Seemingly some (pre-treble) devices try to do something to the /system partition causing this denial:

avc: denied { relabelfrom } for comm="init" name="modules" dev="sda66" ino=1179683 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 ppid=0 pcomm="swapper/0"

Adding

allow init system_file:dir relabelfrom;

is not possible as it violates a neverallow rule in system/sepolicy/public/domain.te:

# Nobody should be doing writes to /system & /vendor
# These partitions are intended to be read-only and must never be
# modified. Doing so would violate important Android security guarantees
# and invalidate dm-verity signatures.
neverallow {
  domain
  with_asan(`-asan_extract')
  recovery_only(`userdebug_or_eng(`-fastbootd')')
} {
  system_file_type
  vendor_file_type
  exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };

Should we care about this? Maybe add an ignore rule to init.te.
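As an added example (not part of the issue above, and not AOSP tooling), the following Python script turns the quoted avc line into the allow rule that audit2allow would print and then checks that rule against a hand-modelled copy of the domain.te neverallow. The attribute memberships it uses (system_file in system_file_type, dir in dir_file_class_set, init in domain, and so on) are assumptions written into the script rather than read from real policy files, and the m4 build conditionals on the exclusions are reduced to explicit flags.

```python
import re

# Constructed sample input: the denial quoted in the issue, as one logcat/dmesg line.
DENIAL = ('avc: denied { relabelfrom } for comm="init" name="modules" dev="sda66" '
          'ino=1179683 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 '
          'tclass=dir permissive=0 ppid=0 pcomm="swapper/0"')

# Assumed attribute membership. This is a hand-written, simplified model of how AOSP
# sepolicy groups types (e.g. `typeattribute system_file system_file_type`); it is not
# parsed from real policy files, so adjust it to the tree you are checking.
ATTRIBUTES = {
    "domain": {"init", "asan_extract", "fastbootd", "shell", "untrusted_app"},
    "system_file_type": {"system_file", "system_lib_file"},
    "vendor_file_type": {"vendor_file"},
    "exec_type": {"init_exec", "shell_exec"},
    "dir_file_class_set": {"dir", "file", "lnk_file", "chr_file", "blk_file",
                           "sock_file", "fifo_file"},
}

# The neverallow from domain.te, with its m4 build conditionals turned into explicit
# flags: `with_asan(-asan_extract)` -> "asan",
# `recovery_only(userdebug_or_eng(-fastbootd))` -> "recovery_userdebug".
NEVERALLOW = {
    "sources": {"domain"},
    "conditional_excludes": {"asan_extract": "asan", "fastbootd": "recovery_userdebug"},
    "targets": {"system_file_type", "vendor_file_type", "exec_type"},
    "classes": {"dir_file_class_set"},
    "perms": {"create", "write", "setattr", "relabelfrom", "append",
              "unlink", "link", "rename"},
}

# Only the fields that matter for the rule are captured; name/dev/ino are ignored.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=u:r:(?P<source>[^:\s]+):.*?'
    r'tcontext=u:object_r:(?P<target>[^:\s]+):.*?'
    r'tclass=(?P<tclass>\S+)'
)


def parse_denial(line):
    """Pull source domain, target (file) type, class and permissions out of an avc line."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an avc denial: " + line)
    return {
        "source": m.group("source"),
        "target": m.group("target"),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def allow_rule_for(denial):
    """Render the allow rule that would silence the denial (what audit2allow would print)."""
    perms = sorted(denial["perms"])
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (denial["source"], denial["target"],
                                   denial["tclass"], perm_text)


def expand(names):
    """Expand attribute names to concrete types/classes; plain names map to themselves."""
    out = set()
    for name in names:
        out |= ATTRIBUTES.get(name, {name})
    return out


def neverallow_conflicts(denial, build_flags=frozenset()):
    """Return the permissions of the candidate allow rule that the neverallow forbids.

    An empty set means the rule would not trip this neverallow. build_flags names the
    build conditions under which the m4 exclusions apply, e.g. {"asan"}.
    """
    sources = expand(NEVERALLOW["sources"])
    for excluded, condition in NEVERALLOW["conditional_excludes"].items():
        if condition in build_flags:
            sources.discard(excluded)
    if denial["source"] not in sources:
        return set()
    if denial["target"] not in expand(NEVERALLOW["targets"]):
        return set()
    if denial["tclass"] not in expand(NEVERALLOW["classes"]):
        return set()
    return denial["perms"] & NEVERALLOW["perms"]


if __name__ == "__main__":
    d = parse_denial(DENIAL)
    print(allow_rule_for(d))
    clash = neverallow_conflicts(d)
    if clash:
        print("blocked by domain.te neverallow for:", " ".join(sorted(clash)))
    else:
        print("no conflict with the /system write neverallow")
```

The real check is the one the policy compiler performs at build time; this script only makes the reasoning visible: the generated rule lands squarely inside the neverallow's source, target and class sets, so the only change that leaves the neverallow untouched is one that suppresses the log entry (a dontaudit rule) rather than one that grants the access.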