Move sensors into enforcing.

Address the following denials:
<12>[   14.670682] type=1400 audit(88737.000:11): avc: denied { dac_override } for pid=340 comm="sensors.qcom" capability=1 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability permissive=1

<12>[   14.681372] type=1400 audit(88737.000:15): avc: denied { sys_nice } for pid=340 comm="sensors.qcom" capability=23 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability permissive=1
<12>[   14.683458] type=1400 audit(88737.000:16): avc: denied { create } for pid=340 comm="sensors.qcom" scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=socket permissive=1
<12>[   14.683535] type=1400 audit(88737.000:17): avc: denied { ioctl } for pid=340 comm="sensors.qcom" path="socket:[10571]" dev="sockfs" ino=10571 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=socket permissive=1
<12>[   14.683596] type=1400 audit(88737.000:18): avc: denied { bind } for pid=340 comm="sensors.qcom" scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=socket permissive=1
<12>[   14.683837] type=1400 audit(88737.000:20): avc: denied { search } for pid=418 comm="sensors.qcom" name="sensors" dev="mmcblk0p20" ino=12 scontext=u:r:sensors:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
<12>[   14.685871] type=1400 audit(88737.000:21): avc: denied { getattr } for pid=418 comm="sensors.qcom" path="/persist/sensors/sns.reg" dev="mmcblk0p20" ino=35 scontext=u:r:sensors:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
<12>[   14.686089] type=1400 audit(88737.000:24): avc: denied { read write } for pid=418 comm="sensors.qcom" name="sns.reg" dev="mmcblk0p20" ino=35 scontext=u:r:sensors:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
<12>[   14.686150] type=1400 audit(88737.000:25): avc: denied { open } for pid=418 comm="sensors.qcom" path="/persist/sensors/sns.reg" dev="mmcblk0p20" ino=35 scontext=u:r:sensors:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
<12>[   16.226654] type=1400 audit(88738.559:32): avc: denied { setattr } for pid=340 comm="sensors.qcom" name="sensors" dev="mmcblk0p20" ino=12 scontext=u:r:sensors:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
<12>[   16.245355] type=1400 audit(88738.559:33): avc: denied { chown } for pid=340 comm="sensors.qcom" capability=0 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability permissive=1
<12>[   18.459553] type=1400 audit(88740.789:37): avc: denied { setgid } for pid=340 comm="sensors.qcom" capability=6 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability permissive=1
<12>[   18.476258] type=1400 audit(88740.789:38): avc: denied { setuid } for pid=340 comm="sensors.qcom" capability=7 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability permissive=1

Bug: 16319212

Change-Id: I6f43f0053fb47d3dd401e2d8bb6cf64aa9c58405

1 files changed, 2 insertions, 2 deletions

diff --git a/init.shamu.rc b/init.shamu.rc
index 468212ec..eb536ad1 100644
--- a/init.shamu.rc
+++ b/init.shamu.rc
@@ -45,7 +45,6 @@ on init
 
 on fs
     mount_all fstab.shamu
-    restorecon_recursive /persist
     setprop ro.crypto.fuse_sdcard true
 
     # Keeping following partitions outside fstab file. As user may not have
@@ -53,7 +52,8 @@ on fs
     # results in failure to launch late-start class.
 
     wait /dev/block/platform/msm_sdcc.1/by-name/persist
-    mount ext4 /dev/block/platform/msm_sdcc.1/by-name/persist /persist nosuid nodev barrier=1 defcontext=u:object_r:persist_file:s0
+    mount ext4 /dev/block/platform/msm_sdcc.1/by-name/persist /persist nosuid nodev barrier=1
+    restorecon_recursive /persist
 
     mkdir /fsg 0755 root root
     mount ext4 /dev/block/platform/msm_sdcc.1/by-name/mdm1m9kefs3 /fsg ro nosuid nodev barrier=0