platform_system_sepolicy/system_app.te

#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings.  These are not as privileged as the system
# server.
#
type system_app, domain;
permissive_or_unconfined(system_app)
app_domain(system_app)
binder_service(system_app)

# Perform binder IPC to any app domain.
binder_call(system_app, appdomain)

# Read and write system data files.
# May want to split into separate types.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;

# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;

# Write to dalvikcache.
allow system_app dalvikcache_data_file:file { write setattr };

# Talk to keystore.
unix_socket_connect(system_app, keystore, keystore)

# Read SELinux enforcing status.
selinux_getenforce(system_app)

# Settings app reads sdcard for storage stats
allow system_app sdcard_type:dir r_dir_perms;

# Write to properties
unix_socket_connect(system_app, property, init)
allow system_app debug_prop:property_service set;
allow system_app radio_prop:property_service set;
allow system_app system_prop:property_service set;