| # installer daemon |
| type installd, domain; |
| type installd_exec, exec_type, file_type; |
| |
| init_daemon_domain(installd) |
| typeattribute installd mlstrustedsubject; |
| allow installd self:capability { chown dac_override fowner fsetid setgid setuid }; |
| allow installd system_data_file:file create_file_perms; |
| allow installd system_data_file:lnk_file create; |
| allow installd dalvikcache_data_file:file create_file_perms; |
| allow installd dalvikcache_profiles_data_file:dir create_dir_perms; |
| allow installd dalvikcache_profiles_data_file:file create_file_perms; |
| allow installd { data_file_type -keystore_data_file }:dir create_dir_perms; |
| allow installd { data_file_type -keystore_data_file }:dir { relabelfrom relabelto }; |
| allow installd { data_file_type -keystore_data_file }:{ file_class_set } { getattr unlink }; |
| allow installd apk_data_file:file r_file_perms; |
| allow installd apk_tmp_file:file r_file_perms; |
| allow installd oemfs:dir r_dir_perms; |
| allow installd oemfs:file r_file_perms; |
| allow installd system_file:file x_file_perms; |
| allow installd cgroup:dir create_dir_perms; |
| # Check validity of SELinux context before use. |
| selinux_check_context(installd) |
| # Read /seapp_contexts and /data/security/seapp_contexts |
| security_access_policy(installd) |
| # ASEC |
| allow installd app_data_file:lnk_file { create setattr }; |
| allow installd asec_apk_file:file r_file_perms; |
| allow installd bluetooth_data_file:lnk_file { create setattr }; |
| allow installd nfc_data_file:lnk_file { create setattr }; |
| allow installd radio_data_file:lnk_file { create setattr }; |
| allow installd shell_data_file:lnk_file { create setattr }; |
| allow installd system_app_data_file:lnk_file { create setattr }; |
| # restorecon /data/data |
| allow installd unlabeled:dir relabelfrom; |
| allow installd unlabeled:notdevfile_class_set relabelfrom; |
| allow installd system_data_file:dir relabelfrom; |
| allow installd system_data_file:notdevfile_class_set relabelfrom; |
| allow installd system_app_data_file:dir { relabelfrom relabelto }; |
| allow installd system_app_data_file:notdevfile_class_set { relabelfrom relabelto }; |
| allow installd bluetooth_data_file:dir { relabelfrom relabelto }; |
| allow installd bluetooth_data_file:notdevfile_class_set { relabelfrom relabelto }; |
| allow installd nfc_data_file:dir { relabelfrom relabelto }; |
| allow installd nfc_data_file:notdevfile_class_set { relabelfrom relabelto }; |
| allow installd radio_data_file:dir { relabelfrom relabelto }; |
| allow installd radio_data_file:notdevfile_class_set { relabelfrom relabelto }; |
| allow installd app_data_file:dir { relabelfrom relabelto }; |
| allow installd app_data_file:notdevfile_class_set { relabelfrom relabelto }; |
| allow installd shell_data_file:dir { relabelfrom relabelto }; |
| allow installd shell_data_file:notdevfile_class_set { relabelfrom relabelto }; |