domain_trans(init, rootfs, vold)

# Allow vold to manage ASEC
allow vold sdcard_external:file create_file_perms;
allow vold vold_tmpfs:file create_file_perms;

# Allow vold to access fuse for fuse-based fs
allow vold fuse_device:chr_file rw_file_perms;

# NTFS-3g wants to drop permission
allow vold self:capability { setgid setuid };

# Vold can also run as minivold in the rootfs
recovery_only(`
  allow vold rootfs:dir { add_name write };
  allow vold rootfs:file execute_no_trans;
  allow vold vold_tmpfs:file link;
')

# External storage
allow vold storage_stub_file:dir { rw_file_perms search add_name };
allow vold mnt_media_rw_stub_file:dir r_dir_perms;
allow vold mkfs_exec:file { execute read open execute_no_trans };