microdroid/system/private/tombstone_transmit.te - platform/system/sepolicy - Git at Google

 type tombstone_transmit, domain, coredomain;
 type tombstone_transmit_exec, exec_type, system_file_type, file_type;

 init_daemon_domain(tombstone_transmit)

 # permission required to read the file & remove it from directory
 allow tombstone_transmit tombstone_data_file:dir { r_dir_perms write remove_name };
 allow tombstone_transmit tombstone_data_file:file { r_file_perms unlink };

 allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;

 # allow tombstone_transmit to notify its initialization
 set_prop(tombstone_transmit, tombstone_transmit_status_prop)

 # Only tombstone_transmit can set its status
 neverallow { domain -init -tombstone_transmit } tombstone_transmit_status_prop:property_service set;
	type tombstone_transmit, domain, coredomain;
	type tombstone_transmit_exec, exec_type, system_file_type, file_type;

	init_daemon_domain(tombstone_transmit)

	# permission required to read the file & remove it from directory
	allow tombstone_transmit tombstone_data_file:dir { r_dir_perms write remove_name };
	allow tombstone_transmit tombstone_data_file:file { r_file_perms unlink };

	allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;

	# allow tombstone_transmit to notify its initialization
	set_prop(tombstone_transmit, tombstone_transmit_status_prop)

	# Only tombstone_transmit can set its status
	neverallow { domain -init -tombstone_transmit } tombstone_transmit_status_prop:property_service set;