sepolicy/metricsd.te - device/generic/brillo - Git at Google

 # Shared metrics files.
 type metrics_data_file, file_type, data_file_type;

 ###############################
 # metricsd
 type metricsd, domain;
 type metricsd_exec, exec_type, file_type;
 type metricsd_data_file, file_type, data_file_type;

 brillo_domain(metricsd)
 net_domain(metricsd)

 # Allow crash_reporter access to core dump files.
 allow_crash_reporter(metricsd)

 # Rules for accessing the private files.
 allow metricsd metricsd_data_file:dir rw_dir_perms;
 allow metricsd metricsd_data_file:file create_file_perms;

 # Rules for reading the shared files.
 allow metricsd metrics_data_file:dir r_dir_perms;
 allow metricsd metrics_data_file:file r_file_perms;

 # Allow adding the service.
 allow metricsd metricsd_service:service_manager { add find };

 allow metricsd system_file:dir getattr;

 # Allow reading os-release.d properties.
 r_dir_file(metricsd, os_release_file);

 # Allow calling update engine.
 allow_call_update_engine(metricsd);
	# Shared metrics files.
	type metrics_data_file, file_type, data_file_type;

	###############################
	# metricsd
	type metricsd, domain;
	type metricsd_exec, exec_type, file_type;
	type metricsd_data_file, file_type, data_file_type;

	brillo_domain(metricsd)
	net_domain(metricsd)

	# Allow crash_reporter access to core dump files.
	allow_crash_reporter(metricsd)

	# Rules for accessing the private files.
	allow metricsd metricsd_data_file:dir rw_dir_perms;
	allow metricsd metricsd_data_file:file create_file_perms;

	# Rules for reading the shared files.
	allow metricsd metrics_data_file:dir r_dir_perms;
	allow metricsd metrics_data_file:file r_file_perms;

	# Allow adding the service.
	allow metricsd metricsd_service:service_manager { add find };

	allow metricsd system_file:dir getattr;

	# Allow reading os-release.d properties.
	r_dir_file(metricsd, os_release_file);

	# Allow calling update engine.
	allow_call_update_engine(metricsd);