private/recovery_persist.te - platform/system/sepolicy - Git at Google

 typeattribute recovery_persist coredomain;

 init_daemon_domain(recovery_persist)

 # recovery_persist is not allowed to write anywhere other than recovery_data_file
 # TODO: deal with tmpfs_domain pub/priv split properly
 neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
	typeattribute recovery_persist coredomain;

	init_daemon_domain(recovery_persist)

	# recovery_persist is not allowed to write anywhere other than recovery_data_file
	# TODO: deal with tmpfs_domain pub/priv split properly
	neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;