sepolicy/common/createns.te - device/generic/goldfish - Git at Google

 # Network namespace creation
 type createns, domain;
 type createns_exec, exec_type, vendor_file_type, file_type;

 init_daemon_domain(createns)

 allow createns self:capability { sys_admin net_raw setuid setgid };
 allow createns varrun_file:dir { add_name search write };
 allow createns varrun_file:file { create mounton open read write };

 #Allow createns itself to be run by init in its own domain
 domain_auto_trans(init, createns_exec, createns);
 allow createns goldfish_setup:fd use;

 set_prop(createns, vendor_qemu_prop);
	# Network namespace creation
	type createns, domain;
	type createns_exec, exec_type, vendor_file_type, file_type;

	init_daemon_domain(createns)

	allow createns self:capability { sys_admin net_raw setuid setgid };
	allow createns varrun_file:dir { add_name search write };
	allow createns varrun_file:file { create mounton open read write };

	#Allow createns itself to be run by init in its own domain
	domain_auto_trans(init, createns_exec, createns);
	allow createns goldfish_setup:fd use;

	set_prop(createns, vendor_qemu_prop);