sepolicy/webservd.te - device/generic/brillo - Git at Google

 # Domain for webservd daemon.
 type webservd, domain;
 type webservd_exec, exec_type, file_type;
 type webservd_data_file, file_type, data_file_type;

 brillo_domain(webservd)
 net_domain(webservd)

 # Allow crash_reporter access to core dump files.
 allow_crash_reporter(webservd)

 # Allow opening firewall ports to serve on.
 allow_call_firewalld(webservd)

 # Allow to pass file descriptors from webserver over D-Bus.
 allow dbus_daemon webservd:fd use;
 allow dbus_daemon webservd_data_file:file r_file_perms;
 allow dbus_daemon webservd:fifo_file rw_file_perms;

 allow webservd self:capability { net_bind_service };
 allow webservd webservd_data_file:dir rw_dir_perms;
 allow webservd webservd_data_file:file create_file_perms;
 allow webservd webservd_service:service_manager { add find };
	# Domain for webservd daemon.
	type webservd, domain;
	type webservd_exec, exec_type, file_type;
	type webservd_data_file, file_type, data_file_type;

	brillo_domain(webservd)
	net_domain(webservd)

	# Allow crash_reporter access to core dump files.
	allow_crash_reporter(webservd)

	# Allow opening firewall ports to serve on.
	allow_call_firewalld(webservd)

	# Allow to pass file descriptors from webserver over D-Bus.
	allow dbus_daemon webservd:fd use;
	allow dbus_daemon webservd_data_file:file r_file_perms;
	allow dbus_daemon webservd:fifo_file rw_file_perms;

	allow webservd self:capability { net_bind_service };
	allow webservd webservd_data_file:dir rw_dir_perms;
	allow webservd webservd_data_file:file create_file_perms;
	allow webservd webservd_service:service_manager { add find };