platform_system_sepolicy/private/netd.te

typeattribute netd coredomain;

init_daemon_domain(netd)

# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)

# Allow netd to start clatd in its own domain
domain_auto_trans(netd, clatd_exec, clatd)

# Allow netd to start bpfloader_exec in its own domain
domain_auto_trans(netd, bpfloader_exec, bpfloader)

# give netd permission to setup iptables rule with xt_bpf
allow netd bpfloader:bpf prog_run;