sepolicy/webservd.te - device/generic/brillo - Git at Google

 # Domain for webservd daemon.
 type webservd, domain;
 type webservd_exec, exec_type, file_type;
 type webservd_data_file, file_type, data_file_type;

 brillo_domain(webservd)
 net_domain(webservd)

 # Allow crash_reporter access to core dump files.
 allow_crash_reporter(webservd)

 # Allow opening firewall ports to serve on.
 allow_call_firewalld(webservd)

 allow webservd self:capability { net_bind_service };
 allow webservd webservd_data_file:dir rw_dir_perms;
 allow webservd webservd_data_file:file create_file_perms;
 allow webservd webservd_service:service_manager { add find };
	# Domain for webservd daemon.
	type webservd, domain;
	type webservd_exec, exec_type, file_type;
	type webservd_data_file, file_type, data_file_type;

	brillo_domain(webservd)
	net_domain(webservd)

	# Allow crash_reporter access to core dump files.
	allow_crash_reporter(webservd)

	# Allow opening firewall ports to serve on.
	allow_call_firewalld(webservd)

	allow webservd self:capability { net_bind_service };
	allow webservd webservd_data_file:dir rw_dir_perms;
	allow webservd webservd_data_file:file create_file_perms;
	allow webservd webservd_service:service_manager { add find };