# Allow init to mount firmware
allow init firmware_file:dir mounton;
allow init firmware_file:filesystem { getattr mount relabelfrom };
allow init custom_ab_block_device:lnk_file relabelto;
# This is needed for chaining a boot partition vbmeta
# descriptor, where init will probe the boot partition
# to read the chained vbmeta in the first-stage, then
# relabel /dev/block/by-name/boot_[a|b] to block_device
# after loading sepolicy in the second stage.
allow init boot_block_device:lnk_file relabelto;
allow init sysfs_scsi_devices_0000:file w_file_perms;
allow init per_boot_file:file ioctl;
allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE };