platform_vendor_tequila/sepolicy/recovery.te
Steve Kondik 5b98d78fa9 sepolicy: More cleanups for N
* Fix up recovery stuff
 * Disable themes until ready
 * Disable CMUpdater until ready

Change-Id: I99073b91fbd1ec16e59602da644727a0d019f330
2016-09-04 04:46:06 -07:00


# Extra SELinux allow rules for the recovery domain, plus one rule for adbd.
# Everything is wrapped in recovery_only(), which is defined outside this
# file; in AOSP it emits its argument only when the policy is built for
# recovery, so these grants should not reach the normal boot policy.
# NOTE: the body below is a single quoted m4 argument. Do not use backquote
# or apostrophe characters in comments inside it, they would end the quote.
recovery_only(`
# Secure adb (setup_adbd)
# adbd only gets directory search on the key store. Recovery gets read-only
# access (r_dir_perms / r_file_perms) to the directory and the key files.
# Nothing here grants write access to the adb keys.
allow adbd adb_keys_file:dir search;
allow recovery adb_keys_file:dir r_dir_perms;
allow recovery adb_keys_file:file r_file_perms;
# Lets recovery set any property labeled shell_prop. Which property names
# carry that label is decided in property_contexts, not visible here.
allow recovery shell_prop:property_service set;
# Recovery dialogs
# Recovery may connect to the vold socket and create socket files on tmpfs.
unix_socket_connect(recovery, vold, vold)
allow recovery tmpfs:sock_file create_file_perms;
# Read packages.xml
# Disabled: would give recovery read access to every system_data_file file.
#allow recovery system_data_file:file r_file_perms;
# Manage fstab and /adb_keys
# Disabled: would let recovery create, link and remove entries on rootfs.
#allow recovery rootfs:file create_file_perms;
#allow recovery rootfs:file link;
#allow recovery rootfs:dir { write create rmdir add_name remove_name };
# Read storage files and directories
# Apart from mounting on tmpfs directories, the storage grants are read-only:
# media_rw_data_file, vfat and sdcard_type are readable but not writable.
# NOTE(review): vfat may already be covered by the sdcard_type attribute,
# which would make the vfat rules redundant - confirm against the base policy.
allow recovery tmpfs:dir mounton;
allow recovery media_rw_data_file:dir r_dir_perms;
allow recovery media_rw_data_file:file r_file_perms;
allow recovery vfat:dir r_dir_perms;
allow recovery vfat:file r_file_perms;
allow recovery sdcard_type:dir r_dir_perms;
allow recovery sdcard_type:file r_file_perms;
# Control properties
allow recovery recovery_prop:property_service set;
# Set property sys.usb.ffs.ready
allow recovery ffs_prop:property_service set;
# recursive rm for wipes... :(
# NOTE(review): the rules below are disabled. As written they would let
# recovery modify and unlink objects of every file_type, so re-enabling them
# should be scoped to the types a wipe actually has to touch.
#allow app_data_file self:filesystem associate;
#allow recovery app_data_file:file { read open create write };
#allow recovery app_data_file:filesystem { relabelto relabelfrom mount unmount };
#allow recovery file_type:dir { rw_dir_perms rmdir };
#allow recovery file_type:notdevfile_class_set { unlink getattr };
# wipe saves and restores the layout version
# Disabled: would let recovery create and write install_data_file and
# system_data_file files.
#allow recovery install_data_file:file create_file_perms;
#allow recovery system_data_file:file create_file_perms;
# /cache/recovery things: command and logs
# Full create/write access, limited to the cache_recovery_file type.
allow recovery cache_recovery_file:dir create_dir_perms;
allow recovery cache_recovery_file:file create_file_perms;
# set system properties for various things
# NOTE(review): this covers every property labeled system_prop, which is a
# wide grant. If recovery only needs a few properties, a dedicated property
# type would keep this closer to least privilege - confirm which are set.
allow recovery system_prop:property_service set;
')