SE Android policy.
diff --git a/system.te b/system.te
new file mode 100644
index 0000000..eff7386
--- /dev/null
+++ b/system.te
@@ -0,0 +1,134 @@
+#
+# Apps that run with the system UID, e.g. com.android.system.ui,
+# com.android.settings.  These are not as privileged as the system
+# server.
+#
+type system_app, domain;
+app_domain(system_app)
+
+# Perform binder IPC to any app domain.
+binder_call(system_app, appdomain)
+binder_transfer(system_app, appdomain)
+
+# Read and write system data files.
+# May want to split into separate types.
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+
+# Write to dalvikcache.
+allow system_app dalvikcache_data_file:file { write setattr };
+
+# Talk to keystore.
+unix_socket_connect(system_app, keystore, keystore)
+
+# Read SELinux enforcing status.
+selinux_getenforce(system_app)
+
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system, domain, mlstrustedsubject;
+
+# Child of the zygote.
+allow system zygote:fd use;
+allow system zygote:process sigchld;
+allow system zygote_tmpfs:file read;
+
+# system server gets network and bluetooth permissions.
+net_domain(system)
+bluetooth_domain(system)
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+# XXX See if we can remove some of these.
+allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
+
+# Use netlink uevent sockets.
+allow system self:netlink_kobject_uevent_socket *;
+
+# Kill apps.
+allow system appdomain:process { sigkill signal };
+
+# Read /proc data for apps.
+allow system appdomain:dir r_dir_perms;
+allow system appdomain:{ file lnk_file } rw_file_perms;
+
+# Write to /proc/net/xt_qtaguid/ctrl.
+# XXX Split /proc/net into its own type.
+allow system proc:file write;
+
+# Notify init of death.
+allow system init:process sigchld;
+
+# Talk to init and various daemons via sockets.
+unix_socket_connect(system, property, init)
+unix_socket_connect(system, qemud, qemud)
+unix_socket_connect(system, installd, installd)
+unix_socket_connect(system, netd, netd)
+unix_socket_connect(system, vold, vold)
+unix_socket_connect(system, zygote, zygote)
+unix_socket_connect(system, keystore, keystore)
+unix_socket_connect(system, dbus, dbusd)
+unix_socket_connect(system, gps, gpsd)
+unix_socket_connect(system, bluetooth, bluetoothd)
+unix_socket_send(system, wpa, wpa)
+
+# Perform Binder IPC.
+tmpfs_domain(system)
+binder_use(system)
+binder_call(system, binderservicedomain)
+binder_call(system, appdomain)
+binder_service(system)
+# Transfer other Binder references.
+binder_transfer(system, binderservicedomain)
+binder_transfer(system, appdomain)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(system, appdomain)
+r_dir_file(system, mediaserver)
+allow system appdomain:process getattr;
+allow system mediaserver:process getattr;
+
+# Specify any arguments to zygote.
+allow system self:zygote *;
+
+# Check SELinux permissions.
+selinux_check_access(system)
+
+# XXX Label sysfs files with a specific type?
+allow system sysfs:file rw_file_perms;
+
+# Access devices.
+allow system device:chr_file rw_file_perms;
+allow system akm_device:chr_file rw_file_perms;
+allow system accelerometer_device:chr_file rw_file_perms;
+allow system alarm_device:chr_file rw_file_perms;
+allow system graphics_device:dir search;
+allow system graphics_device:chr_file rw_file_perms;
+allow system input_device:dir r_dir_perms;
+allow system input_device:chr_file rw_file_perms;
+allow system tty_device:chr_file rw_file_perms;
+allow system urandom_device:chr_file rw_file_perms;
+allow system video_device:chr_file rw_file_perms;
+allow system qemu_device:chr_file rw_file_perms;
+
+# Manage data files.
+allow system data_file_type:dir create_dir_perms;
+allow system data_file_type:notdevfile_class_set create_file_perms;
+
+# Create a socket for receiving info from wpa.
+type_transition system wifi_data_file:sock_file system_wpa_socket;
+allow system system_wpa_socket:sock_file create_file_perms;
+
+# Manage cache files.
+allow system cache_file:dir create_dir_perms;
+allow system cache_file:file create_file_perms;
+
+# Run system programs, e.g. dexopt.
+allow system system_file:file x_file_perms;
+
+# Silently deny any /proc accesses that are not allowed.
+# This suppresses noise from walking the process list.
+dontaudit system domain:dir r_dir_perms;
+dontaudit system domain:file r_file_perms;
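Review bot: The comment above the rule at L62 says "Read /proc data for apps", but the rule grants `rw_file_perms` on `appdomain:{ file lnk_file }`, so it also allows writes to every app process's /proc entries; either the comment or the permission set is wrong. If writing is intended, change the comment to `# Read and write /proc data for apps.`, otherwise narrow the rule to `allow system appdomain:{ file lnk_file } r_file_perms;` so the grant matches the stated intent. Related, the pair at L124–L125 gives `system` `create_dir_perms`/`create_file_perms` over the whole `data_file_type` attribute, which presumably spans every data file type in the policy including per-app data; a one-line comment stating why system_server needs unrestricted create/unlink over all of those types, or a list of the types actually required, would make the scope auditable. The wildcard permission sets on L55 (`netlink_kobject_uevent_socket *`) and L101 (`self:zygote *`) would likewise benefit from a comment naming the operations actually exercised, so a later reviewer can tighten them without guessing.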