sepolicy/fake-nvram.te - device/generic/brillo - Git at Google

 # Declare a domain for fake-nvram.
 type fake-nvram, domain;
 type fake-nvram_exec, exec_type, file_type;
 type fake-nvram_data_file, file_type, data_file_type;
 type fake-nvram_socket, file_type;

 brillo_domain(fake-nvram)

 # Allow crash_reporter access to core dump files.
 allow_crash_reporter(fake-nvram)

 # Allow Minijail to drop privilege.
 allow fake-nvram self:capability { setuid setgid };

 # Allow persistent data.
 allow fake-nvram fake-nvram_data_file:dir rw_dir_perms;
 allow fake-nvram fake-nvram_data_file:file create_file_perms;
	# Declare a domain for fake-nvram.
	type fake-nvram, domain;
	type fake-nvram_exec, exec_type, file_type;
	type fake-nvram_data_file, file_type, data_file_type;
	type fake-nvram_socket, file_type;

	brillo_domain(fake-nvram)

	# Allow crash_reporter access to core dump files.
	allow_crash_reporter(fake-nvram)

	# Allow Minijail to drop privilege.
	allow fake-nvram self:capability { setuid setgid };

	# Allow persistent data.
	allow fake-nvram fake-nvram_data_file:dir rw_dir_perms;
	allow fake-nvram fake-nvram_data_file:file create_file_perms;