target/board/generic/sepolicy/execns.te

# Network namespace transitions
type execns, domain;
type execns_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(execns)

allow execns varrun_file:dir search;
allow execns varrun_file:file r_file_perms;
allow execns self:capability sys_admin;
allow execns nsfs:file { open read };

#Allow execns itself to be run by init in its own domain
domain_auto_trans(init, execns_exec, execns);

# Allow dhcpclient to be run by execns in its own domain
domain_auto_trans(execns, dhcpclient_exec, dhcpclient);

# Allow dhcpserver to be run by execns in its own domain
domain_auto_trans(execns, dhcpserver_exec, dhcpserver);

# Rules to allow execution of hostapd and allow it to run
allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };
allow execns self:capability { net_admin net_raw };
allow execns self:netlink_generic_socket { bind create getattr read setopt write };
allow execns self:netlink_route_socket { bind create read write nlmsg_write };
allow execns execns:udp_socket { create ioctl };
allow execns self:packet_socket { create setopt };
allow execns sysfs_net:dir { search };
allowxperm execns self:udp_socket ioctl priv_sock_ioctls;

# Allow execns to read createns proc file to get the namespace file
allow execns createns:file read;
allow execns createns:dir search;
allow execns createns:lnk_file read;