public/system_server.te - LeafOS-Project/android_system_sepolicy - Gitiles

 #
 # System Server aka system_server spawned by zygote.
 # Most of the framework services run in this process.
 #
 type system_server, domain;
 type system_server_tmpfs, file_type, mlstrustedobject;

 # Power controls for debugging/diagnostics
 get_prop(system_server, power_debug_prop)
 set_prop(system_server, power_debug_prop)

 neverallow {
   domain
   -init
   -vendor_init
   -system_server
   -shell
 } power_debug_prop:property_service set;
	#
	# System Server aka system_server spawned by zygote.
	# Most of the framework services run in this process.
	#
	type system_server, domain;
	type system_server_tmpfs, file_type, mlstrustedobject;

	# Power controls for debugging/diagnostics
	get_prop(system_server, power_debug_prop)
	set_prop(system_server, power_debug_prop)

	neverallow {
	domain
	-init
	-vendor_init
	-system_server
	-shell
	} power_debug_prop:property_service set;