target/board/generic/sepolicy/goldfish_setup.te - platform/build - Git at Google

 # goldfish-setup service: runs init.goldfish.sh script
 type goldfish_setup, domain;
 type goldfish_setup_exec, exec_type, file_type;

 init_daemon_domain(goldfish_setup)

 # Inherit open file to shell (interpreter) for script.
 allow goldfish_setup shell_exec:file read;

 # Run ifconfig, route commands to configure interfaces and routes.
 allow goldfish_setup system_file:file execute_no_trans;
 allow goldfish_setup self:capability { net_admin net_raw };
 allow goldfish_setup self:udp_socket create_socket_perms;

 # Set net.eth0.dns*, debug.sf.nobootanimation
 unix_socket_connect(goldfish_setup, property, init)
 allow goldfish_setup system_prop:property_service set;
 allow goldfish_setup debug_prop:property_service set;
	# goldfish-setup service: runs init.goldfish.sh script
	type goldfish_setup, domain;
	type goldfish_setup_exec, exec_type, file_type;

	init_daemon_domain(goldfish_setup)

	# Inherit open file to shell (interpreter) for script.
	allow goldfish_setup shell_exec:file read;

	# Run ifconfig, route commands to configure interfaces and routes.
	allow goldfish_setup system_file:file execute_no_trans;
	allow goldfish_setup self:capability { net_admin net_raw };
	allow goldfish_setup self:udp_socket create_socket_perms;

	# Set net.eth0.dns*, debug.sf.nobootanimation
	unix_socket_connect(goldfish_setup, property, init)
	allow goldfish_setup system_prop:property_service set;
	allow goldfish_setup debug_prop:property_service set;