sepolicy/init_foreground.te - device/google/marlin - Git at Google

 type init_foreground, domain;
 type init_foreground_exec, exec_type, vendor_file_type, file_type;

 init_daemon_domain(init_foreground)

 allow init_foreground proc:file getattr;
 allow init_foreground proc_iomem:file getattr;
 allow init_foreground proc_meminfo:file getattr;
 allow init_foreground proc_sysrq:file getattr;
 dontaudit init_foreground proc_interrupts:file getattr;
 dontaudit init_foreground proc_stat:file getattr;
 dontaudit init_foreground proc_timer:file getattr;
 dontaudit init_foreground proc_zoneinfo:file getattr;

 allow init_foreground shell_exec:file { getattr read };
 allow init_foreground toolbox_exec:file rx_file_perms;

 allow init_foreground domain:dir { getattr search };
 allow init_foreground domain:file { read open };

 allow init_foreground kernel:process setsched;
	type init_foreground, domain;
	type init_foreground_exec, exec_type, vendor_file_type, file_type;

	init_daemon_domain(init_foreground)

	allow init_foreground proc:file getattr;
	allow init_foreground proc_iomem:file getattr;
	allow init_foreground proc_meminfo:file getattr;
	allow init_foreground proc_sysrq:file getattr;
	dontaudit init_foreground proc_interrupts:file getattr;
	dontaudit init_foreground proc_stat:file getattr;
	dontaudit init_foreground proc_timer:file getattr;
	dontaudit init_foreground proc_zoneinfo:file getattr;

	allow init_foreground shell_exec:file { getattr read };
	allow init_foreground toolbox_exec:file rx_file_perms;

	allow init_foreground domain:dir { getattr search };
	allow init_foreground domain:file { read open };

	allow init_foreground kernel:process setsched;