# SELinux domain definition for healthd, a daemon launched by init
# (see init_daemon_domain below and the init.rc note here).
#
# healthd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type healthd, domain;
type healthd_exec, exec_type, file_type;

# Standard init-launched daemon domain setup (macro from te_macros;
# check it for the exact rules it expands to).
init_daemon_domain(healthd)
# The binary is on the rootfs (see the seclabel note above), so the
# domain needs read + entrypoint on rootfs files in order to be entered.
allow healthd rootfs:file { read entrypoint };
# Kernel log write access (macro).
write_klog(healthd)
# /dev/__null__ created by init prior to policy load,
# open fd inherited by healthd.
allow healthd tmpfs:chr_file { read write };

# Privileged capabilities. net_admin is presumably needed for the uevent
# netlink socket granted below and mknod for creating device nodes --
# TODO confirm both against the healthd source / denial logs before
# widening or relaxing them.
allow healthd self:capability { net_admin mknod };
# block_suspend (capability2): see the permissive workaround note at the
# bottom of this file.
allow healthd self:capability2 block_suspend;
# Kernel uevent netlink socket (presumably for hardware state change
# notifications -- confirm against healthd).
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
# Binder: use binder, register as a binder service, and call
# system_server (the binder_call macro may grant the reverse direction
# too; see te_macros).
binder_use(healthd)
binder_service(healthd)
binder_call(healthd, system_server)

# Workaround for 0x10 / block_suspend capability2 denials.
# Requires a kernel patch to fix properly.
#
# SECURITY NOTE(review): `permissive` applies to the whole healthd domain,
# not just the capability2 check -- every denial for healthd is logged but
# NOT enforced, so none of the allow rules above actually confine the
# daemon while this line is present. Treat it as temporary: remove it once
# the kernel fix lands and re-verify the rule set against the denials that
# then appear.
permissive healthd;