sepolicy/tlsdated.te - device/generic/brillo - Git at Google

 # tlsdated.
 type tlsdated, domain;
 type tlsdated_exec, exec_type, file_type;
 type tlsdated_data_file, file_type, data_file_type;

 brillo_domain(tlsdated)
 net_domain(tlsdated)

 # Allow crash_reporter access to core dump files.
 allow_crash_reporter(tlsdated)

 allow tlsdated self:capability { sys_time setuid setgid };
 allow tlsdated tlsdated_exec:file rx_file_perms;
 allow tlsdated tlsdated_data_file:dir w_dir_perms;
 allow tlsdated tlsdated_data_file:file create_file_perms;

 allow tlsdated system_file:dir getattr;
	# tlsdated.
	type tlsdated, domain;
	type tlsdated_exec, exec_type, file_type;
	type tlsdated_data_file, file_type, data_file_type;

	brillo_domain(tlsdated)
	net_domain(tlsdated)

	# Allow crash_reporter access to core dump files.
	allow_crash_reporter(tlsdated)

	allow tlsdated self:capability { sys_time setuid setgid };
	allow tlsdated tlsdated_exec:file rx_file_perms;
	allow tlsdated tlsdated_data_file:dir w_dir_perms;
	allow tlsdated tlsdated_data_file:file create_file_perms;

	allow tlsdated system_file:dir getattr;