From 662dc87e323a816c0a1b2b64b98f3f3cf2c691fe Mon Sep 17 00:00:00 2001
From: Donnie Pollitz
Date: Mon, 27 Nov 2023 11:55:00 +0100
Subject: [PATCH] trusty: Fix selinux denials for block devices

Bug: 312894027
Test: Confirmed avc denial is gone on boot
Change-Id: Iaa87cdef24214a2b6f6eba2af917c03bbbb4bfb5
Signed-off-by: Donnie Pollitz
---
 legacy/zuma/vendor/tee.te | 1 -
 tracking_denials/tee.te | 2 --
 vendor/device.te | 2 ++
 vendor/tee.te | 4 ++--
 4 files changed, 4 insertions(+), 5 deletions(-)
 delete mode 100644 tracking_denials/tee.te

diff --git a/legacy/zuma/vendor/tee.te b/legacy/zuma/vendor/tee.te
index c99a02d..8551b24 100644
--- a/legacy/zuma/vendor/tee.te
+++ b/legacy/zuma/vendor/tee.te
@@ -7,7 +7,6 @@ allow tee persist_file:dir r_dir_perms;
 allow tee mnt_vendor_file:dir r_dir_perms;
 allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:lnk_file r_file_perms;
-allow tee tee_persist_block_device:blk_file rw_file_perms;
 allow tee block_device:dir search;
 # Allow storageproxyd access to gsi_public_metadata_file
diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te
deleted file mode 100644
index 267a291..0000000
--- a/tracking_denials/tee.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/312894027
-dontaudit tee tee_userdata_block_device:blk_file { read write };
diff --git a/vendor/device.te b/vendor/device.te
index cef6cd1..b5f1575 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -1 +1,3 @@
 type lwis_device, dev_type;
+type tee_persist_block_device, dev_type;
+type tee_userdata_block_device, dev_type;
diff --git a/vendor/tee.te b/vendor/tee.te
index 9fd01ec..ba5ee08 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -1,2 +1,2 @@
-type tee_persist_block_device, dev_type;
-type tee_userdata_block_device, dev_type;
+allow tee tee_persist_block_device:blk_file rw_file_perms;
+allow tee tee_userdata_block_device:blk_file rw_file_perms;
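Review bot: The two `dev_type` declarations added to vendor/device.te have no comment saying which device nodes they label, and the file_contexts entries that assign these types are not part of this patch. Since vendor/tee.te now grants the `tee` domain read-write access to both types, the real scope of that grant depends on how narrowly those labelling entries match, which cannot be checked from here. A short comment above the two lines would help an auditor, for example `# Block devices used by Trusty storage; labelled in file_contexts` (wording to be confirmed by the author), together with a check that each label matches a single partition path.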
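Review bot: The new rule `allow tee tee_userdata_block_device:blk_file rw_file_perms;` in vendor/tee.te grants more than the denial it replaces. The removed dontaudit covered only `{ read write }`, whereas `rw_file_perms` in AOSP's global macros also includes open, getattr, ioctl, lock, append and map. `open` is presumably needed once read/write is allowed, but the Test line only says the boot-time avc denial is gone, so nothing here shows that ioctl on a raw block device is required. Either spell out the set actually needed (for example `{ getattr open read write }`, if that proves sufficient on device) or keep the macro and add a comment such as `# storageproxyd backs Trusty secure storage on these partitions`, so the raw block-device access is justified where it is granted.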