# Rules for bootable/userfastboot, which does nearly everything that the
# neverallow rules in external/sepolicy are meant to catch.
#
# Security note: the domain declared below is permissive, so denials are
# not enforced, and the dontaudit rules also suppress the matching denial
# logs. For the accesses listed here there is neither enforcement nor an
# audit trail. The userfastboot_only wrapper is the only thing keeping the
# type out of other builds; that macro is defined outside this file, so
# confirm it expands to nothing on non-userfastboot targets.
userfastboot_only(`
# NOTE: everything from here to the closing quote is one m4 quoted
# argument. Keep comments in this body free of apostrophes and backticks,
# since either one would change where the quoted string ends.
# Keep the type from infiltrating non-userfastboot
# builds.
type userfastboot, domain;
# Permissive: access checks for this domain are evaluated but never
# blocked; a denial would only produce a log message.
permissive userfastboot;
# For silence: each dontaudit rule hides the denial messages that the
# permissive domain would otherwise log for that access.
# Own capabilities, kernel security/system operations, memory protection.
dontaudit userfastboot self:capability_class_set *;
dontaudit userfastboot kernel:security *;
dontaudit userfastboot kernel:system *;
dontaudit userfastboot self:memprotect *;
# Access to every type carrying the domain attribute (all processes).
dontaudit userfastboot domain:process *;
dontaudit userfastboot domain:fd *;
# Only the read (dir, lnk_file) and read/write (fifo_file, file) permission
# sets are silenced here; other permissions on these classes still log.
dontaudit userfastboot domain:dir r_dir_perms;
dontaudit userfastboot domain:lnk_file r_file_perms;
dontaudit userfastboot domain:{ fifo_file file } rw_file_perms;
dontaudit userfastboot domain:socket_class_set *;
dontaudit userfastboot domain:ipc_class_set *;
dontaudit userfastboot domain:key *;
# Every permission on every filesystem, device and file type.
dontaudit userfastboot fs_type:filesystem *;
dontaudit userfastboot fs_type:dir_file_class_set *;
dontaudit userfastboot dev_type:dir_file_class_set *;
dontaudit userfastboot file_type:dir_file_class_set *;
# Network: nodes, interfaces, port bind/connect and peer receive.
dontaudit userfastboot node_type:node *;
dontaudit userfastboot node_type:{ tcp_socket udp_socket } node_bind;
dontaudit userfastboot netif_type:netif *;
dontaudit userfastboot port_type:socket_class_set name_bind;
dontaudit userfastboot port_type:{ tcp_socket dccp_socket } name_connect;
dontaudit userfastboot domain:peer recv;
# Binder operations against any domain, and setting any property type.
dontaudit userfastboot domain:binder *;
dontaudit userfastboot property_type:property_service set;
')