apex_sepolicy_tests: check apex roots are search-able

Narrow down the check for apex roots. It was 'read', but 'search' should
be enough.

Bug: 310528686
Test: m
Change-Id: Ibe5f2e948464580832d87e8d8364c33a437efed2
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 3c51b67..ab01745 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -59,10 +59,11 @@
 Matcher = Is | Glob | Regex
 
 @dataclass
-class AllowRead:
-    """Rule checking if scontext can read the entity"""
+class AllowPerm:
+    """Rule checking if scontext has 'perm' to the entity"""
     tclass: str
     scontext: set[str]
+    perm: str
 
 
 @dataclass
@@ -71,7 +72,12 @@
     pass
 
 
-Rule = AllowRead | ResolveType
+Rule = AllowPerm | ResolveType
+
+
+# Helper for 'read'
+def AllowRead(tclass, scontext):
+    return AllowPerm(tclass, scontext, 'read')
 
 
 def match_path(path: str, matcher: Matcher) -> bool:
@@ -89,17 +95,17 @@
     """Returns error message if scontext can't read the target"""
     errors = []
     match rule:
-        case AllowRead(tclass, scontext):
+        case AllowPerm(tclass, scontext, perm):
             # Test every source in scontext(set)
             for s in scontext:
                 te_rules = list(pol.QueryTERule(scontext={s},
                                                 tcontext={tcontext},
                                                 tclass={tclass},
-                                                perms={'read'}))
+                                                perms={perm}))
                 if len(te_rules) > 0:
                     continue  # no errors
 
-                errors.append(f"Error: {path}: {s} can't read. (tcontext={tcontext})")
+                errors.append(f"Error: {path}: {s} can't {perm}. (tcontext={tcontext})")
         case ResolveType():
             if tcontext not in pol.GetAllTypes(False):
                 errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
@@ -122,7 +128,7 @@
     (Glob('./etc/vintf/*.xml'), AllowRead('file', {'servicemanager', 'apexd'})),
     # ./ and apex_manifest.pb
     (Is('./apex_manifest.pb'), AllowRead('file', {'linkerconfig', 'apexd'})),
-    (Is('./'), AllowRead('dir', {'linkerconfig', 'apexd'})),
+    (Is('./'), AllowPerm('dir', {'linkerconfig', 'apexd'}, 'search')),
     # linker.config.pb
     (Is('./etc/linker.config.pb'), AllowRead('file', {'linkerconfig'})),
 ]
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 6e719ed..3fee43d 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -96,7 +96,7 @@
         self.assert_error('./etc/linker.config.pb u:object_r:vendor_file:s0',
                         r'Error: .*linkerconfig.* can\'t read')
         self.assert_error('./ u:object_r:apex_data_file:s0',
-                        r'Error: .*linkerconfig.* can\'t read')
+                        r'Error: .*linkerconfig.* can\'t search')
 
     def test_unknown_label(self):
         self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',