| Todd Poynor | b2b87d9 | 2013-06-03 14:09:54 -0700 | [diff] [blame] | 1 | # healthd seclabel is specified in init.rc since |
| 2 | # it lives in the rootfs and has no unique file type. |
| 3 | type healthd, domain; |
| Todd Poynor | b2b87d9 | 2013-06-03 14:09:54 -0700 | [diff] [blame] | 4 | type healthd_exec, exec_type, file_type; |
| 5 | |
| 6 | init_daemon_domain(healthd) |
| Stephen Smalley | 2a604ad | 2013-11-04 09:53:46 -0500 | [diff] [blame] | 7 | allow healthd rootfs:file { read entrypoint }; |
| Todd Poynor | b2b87d9 | 2013-06-03 14:09:54 -0700 | [diff] [blame] | 8 | write_klog(healthd) |
| 9 | |
| Stephen Smalley | 2a604ad | 2013-11-04 09:53:46 -0500 | [diff] [blame] | 10 | allow healthd self:capability { net_admin mknod }; |
| 11 | allow healthd self:capability2 block_suspend; |
| 12 | allow healthd self:netlink_kobject_uevent_socket create_socket_perms; |
| 13 | binder_use(healthd) |
| Nick Kralevich | 09e6abd | 2013-12-13 22:19:45 -0800 | [diff] [blame^] | 14 | binder_service(healthd) |
| Stephen Smalley | 2a604ad | 2013-11-04 09:53:46 -0500 | [diff] [blame] | 15 | binder_call(healthd, system_server) |
| Todd Poynor | b2b87d9 | 2013-06-03 14:09:54 -0700 | [diff] [blame] | 16 | |
| Stephen Smalley | 2a604ad | 2013-11-04 09:53:46 -0500 | [diff] [blame] | 17 | # Workaround for 0x10 / block_suspend capability2 denials. |
| 18 | # Requires a kernel patch to fix properly. |
| 19 | permissive healthd; |