sepolicy.rule

# debug
allow system_server system_file file write

# context
create { system_lib_file vendor_file vendor_configs_file }
allow { system_file system_lib_file vendor_file vendor_configs_file } labeledfs filesystem associate
allow init { system_file system_lib_file vendor_file vendor_configs_file } { dir file } relabelfrom

# dir
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } blkio_dev dir search

# file
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } privapp_data_file file execute
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } { vendor_audio_prop vendor_display_prop } file { read open getattr map }
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } qemu_hw_prop file read
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } dirac_prop file { read open getattr }
allow crash_dump { privapp_data_file resourcecache_data_file vendor_overlay_file } file { read open getattr }

# service_manager
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } default_android_service service_manager find