fsck.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # e2fsck or any other fsck program run by init.
 type fsck, domain;
 type fsck_exec, exec_type, file_type;
 permissive_or_unconfined(fsck)

 init_daemon_domain(fsck)

 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
 allow fsck tmpfs:chr_file { read write ioctl };

 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck devpts:chr_file { read write ioctl getattr };

 # Run e2fsck on block devices.
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;

 # Only allow entry from init via the e2fsck binary.
 neverallow { domain -init } fsck:process transition;
 neverallow domain fsck:process dyntransition;
 neverallow fsck { file_type fs_type -fsck_exec}:file entrypoint;
	# e2fsck or any other fsck program run by init.
	type fsck, domain;
	type fsck_exec, exec_type, file_type;
	permissive_or_unconfined(fsck)

	init_daemon_domain(fsck)

	# /dev/__null__ created by init prior to policy load,
	# open fd inherited by fsck.
	allow fsck tmpfs:chr_file { read write ioctl };

	# Inherit and use pty created by android_fork_execvp_ext().
	allow fsck devpts:chr_file { read write ioctl getattr };

	# Run e2fsck on block devices.
	allow fsck userdata_block_device:blk_file rw_file_perms;
	allow fsck cache_block_device:blk_file rw_file_perms;

	# Only allow entry from init via the e2fsck binary.
	neverallow { domain -init } fsck:process transition;
	neverallow domain fsck:process dyntransition;
	neverallow fsck { file_type fs_type -fsck_exec}:file entrypoint;