both cppreopts.sh and preloads_copy.sh access /postinstall dir.

SELinux denials to address:
  avc: denied { search } for comm="find" name="postinstall" dev="dm-5"
  ino=44 scontext=u:r:preloads_copy:s0
  tcontext=u:object_r:postinstall_mnt_dir:s0 tclass=dir permissive=0

  avc: denied { search } for comm="cppreopts.sh" name="postinstall" dev="dm-5"
  ino=44 scontext=u:r:cppreopts:s0
  tcontext=u:object_r:postinstall_mnt_dir:s0 tclass=dir permissive=0

Bug: 152453231
Test: fastboot erase system_other (e.g., system_b) and fastboot -w
Change-Id: Ie67f02467d5da51b0caba6e8fda56bc2c6bbc944
(cherry picked from commit 35c2f102f29a0f9d73e526f1fa6fdb163f75b48c)

4 files changed, 16 insertions, 0 deletions

diff --git a/prebuilts/api/29.0/private/cppreopts.te b/prebuilts/api/29.0/private/cppreopts.te
index 1a8fa0bf..1192ba67 100644
--- a/prebuilts/api/29.0/private/cppreopts.te
+++ b/prebuilts/api/29.0/private/cppreopts.te
@@ -25,3 +25,7 @@ allow cppreopts system_file:dir { open read };
 # Allow running the cp command using cppreopts permissions. Needed so we can
 # write into dalvik-cache
 allow cppreopts toolbox_exec:file rx_file_perms;
+
+# Silence the denial when /postinstall cannot be mounted, e.g., system_other
+# is wiped, but cppreopts.sh still runs.
+dontaudit cppreopts postinstall_mnt_dir:dir search;
diff --git a/prebuilts/api/29.0/private/preloads_copy.te b/prebuilts/api/29.0/private/preloads_copy.te
index 7177839f..ba54b70a 100644
--- a/prebuilts/api/29.0/private/preloads_copy.te
+++ b/prebuilts/api/29.0/private/preloads_copy.te
@@ -12,3 +12,7 @@ allow preloads_copy preloads_media_file:file create_file_perms;
 
 # Allow to copy from /postinstall
 allow preloads_copy system_file:dir r_dir_perms;
+
+# Silence the denial when /postinstall cannot be mounted, e.g., system_other
+# is wiped, but preloads_copy.sh still runs.
+dontaudit preloads_copy postinstall_mnt_dir:dir search;
diff --git a/private/cppreopts.te b/private/cppreopts.te
index 1a8fa0bf..1192ba67 100644
--- a/private/cppreopts.te
+++ b/private/cppreopts.te
@@ -25,3 +25,7 @@ allow cppreopts system_file:dir { open read };
 # Allow running the cp command using cppreopts permissions. Needed so we can
 # write into dalvik-cache
 allow cppreopts toolbox_exec:file rx_file_perms;
+
+# Silence the denial when /postinstall cannot be mounted, e.g., system_other
+# is wiped, but cppreopts.sh still runs.
+dontaudit cppreopts postinstall_mnt_dir:dir search;
diff --git a/private/preloads_copy.te b/private/preloads_copy.te
index 7177839f..ba54b70a 100644
--- a/private/preloads_copy.te
+++ b/private/preloads_copy.te
@@ -12,3 +12,7 @@ allow preloads_copy preloads_media_file:file create_file_perms;
 
 # Allow to copy from /postinstall
 allow preloads_copy system_file:dir r_dir_perms;
+
+# Silence the denial when /postinstall cannot be mounted, e.g., system_other
+# is wiped, but preloads_copy.sh still runs.
+dontaudit preloads_copy postinstall_mnt_dir:dir search;