Todd Poynor | b2b87d9 | 2013-06-03 14:09:54 -0700 | [diff] [blame] | 1 | # healthd seclabel is specified in init.rc since |
| 2 | # it lives in the rootfs and has no unique file type. |
| | # NOTE(review): the binary is therefore labelled rootfs rather than healthd_exec, |
| | # so the domain is presumably entered through the init.rc seclabel and not through |
| | # a transition keyed on the file type - confirm against init.rc. |
| 3 | type healthd, domain; |
Todd Poynor | b2b87d9 | 2013-06-03 14:09:54 -0700 | [diff] [blame] | 4 | type healthd_exec, exec_type, file_type; |
| 5 | |
| 6 | init_daemon_domain(healthd) |
| | # Entrypoint is granted on rootfs:file because the binary has no type of its own. |
| | # The rootfs label is not unique to healthd, so this rule is broader than an |
| | # entrypoint on a dedicated exec type would be. |
Stephen Smalley | 2a604ad | 2013-11-04 09:53:46 -0500 | [diff] [blame^] | 7 | allow healthd rootfs:file { read entrypoint }; |
Todd Poynor | b2b87d9 | 2013-06-03 14:09:54 -0700 | [diff] [blame] | 8 | write_klog(healthd) |
| 9 | |
| | # Capabilities and the uevent netlink socket granted to healthd itself. |
| | # NOTE(review): the file does not say why net_admin and mknod are needed - |
| | # confirm each is still required before keeping it. |
Stephen Smalley | 2a604ad | 2013-11-04 09:53:46 -0500 | [diff] [blame^] | 10 | allow healthd self:capability { net_admin mknod }; |
| 11 | allow healthd self:capability2 block_suspend; |
| 12 | allow healthd self:netlink_kobject_uevent_socket create_socket_perms; |
| | # Binder access; the macros are defined outside this file. Presumably this lets |
| | # healthd use binder and make calls into system_server - verify against the macro definitions. |
| 13 | binder_use(healthd) |
| 14 | binder_call(healthd, system_server) |
Todd Poynor | b2b87d9 | 2013-06-03 14:09:54 -0700 | [diff] [blame] | 15 | |
Stephen Smalley | 2a604ad | 2013-11-04 09:53:46 -0500 | [diff] [blame^] | 16 | # Workaround for 0x10 / block_suspend capability2 denials. |
| 17 | # Requires a kernel patch to fix properly. |
| | # While the domain is permissive, denials for healthd are logged but not enforced, |
| | # so the allow rules above do not confine it. Remove this line once the |
| | # block_suspend denials are resolved so the policy is enforced. |
| 18 | permissive healthd; |