| ### |
| ### Apps signed with the media key. |
| ### |
| |
| type media_app, domain; |
| app_domain(media_app) |
| platform_app_domain(media_app) |
| binder_service(media_app) |
| # Access the network. |
| net_domain(media_app) |
| # Access /dev/mtp_usb. |
| allow media_app mtp_device:chr_file rw_file_perms; |
| # Write to /cache. |
| allow media_app cache_file:dir rw_dir_perms; |
| allow media_app cache_file:file create_file_perms; |
| # Stat /cache/lost+found |
| allow media_app unlabeled:file getattr; |
| allow media_app unlabeled:dir getattr; |
| # Stat /cache/backup |
| allow media_app cache_backup_file:file getattr; |
| allow media_app cache_backup_file:dir getattr; |
| # Read files in the rootdir (in particular, file_contexts for restorecon). |
| allow media_app rootfs:file r_file_perms; |
| allow media_app download_file:dir rw_dir_perms; |
| allow media_app download_file:file create_file_perms; |
| # Allow platform apps to mark platform app data files as download files |
| relabelto_domain(media_app) |
| allow media_app platform_app_data_file:dir relabelfrom; |
| allow media_app download_file:dir relabelto; |