sepolicy/cnd.te - device/moto/shamu - Git at Google

 #permissive cnd;
 type cnd, domain, device_domain_deprecated;
 type cnd_exec, exec_type, file_type;

 # cnd is started by init, type transit from init domain to cnd domain
 init_daemon_domain(cnd)
 # associate netdomain as an attribute of cnd domain
 net_domain(cnd)

 allow cnd self:capability { net_raw setuid setgid };

 allow cnd netmgrd:dir search;
 allow cnd netmgrd:file r_file_perms;
	#permissive cnd;
	type cnd, domain, device_domain_deprecated;
	type cnd_exec, exec_type, file_type;

	# cnd is started by init, type transit from init domain to cnd domain
	init_daemon_domain(cnd)
	# associate netdomain as an attribute of cnd domain
	net_domain(cnd)

	allow cnd self:capability { net_raw setuid setgid };

	allow cnd netmgrd:dir search;
	allow cnd netmgrd:file r_file_perms;