| # Declare a domain for fake-nvram. |
| type fake-nvram, domain; |
| type fake-nvram_exec, exec_type, file_type; |
| type fake-nvram_data_file, file_type, data_file_type; |
| type fake-nvram_socket, file_type; |
| |
| brillo_domain(fake-nvram) |
| |
| # Allow crash_reporter access to core dump files. |
| allow_crash_reporter(fake-nvram) |
| |
| # Allow Minijail to drop privilege. |
| allow fake-nvram self:capability { setuid setgid }; |
| |
| # Allow persistent data. |
| allow fake-nvram fake-nvram_data_file:dir rw_dir_perms; |
| allow fake-nvram fake-nvram_data_file:file create_file_perms; |