sepolicy/wifi_setup.te - device/generic/brillo - Git at Google

 # wifi_setup.
 type wifi_setup, domain;
 type wifi_setup_exec, exec_type, file_type;
 type wifi_setup_prop, property_type;
 type wifi_device, dev_type;
 type wifi_sysfs_entry, fs_type, sysfs_type;

 brillo_domain(wifi_setup)

 # Inherit open file to shell (interpreter) for script.
 allow wifi_setup shell_exec:file rx_file_perms;
 allow wifi_setup system_file:file execute_no_trans;
 allow wifi_setup toolbox_exec:file { rx_file_perms };

 # Set properties for init.
 set_prop(wifi_setup, wifi_setup_prop);

 # Permissions for WiFi driver initialization.
 allow wifi_setup self:capability { net_admin net_raw };
 allow wifi_setup self:udp_socket create_socket_perms;
 allow wifi_setup sysfs:file w_file_perms;
 allow wifi_setup wifi_device:chr_file rw_file_perms;
 allow wifi_setup wifi_sysfs_entry:file rw_file_perms;

 # Allow crash_reporter access to core dump files.
 allow_crash_reporter(wifi_setup)

 allow wifi_setup proc:file read;
 allow wifi_setup selinuxfs:filesystem getattr;
 allow wifi_setup sysfs:lnk_file read;

 dontaudit wifi_setup wifi_device:chr_file { getattr ioctl };
	# wifi_setup.
	type wifi_setup, domain;
	type wifi_setup_exec, exec_type, file_type;
	type wifi_setup_prop, property_type;
	type wifi_device, dev_type;
	type wifi_sysfs_entry, fs_type, sysfs_type;

	brillo_domain(wifi_setup)

	# Inherit open file to shell (interpreter) for script.
	allow wifi_setup shell_exec:file rx_file_perms;
	allow wifi_setup system_file:file execute_no_trans;
	allow wifi_setup toolbox_exec:file { rx_file_perms };

	# Set properties for init.
	set_prop(wifi_setup, wifi_setup_prop);

	# Permissions for WiFi driver initialization.
	allow wifi_setup self:capability { net_admin net_raw };
	allow wifi_setup self:udp_socket create_socket_perms;
	allow wifi_setup sysfs:file w_file_perms;
	allow wifi_setup wifi_device:chr_file rw_file_perms;
	allow wifi_setup wifi_sysfs_entry:file rw_file_perms;

	# Allow crash_reporter access to core dump files.
	allow_crash_reporter(wifi_setup)

	allow wifi_setup proc:file read;
	allow wifi_setup selinuxfs:filesystem getattr;
	allow wifi_setup sysfs:lnk_file read;

	dontaudit wifi_setup wifi_device:chr_file { getattr ioctl };