| # Domain where the postinstall program runs during the update. |
| # Extend the permissions in this domain to allow this program to access other |
| # files needed by the specific device on your device's sepolicy directory. |
| type postinstall, domain; |
| |
| # Allow postinstall to write to its stdout/stderr when redirected via pipes to |
| # update_engine. |
| allow postinstall update_engine:fd use; |
| allow postinstall update_engine:fifo_file rw_file_perms; |
| |
| # Allow postinstall to read and execute directories and files in the same |
| # mounted location. |
| allow postinstall postinstall_file:file rx_file_perms; |
| allow postinstall postinstall_file:lnk_file r_file_perms; |
| allow postinstall postinstall_file:dir r_dir_perms; |
| |
| # Allow postinstall to execute the shell or other system executables. |
| allow postinstall shell_exec:file rx_file_perms; |
| allow postinstall system_file:file rx_file_perms; |
| allow postinstall toolbox_exec:file rx_file_perms; |
| |
| # No domain other than update_engine should transition to postinstall, as it is |
| # only meant to run during the update. |
| neverallow { domain -update_engine } postinstall:process { transition dyntransition }; |