blob: 4f68d0e88b2e27ff17b234c8caf891bc554d5726
# SELinux type-enforcement policy for the imageserver daemon.
#
# Active policy: declare the process domain and the label of its executable,
# let init start the daemon in that domain, and grant a single permission on
# vendor files. Everything under "Disabled rules" is commented out and is
# not part of the compiled policy.

# Process domain the daemon runs in.
type imageserver, domain;

# Label carried by the daemon's binary; vendor_file_type groups it with the
# other vendor-partition file types.
type imageserver_exec, exec_type, vendor_file_type, file_type;

# mlstrustedsubject exempts the domain from the MLS constraints that separate
# subjects by level/category.
# NOTE(review): no active rule in this file touches app or user data, so this
# exemption looks like a leftover from the disabled rules below. Confirm with
# the denial log and drop the attribute if nothing depends on it.
typeattribute imageserver mlstrustedsubject;

# Domain transition: init enters imageserver when it executes a file labelled
# imageserver_exec.
init_daemon_domain(imageserver)

# Only "execute" is granted on vendor_file. Running another vendor binary
# inside this domain would additionally need execute_no_trans, which is not
# allowed here.
allow imageserver vendor_file:file execute;

# ---------------------------------------------------------------------------
# Disabled rules (kept as written, none of them is in effect).
# NOTE(review): several entries are high-privilege (execmem, execmod,
# dac_override, dac_read_search, rw on app_data_file, binder calls into
# appdomain). If one must come back, re-enable that single rule against a
# recorded denial rather than the whole group.
# ---------------------------------------------------------------------------

#allow imageserver shell_exec:file rx_file_perms;
#allow imageserver system_file:file execute_no_trans;

#allow imageserver imageserver_service:service_manager add;

#allow imageserver imageserver_exec:file { entrypoint read };

#allow imageserver self:process execmem;

#binder_use(imageserver);
#binder_call(imageserver, binderservicedomain)
#binder_call(imageserver, appdomain)
#binder_service(imageserver)

#allow imageserver self:capability dac_override;
#allow imageserver self:capability dac_read_search;

#allow imageserver appdomain:file { r_file_perms };
#allow imageserver fuse:dir r_dir_perms;
#allow imageserver fuse:file r_file_perms;
#allow imageserver app_data_file:file rw_file_perms;
#allow imageserver system_file:file execmod;

#allow imageserver app_data_file:dir search;

#allow imageserver system_control_service:service_manager find;

#allow imageserver { mnt_user_file storage_file }:dir { getattr search };
#allow imageserver { mnt_user_file storage_file }:lnk_file { getattr read };
#allow imageserver permission_service:service_manager find;

#allow imageserver picture_device:chr_file { read write open ioctl };
#allow imageserver kernel:system module_request;

#allow imageserver tmpfs:dir { getattr search };