vendor/vndservicemanager.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # vndservicemanager - the Binder context manager for vendor processes
 type vndservicemanager_exec, exec_type, vendor_file_type, file_type;

 init_daemon_domain(vndservicemanager);

 allow vndservicemanager self:binder set_context_mgr;

 # transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
 allow vndservicemanager { domain -coredomain -init -vendor_init }:binder transfer;

 allow vndservicemanager vndbinder_device:chr_file rw_file_perms;

 # Read vndservice_contexts
 allow vndservicemanager vndservice_contexts_file:file r_file_perms;

 add_service(vndservicemanager, service_manager_vndservice)

 # Start lazy services
 set_prop(vndservicemanager, ctl_interface_start_prop)

 # Check SELinux permissions.
 selinux_check_access(vndservicemanager)

 # Log to kmesg
 allow vndservicemanager kmsg_device:chr_file rw_file_perms;
	# vndservicemanager - the Binder context manager for vendor processes
	type vndservicemanager_exec, exec_type, vendor_file_type, file_type;

	init_daemon_domain(vndservicemanager);

	allow vndservicemanager self:binder set_context_mgr;

	# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
	allow vndservicemanager { domain -coredomain -init -vendor_init }:binder transfer;

	allow vndservicemanager vndbinder_device:chr_file rw_file_perms;

	# Read vndservice_contexts
	allow vndservicemanager vndservice_contexts_file:file r_file_perms;

	add_service(vndservicemanager, service_manager_vndservice)

	# Start lazy services
	set_prop(vndservicemanager, ctl_interface_start_prop)

	# Check SELinux permissions.
	selinux_check_access(vndservicemanager)

	# Log to kmesg
	allow vndservicemanager kmsg_device:chr_file rw_file_perms;