Porting sepolicy rules from previous projects for init_citadel Bug: 145571484 Test: flash selinux modules to device and find avc errors gone Change-Id: I12038a621cd287f073f2b458d5cad94ee048ad66

commit: 997ddb47c84e90bde560ff2702ab5b31a92f337c [log] [tgz]
author: Alex Hong <rurumihong@google.com> Fri Dec 06 12:02:59 2019 +0800
committer: Alex Hong <rurumihong@google.com> Fri Dec 06 18:38:43 2019 +0800
tree: 618cf40213690291bbd863405f7ba8c1f0d24ec1
parent: 0c68c79fac82ae72aeacc0933b4d70afc8569b64 [diff]
diff --git a/vendor/google/init_citadel.te b/vendor/google/init_citadel.te
index 604cbe0..3d3341d 100644
--- a/vendor/google/init_citadel.te
+++ b/vendor/google/init_citadel.te

@@ -1,4 +1,15 @@
 type init_citadel, domain;
 type init_citadel_exec, exec_type, vendor_file_type, file_type;
 type citadel_updater_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(init_citadel)
\ No newline at end of file
+
+init_daemon_domain(init_citadel)
+
+vndbinder_use(init_citadel)
+binder_call(init_citadel, citadeld)
+allow init_citadel citadeld_service:service_manager find;
+
+# Many standard utils are actually vendor_toolbox (like xxd)
+allow init_citadel vendor_toolbox_exec:file x_file_perms;
+
+# init_citadel needs to invoke citadel_updater
+allow init_citadel citadel_updater_exec:file x_file_perms;
commit	997ddb47c84e90bde560ff2702ab5b31a92f337c	[log] [tgz]
author	Alex Hong <rurumihong@google.com>	Fri Dec 06 12:02:59 2019 +0800
committer	Alex Hong <rurumihong@google.com>	Fri Dec 06 18:38:43 2019 +0800
tree	618cf40213690291bbd863405f7ba8c1f0d24ec1
parent	0c68c79fac82ae72aeacc0933b4d70afc8569b64 [diff]