# Rules for the servicemanager domain: capabilities on itself, plus read-only
# inspection of objects labeled with the init type.
#
# Drop (user, group) to (nobody, nobody)
# setuid/setgid permit changing the process's UID/GID, and setpcap permits
# changing its capability sets. net_raw (raw and packet sockets) is not part
# of a UID/GID drop.
# NOTE(review): nothing visible here explains the net_raw grant - confirm it
# is required, and remove it if not, to keep the domain at least privilege.
allow servicemanager self:capability { setuid setgid setpcap net_raw };
# Let servicemanager search directories, open and read files, and getattr
# processes labeled init. These rules grant no write access.
# NOTE(review): presumably these are init's /proc/<pid> entries; confirm.
allow servicemanager init:dir search;
allow servicemanager init:file { read open };
allow servicemanager init:process getattr;
# The three lines below are commented out and tagged HACK, so they grant
# nothing as written. They mirror the init rules above for init_shell.
# NOTE(review): before re-enabling them, confirm that servicemanager really
# needs to inspect init_shell processes.
#HACK allow servicemanager init_shell:dir search;
#HACK allow servicemanager init_shell:file { read open };
#HACK allow servicemanager init_shell:process getattr;