# init switches to init domain (via init.rc).
type init, domain;
# init is unconfined.
unconfined_domain(init)
tmpfs_domain(init)
# add a rule to handle unlabelled mounts
allow init unlabeled:filesystem mount;

allow init self:capability { sys_rawio mknod };

allow init dev_type:blk_file rw_file_perms;
allow init fs_type:filesystem *;
allow init {fs_type dev_type}:dir_file_class_set relabelto;
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
allow init kernel:security load_policy;
allow init kernel:system syslog_mod;
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;

# Transitions to seclabel processes in init.rc
allow init adbd:process transition;
allow init healthd:process transition;
allow init recovery:process transition;
allow init shell:process transition;
allow init ueventd:process transition;
allow init watchdogd:process transition;

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;