platform_system_sepolicy/system_server.te

#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
type system_server, domain;
unconfined_domain(system_server);
relabelto_domain(system_server);

# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:capability {
    kill
    net_admin
    net_bind_service
    net_broadcast
    net_raw
    sys_boot
    sys_module
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
};

# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
allow system_server system_wpa_socket:sock_file create_file_perms;

# Create a socket for connections from debuggerd.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file create_file_perms;

allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file r_file_perms;

allow system_server backup_data_file:dir relabelto;
allow system_server cache_backup_file:dir relabelto;
allow system_server anr_data_file:dir relabelto;
allow system_server system_data_file:dir relabelto;
allow system_server apk_data_file:file relabelto;
allow system_server apk_tmp_file:file relabelto;
allow system_server cache_backup_file:file relabelto;
allow system_server apk_private_tmp_file:file relabelto;
allow system_server wallpaper_file:file relabelto;

# Access to wake locks
allow system_server sysfs_wake_lock:file rw_file_perms;