private/netd.te - platform/system/sepolicy - Git at Google

 typeattribute netd coredomain;

 init_daemon_domain(netd)

 # Allow netd to spawn dnsmasq in it's own domain
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)

 # Allow netd to start clatd in its own domain
 domain_auto_trans(netd, clatd_exec, clatd)

 # Allow netd to start bpfloader_exec in its own domain
 domain_auto_trans(netd, bpfloader_exec, bpfloader)

 # give netd permission to setup iptables rule with xt_bpf
 allow netd bpfloader:bpf prog_run;
	typeattribute netd coredomain;

	init_daemon_domain(netd)

	# Allow netd to spawn dnsmasq in it's own domain
	domain_auto_trans(netd, dnsmasq_exec, dnsmasq)

	# Allow netd to start clatd in its own domain
	domain_auto_trans(netd, clatd_exec, clatd)

	# Allow netd to start bpfloader_exec in its own domain
	domain_auto_trans(netd, bpfloader_exec, bpfloader)

	# give netd permission to setup iptables rule with xt_bpf
	allow netd bpfloader:bpf prog_run;