vendor/hal_wifi_supplicant_default.te - platform/system/sepolicy - Git at Google

 # wpa supplicant or equivalent
 type hal_wifi_supplicant_default, domain;
 hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)
 type hal_wifi_supplicant_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_wifi_supplicant_default)

 net_domain(hal_wifi_supplicant_default)
 # Create a socket for receiving info from wpa
 type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";

 # Allow wpa_supplicant to configure nl80211
 allow hal_wifi_supplicant_default proc_net:file write;

 # Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
 hwbinder_use(hal_wifi_supplicant_default)
 allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
 binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)

 allow hal_wifi_supplicant_default wpa_data_file:dir create_dir_perms;
 allow hal_wifi_supplicant_default wpa_data_file:file create_file_perms;
 allow hal_wifi_supplicant_default wpa_data_file:sock_file create_file_perms;

 # Write to security logs for audit.
 get_prop(hal_wifi_supplicant_default, device_logging_prop)

 # Devices upgrading to P may grant this permission in device-specific
 # policy along with the data_between_core_and_vendor_violators
 # attribute needed for an exemption.  However, devices that launch with
 # P should use /data/vendor/wifi, which is already granted in core
 # policy.  This is dontaudited here to avoid conditional
 # device-specific behavior in wpa_supplicant.
 dontaudit hal_wifi_supplicant_default wifi_data_file:dir search;
	# wpa supplicant or equivalent
	type hal_wifi_supplicant_default, domain;
	hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)
	type hal_wifi_supplicant_default_exec, exec_type, vendor_file_type, file_type;
	init_daemon_domain(hal_wifi_supplicant_default)

	net_domain(hal_wifi_supplicant_default)
	# Create a socket for receiving info from wpa
	type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";

	# Allow wpa_supplicant to configure nl80211
	allow hal_wifi_supplicant_default proc_net:file write;

	# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
	hwbinder_use(hal_wifi_supplicant_default)
	allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
	binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)

	allow hal_wifi_supplicant_default wpa_data_file:dir create_dir_perms;
	allow hal_wifi_supplicant_default wpa_data_file:file create_file_perms;
	allow hal_wifi_supplicant_default wpa_data_file:sock_file create_file_perms;

	# Write to security logs for audit.
	get_prop(hal_wifi_supplicant_default, device_logging_prop)

	# Devices upgrading to P may grant this permission in device-specific
	# policy along with the data_between_core_and_vendor_violators
	# attribute needed for an exemption. However, devices that launch with
	# P should use /data/vendor/wifi, which is already granted in core
	# policy. This is dontaudited here to avoid conditional
	# device-specific behavior in wpa_supplicant.
	dontaudit hal_wifi_supplicant_default wifi_data_file:dir search;