shared/sepolicy/vendor/recovery.te - device/google/cuttlefish - Gitiles

 # Allow minui access to /dev/dri/card0
 allow recovery gpu_device:dir search;
 allow recovery graphics_device:chr_file rw_file_perms;

 # Allow sideload from file pushed to fake /sdcard
 allow recovery appdomain_tmpfs:file r_file_perms;

 # Seen during 'Wipe data/factory reset'
 allow recovery cache_block_device:blk_file rw_file_perms;
 allow recovery devpts:chr_file rw_file_perms;
 allow recovery kmsg_device:chr_file { getattr w_file_perms };
 # Note: fsetid checks are triggered when creating a file in a directory with
 # the setgid bit set to determine if the file should inherit setgid. In this
 # case, setgid on the file is undesirable so we should just suppress the
 # denial.
 dontaudit recovery self:global_capability_class_set fsetid;
	# Allow minui access to /dev/dri/card0
	allow recovery gpu_device:dir search;
	allow recovery graphics_device:chr_file rw_file_perms;

	# Allow sideload from file pushed to fake /sdcard
	allow recovery appdomain_tmpfs:file r_file_perms;

	# Seen during 'Wipe data/factory reset'
	allow recovery cache_block_device:blk_file rw_file_perms;
	allow recovery devpts:chr_file rw_file_perms;
	allow recovery kmsg_device:chr_file { getattr w_file_perms };
	# Note: fsetid checks are triggered when creating a file in a directory with
	# the setgid bit set to determine if the file should inherit setgid. In this
	# case, setgid on the file is undesirable so we should just suppress the
	# denial.
	dontaudit recovery self:global_capability_class_set fsetid;