platform_system_sepolicy/private/init.te

# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
tmpfs_domain(init)

# Transitions to seclabel processes in init.rc
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
recovery_only(`
  domain_trans(init, rootfs, recovery)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, watchdogd)
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
userdebug_or_eng(`
  domain_auto_trans(init, logcat_exec, logpersist)
')

# Creating files on sysfs is impossible so this isn't a threat
# Sometimes we have to write to non-existent files to avoid conditional
# init behavior. See b/35303861 for an example.
dontaudit init sysfs:dir write;