###
### media_app: domain for apps signed with the media key.
###

type media_app, domain;

# Policy macros defined elsewhere in the policy tree. Their expansions are
# not visible in this file, so audit them together with the explicit rules
# below when judging what this domain can actually do.
app_domain(media_app)
platform_app_domain(media_app)
binder_service(media_app)

# Network access.
net_domain(media_app)

# Read/write the MTP USB character device (/dev/mtp_usb).
allow media_app mtp_device:chr_file rw_file_perms;

# /cache: modify the directory and create files in it.
allow media_app cache_file:dir rw_dir_perms;
allow media_app cache_file:file create_file_perms;

# stat() /cache/lost+found. Only getattr is granted by this rule (no read or
# write). The rule is keyed on the type, so it matches every file or directory
# that carries the unlabeled type, not just that one path.
allow media_app unlabeled:{ file dir } getattr;

# stat() /cache/backup; again getattr only.
allow media_app cache_backup_file:{ file dir } getattr;

# Read files in the rootdir (in particular, file_contexts for restorecon).
allow media_app rootfs:file r_file_perms;

# Download storage: modify the directory and create files in it.
allow media_app download_file:dir rw_dir_perms;
allow media_app download_file:file create_file_perms;

# Let media apps relabel platform app data directories as download
# directories. Both rules name the dir class only.
# NOTE(review): the previous comment spoke of "platform apps" and "data files";
# confirm that directory-only relabeling by media_app is what is intended.
relabelto_domain(media_app)
allow media_app platform_app_data_file:dir relabelfrom;
allow media_app download_file:dir relabelto;