Merge "brilloemulator_x86/x86_64: Enable KVM if available"
diff --git a/sepolicy/brillo_service.te b/sepolicy/brillo_service.te
new file mode 100644
index 0000000..5692487
--- /dev/null
+++ b/sepolicy/brillo_service.te
@@ -0,0 +1,21 @@
+# Example domain for a Brillo service.
+# You can use 'brillo_service' as your service's domain directly,
+# or use it as a base for your service's own domain.
+type brillo_service, domain;
+type brillo_service_exec, exec_type, file_type;
+
+# To use 'brillo_service' as the domain for your service,
+# label the service's executable as 'brillo_service_exec' in the 'file_contexts'
+# file in this directory.
+# brillo_domain() below ensures that executables labelled 'brillo_service_exec'
+# will be put in the 'brillo_service' domain at runtime.
+
+# Allow domain transition from init, and access to D-Bus and Binder.
+# See 'te_macros' in this directory for details.
+brillo_domain(brillo_service)
+
+# Allow network access (e.g. opening sockets).
+net_domain(brillo_service)
+
+# Allow crash_reporter access to core dump files.
+allow_crash_reporter(brillo_service)
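Review bot: The header comment of this new file invites services to use `brillo_service` as their domain directly, so every executable labelled `brillo_service_exec` would run in one shared domain and pick up `net_domain` and the crash-reporter access whether or not it needs them. Services sharing a type are not separated from each other by policy, and a fault in any one of them carries the union of the rights granted here. I would make the per-service domain the recommended path in the comment, e.g. `# Prefer defining your own domain based on this file; use 'brillo_service' directly only while prototyping.`, and add `# Remove if the service does not open sockets.` above `net_domain(brillo_service)`. What `brillo_domain()` itself grants is defined in `te_macros`, outside this diff, so the full permission set cannot be judged from here.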
diff --git a/sepolicy/metrics_collector.te b/sepolicy/metrics_collector.te
index 895e480..d0a1551 100644
--- a/sepolicy/metrics_collector.te
+++ b/sepolicy/metrics_collector.te
@@ -40,6 +40,9 @@
 # Allow reading os-release.d properties.
 r_dir_file(metrics_collector, os_release_file);
 
+# Reduce logging.
+dontaudit metrics_collector debugfs:dir search;
+
 ################################
 # metrics_client
 type metrics_client_exec, exec_type, file_type;
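Review bot: `dontaudit metrics_collector debugfs:dir search;` is justified only by "Reduce logging", which records neither what triggers the search nor why it is safe to deny it silently. A dontaudit rule keeps the denial but drops the audit record, so any later, unexpected probing of debugfs by this domain would leave no trace for whoever reviews denials. The comment should name the cause, for example `# <code path that probes debugfs> searches debugfs at startup; access is not needed, so suppress the denial.` with the actual source filled in. The same applies to the `cgroup:dir` and `debugfs:dir` rules added at the end of sepolicy/metricsd.te.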
diff --git a/sepolicy/metricsd.te b/sepolicy/metricsd.te
index 93375fe..8e6de34 100644
--- a/sepolicy/metricsd.te
+++ b/sepolicy/metricsd.te
@@ -29,3 +29,7 @@
 
 # Allow reading os-release.d properties.
 r_dir_file(metricsd, os_release_file);
+
+# Reduce logging.
+dontaudit metricsd cgroup:dir search;
+dontaudit metricsd debugfs:dir search;