# This file contains Brillo-specific SELinux policy for
# update_engine. For the main update_engine policy, see
# external/sepolicy/update_engine.te
#
# Every statement below adds permissions to the update_engine domain on
# top of that main policy. The helper macros used here are defined
# outside this file; check their expansion there when auditing the
# effective permission set.
#
# Allow update_engine to use D-Bus.
# update_engine is the client; dbus_daemon is the server domain.
# NOTE(review): presumably follows the AOSP te_macros convention in which
# the second argument names the socket file type (dbus_daemon_socket) and
# the third the domain that may be connected to -- confirm.
unix_socket_connect(update_engine, dbus_daemon, dbus_daemon)
# Allow using metrics_lib.
# NOTE(review): allow_metrics_reporting is not defined in this file; the
# files or sockets it opens up to update_engine should be confirmed in
# the macro definition.
allow_metrics_reporting(update_engine)
# Allow hosting of the binder service.
# "add" lets update_engine register update_engine_service with the
# service manager; "find" additionally lets it look that service up.
allow update_engine update_engine_service:service_manager { add find };
# Allow read/write on misc partition. This can be removed when we're no
# longer using the boot_control_copy implementation of the boot_control
# HAL.
# This is raw read/write access to the block device node labelled
# misc_block_device (class blk_file), not to files on a filesystem, so it
# is the broadest grant in this file and the one to drop first once the
# condition above is met.
allow update_engine misc_block_device:blk_file rw_file_perms;
# Allow reading os-release.d properties.
# Read-only access to directories and files labelled os_release_file.
# NOTE(review): this is the only macro call in the file followed by ';'
# -- confirm the trailing semicolon is intended.
r_dir_file(update_engine, os_release_file);
# Allow crash_reporter access to core dump files.
# NOTE(review): the macro is applied to update_engine, so this presumably
# lets crash_reporter collect update_engine's own core dumps; the macro
# is defined elsewhere -- confirm which side gains which permissions.
allow_crash_reporter(update_engine)
# Allow update_engine to talk to weaved over binder.
# NOTE(review): allow_call_weave is defined elsewhere; confirm it grants
# only binder calls to weaved and nothing in the reverse direction that
# update_engine does not need.
allow_call_weave(update_engine)