1 # zygote 2 type zygote, domain; 3 type zygote_exec, exec_type, file_type; 4 5 init_daemon_domain(zygote) 6 typeattribute zygote mlstrustedsubject; 7 # Override DAC on files and switch uid/gid. 8 allow zygote self:capability { dac_override setgid setuid }; 9 # Switch SELinux context to app domains. 10 allow zygote system:process dyntransition; 11 allow zygote appdomain:process dyntransition; 12 # Move children into the peer process group. 13 allow zygote system:process { getpgid setpgid }; 14 allow zygote appdomain:process { getpgid setpgid }; 15 # Write to system data. 16 allow zygote system_data_file:dir rw_dir_perms; 17 allow zygote system_data_file:file create_file_perms; 18 allow zygote dalvikcache_data_file:dir rw_dir_perms; 19 allow zygote dalvikcache_data_file:file create_file_perms; 20 # Execute dexopt. 21 allow zygote system_file:file x_file_perms; 22 # Control cgroups. 23 allow zygote cgroup:dir create_dir_perms; 24 allow zygote self:capability sys_admin; 25 # Check validity of SELinux context before use. 26 selinux_check_context(zygote) 27 # Check SELinux permissions. 28 selinux_check_access(zygote) 29 # Read /seapp_contexts, presently on the rootfs. 30 allow zygote rootfs:file r_file_perms; 31 32
