platform_system_sepolicy/servicemanager.te
Riley Spahn f90c41f6e8 Add SELinux rules for service_manager.
Add a service_manager class with the verb add.
Add a type that groups the services for each of the
processes that are allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-12 20:46:07 +00:00

21 lines
864 B
Text

# servicemanager - the Binder context manager
type servicemanager, domain;
type servicemanager_exec, exec_type, file_type;
init_daemon_domain(servicemanager)
# Note that we do not use the binder_* macros here.
# servicemanager is unique in that it only provides
# name service (aka context manager) for Binder.
# As such, it only ever receives and transfers other references
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
allow servicemanager domain:binder transfer;
# Get contexts of binder services that call servicemanager.
allow servicemanager binderservicedomain:dir search;
allow servicemanager binderservicedomain:file { read open };
allow servicemanager binderservicedomain:process getattr;
# Check SELinux permissions.
selinux_check_access(servicemanager)
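The comments in this file state two invariants a policy reviewer would want to verify mechanically: only servicemanager should hold binder set_context_mgr on self, and servicemanager should never be granted the binder permissions that let a domain initiate IPC (call, impersonate), since it only transfers references created by other domains. The script below is an added example, not part of AOSP sepolicy or of this commit. It parses `allow` rules out of a constructed policy text (the rules from this file plus two hypothetical rules labelled as such, included only so the linter has something to flag) and reports violations of those two invariants. The domain name example_app and the extra rules are assumptions, not real policy.

```python
import re

# Constructed input: the allow rules from servicemanager.te as shown on the page,
# followed by two HYPOTHETICAL rules (not from the page or from AOSP) so that the
# linter has violations to report.
POLICY_TEXT = """
# servicemanager - the Binder context manager
type servicemanager, domain;
type servicemanager_exec, exec_type, file_type;
init_daemon_domain(servicemanager)
allow servicemanager self:binder set_context_mgr;
allow servicemanager domain:binder transfer;
allow servicemanager binderservicedomain:dir search;
allow servicemanager binderservicedomain:file { read open };
allow servicemanager binderservicedomain:process getattr;
selinux_check_access(servicemanager)
# HYPOTHETICAL rules below, constructed for this example only:
allow example_app self:binder set_context_mgr;
allow servicemanager domain:binder call;
"""

# Matches: allow <src> <tgt>:<class> <perm>;  or  allow <src> <tgt>:<class> { p1 p2 };
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s;{}]+)\s*;",
    re.MULTILINE,
)

# Binder object-class permissions that let a domain initiate IPC or act as
# another process, which the file's comments say servicemanager never does.
IPC_INITIATING_PERMS = {"call", "impersonate"}


def parse_allow_rules(text):
    """Return a list of (source, target, class, frozenset(perms)) for each allow rule.

    Comment lines, type declarations and m4 macro calls are ignored; only plain
    'allow' statements are parsed.
    """
    rules = []
    for m in ALLOW_RE.finditer(text):
        perms = m.group("perms").strip("{}").split()
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms)))
    return rules


def context_manager_domains(rules):
    """Domains granted binder set_context_mgr on self, i.e. allowed to become the
    Binder context manager."""
    return sorted({
        src for src, tgt, cls, perms in rules
        if tgt == "self" and cls == "binder" and "set_context_mgr" in perms
    })


def lint(rules, expected_context_mgr="servicemanager"):
    """Check the two invariants described in servicemanager.te's comments.

    1. Exactly one domain (servicemanager) may claim set_context_mgr.
    2. That domain is never granted binder call/impersonate, because it only
       transfers references and never initiates a Binder IPC itself.
    Returns a list of human-readable findings; an empty list means clean.
    """
    findings = []
    for domain in context_manager_domains(rules):
        if domain != expected_context_mgr:
            findings.append(
                f"{domain} holds binder set_context_mgr on self; "
                f"only {expected_context_mgr} should be able to become context manager"
            )
    for src, tgt, cls, perms in rules:
        if src == expected_context_mgr and cls == "binder":
            bad = sorted(perms & IPC_INITIATING_PERMS)
            if bad:
                findings.append(
                    f"{src} -> {tgt}:binder {bad} contradicts the rule that the "
                    f"context manager never initiates Binder IPC"
                )
    return findings


if __name__ == "__main__":
    parsed = parse_allow_rules(POLICY_TEXT)
    print(f"parsed {len(parsed)} allow rules")
    for finding in lint(parsed):
        print("FINDING:", finding)
```

The parser deliberately handles only plain `allow` statements; macros such as `init_daemon_domain` and `selinux_check_access` expand to further rules at build time, so a real audit would run the same checks against the compiled policy (for example with `sesearch`) rather than against a single `.te` source file.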