# Process which creates/updates shared RELRO files to be used by other apps.
type shared_relro, domain;

# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
app_domain(shared_relro)

# Grant write access to the shared relro files/directory.
allow shared_relro shared_relro_file:dir rw_dir_perms;
allow shared_relro shared_relro_file:file create_file_perms;

# Needs to contact the "webviewupdate" and "activity" services
allow shared_relro system_server_service:service_manager find;
allow shared_relro tmp_system_server_service:service_manager find;

service_manager_local_audit_domain(shared_relro)
auditallow shared_relro {
    tmp_system_server_service
    -webviewupdate_service
}:service_manager find;