| author | rogersb11 <brettrogers11@gmail.com> | 2015-11-12 04:06:26 -0500 |
|---|---|---|
| committer | rogersb11 <brettrogers11@gmail.com> | 2015-11-12 04:11:14 -0500 |
| commit | c3d43d2b47748f5e0278f01371398ed3e65ccdab (patch) | |
| tree | 38dc7355856a56cc385184b74d79c10b14176e56 | |
| parent | 01fd7d495b2b9a5a0f107fe46cff7be78adf66c2 (diff) | |
| download | device_samsung_t0lte-c3d43d2b47748f5e0278f01371398ed3e65ccdab.tar.gz device_samsung_t0lte-c3d43d2b47748f5e0278f01371398ed3e65ccdab.tar.bz2 device_samsung_t0lte-c3d43d2b47748f5e0278f01371398ed3e65ccdab.zip | |
Revert "Remove device specific SEPolicy"
Will follow with policy updates
This reverts commit 8e368fa918f244e214ee8bd53ce332ce6ad74663.
Change-Id: I58247300df68442709b44623e29b1bee0c6d5496
| -rw-r--r-- | BoardCommonConfig.mk | 3 | ||||
| -rw-r--r-- | selinux/bluetooth.te | 2 | ||||
| -rw-r--r-- | selinux/device.te | 27 | ||||
| -rwxr-xr-x | selinux/dhcp.te | 1 | ||||
| -rw-r--r-- | selinux/domain.te | 7 | ||||
| -rw-r--r-- | selinux/file.te | 30 | ||||
| -rw-r--r-- | selinux/file_contexts | 76 | ||||
| -rw-r--r-- | selinux/init.te | 14 | ||||
| -rwxr-xr-x | selinux/kickstart.te | 52 | ||||
| -rw-r--r-- | selinux/logd.te | 2 | ||||
| -rw-r--r-- | selinux/mediaserver.te | 9 | ||||
| -rw-r--r-- | selinux/netd.te | 1 | ||||
| -rwxr-xr-x | selinux/netmgrd.te | 33 | ||||
| -rw-r--r-- | selinux/nfc.te | 1 | ||||
| -rw-r--r-- | selinux/qmiproxy.te | 5 | ||||
| -rw-r--r-- | selinux/qmuxd.te | 51 | ||||
| -rw-r--r-- | selinux/radio.te | 4 | ||||
| -rwxr-xr-x | selinux/rild.te | 29 | ||||
| -rw-r--r-- | selinux/secril.te | 38 | ||||
| -rw-r--r-- | selinux/servicemanager.te | 9 | ||||
| -rw-r--r-- | selinux/sysinit.te | 4 | ||||
| -rwxr-xr-x | selinux/system.te | 11 | ||||
| -rw-r--r-- | selinux/system_app.te | 2 | ||||
| -rw-r--r-- | selinux/system_server.te | 5 | ||||
| -rwxr-xr-x | selinux/te_macros | 13 | ||||
| -rw-r--r-- | selinux/time_daemon.te | 21 | ||||
| -rw-r--r-- | selinux/ueventd.te | 7 | ||||
| -rw-r--r-- | selinux/vold.te | 2 | ||||
| -rw-r--r-- | selinux/wpa.te | 7 | ||||
| -rwxr-xr-x | selinux/wpa_supplicant.te | 10 | ||||
| -rw-r--r-- | selinux/zygote.te | 3 |
31 files changed, 479 insertions, 0 deletions
diff --git a/BoardCommonConfig.mk b/BoardCommonConfig.mk
index 3bd0668..3d22f0a 100644
--- a/BoardCommonConfig.mk
+++ b/BoardCommonConfig.mk
@@ -43,3 +43,6 @@ RECOVERY_FSTAB_VERSION := 2 # assert TARGET_OTA_ASSERT_DEVICE := t0lte,t0ltexx,GT-N7105,t0ltedv,GT-N7105T,t0lteatt,SGH-I317,t0ltetmo,SGH-T889,t0ltecan,t0ltevl,SGH-I317M
+
+# Selinux
+BOARD_SEPOLICY_DIRS += \device/samsung/t0lte/selinux
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
new file mode 100644
index 0000000..a6e68b8
--- /dev/null
+++ b/selinux/bluetooth.te
@@ -0,0 +1,2 @@
+allow bluetooth smd_device:chr_file { read write ioctl open };
+allow bluetooth sysfs:file { write };
\ No newline at end of file
diff --git a/selinux/device.te b/selinux/device.te
new file mode 100644
index 0000000..e4cec2d
--- /dev/null
+++ b/selinux/device.te
@@ -0,0 +1,27 @@
+type mali_device, dev_type, mlstrustedobject;
+type mfc_device, dev_type;
+type rfkill_device, dev_type;
+type wlan_device, dev_type;
+type modem_block_device, dev_type;
+type diagnostic_device, dev_type;
+type efs_block_device, dev_type;
+type mmc_block_device, dev_type;
+
+#SSR device
+type ssr_device, dev_type;
+
+#device type for smd device nodes, ie /dev/smd*
+type smd_device, dev_type;
+
+#Define the hsic device
+type hsic_device, dev_type;
+
+#Define the mhi device
+type mhi_device, dev_type;
+
+#Define the logging device type
+type diag_device, dev_type;
+type smem_log_device, dev_type;
+
+#Define rct device type for time daemon
+type rtc_device, dev_type;
diff --git a/selinux/dhcp.te b/selinux/dhcp.te
new file mode 100755
index 0000000..c403b9b
--- /dev/null
+++ b/selinux/dhcp.te
@@ -0,0 +1 @@
+allow dhcp self:rawip_socket { create write setopt };
diff --git a/selinux/domain.te b/selinux/domain.te
new file mode 100644
index 0000000..56c2d49
--- /dev/null
+++ b/selinux/domain.te
@@ -0,0 +1,7 @@
+## /dev/mali, /dev/ump
+allow domain mali_device:chr_file rw_file_perms;
+
+userdebug_or_eng(`
+ allow domain diag_device:chr_file rw_file_perms;
+')
+
diff --git a/selinux/file.te b/selinux/file.te
new file mode 100644
index 0000000..07e5b83
--- /dev/null
+++ b/selinux/file.te
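Review bot: `allow bluetooth sysfs:file { write };` grants write on every node under /sys that still carries the generic sysfs label, far wider than whatever single attribute the Bluetooth stack toggles. The same generic-sysfs write is repeated in kickstart.te (`sysfs:file rw_file_perms`, with an XXX comment admitting it), qmuxd.te (`sysfs:file w_file_perms`), secril.te (`sysfs:file rw_file_perms`) and system.te (`sysfs:file { read open write }`). This commit already demonstrates the narrow pattern for mdnie and the vibrator: declare a type in file.te, label the node in file_contexts, and allow only that type; each of the five generic rules should be converted the same way, with the labelled path named in a comment.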
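Review bot: Most of the device types declared here have no matching entry in the file_contexts added by this commit — smd_device, ssr_device, hsic_device, mhi_device, smem_log_device, rtc_device, wlan_device, modem_block_device, efs_block_device and diag_device all go unlabelled. Unless another policy directory or genfs_contexts labels those nodes, the allow rules that reference them in bluetooth.te, qmuxd.te, rild.te, time_daemon.te and wpa.te never match and the real nodes stay under the generic device label, which is presumably what the `device:chr_file { ioctl }` rule in system_server.te is papering over. There also appear to be two types for the same diagnostic node: diagnostic_device is labelled on /dev/diag and used by netmgrd, rild and system_server, while diag_device is used by domain.te and qmuxd.te but labelled nowhere; one of them should go, with a comment such as `# /dev/diag — modem diagnostic channel, shared by qmuxd/netmgrd/rild` on the survivor.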
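Review bot: `allow domain mali_device:chr_file rw_file_perms;` gives every process domain in the policy, including untrusted and isolated app domains and daemons with no rendering role, read/write on /dev/mali, /dev/ump and /dev/fimg2d, and device.te additionally marks the type mlstrustedobject. If the consumers are the app domains plus a few graphics services, scoping the rule — `allow appdomain mali_device:chr_file rw_file_perms;` together with the specific system domains that compose — keeps the GPU driver's ioctl surface away from the rest of the system. It is also worth checking whether the base policy's existing gpu_device type could be reused for these nodes instead of a device-specific type, so the base rules apply rather than being duplicated here.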
@@ -0,0 +1,30 @@
+type radio_efs_file, fs_type, contextmount_type;
+
+type firmware_mfc, file_type;
+type firmware_camera, file_type;
+
+type mdnie_sysfs, file_type;
+type vib_sysfs, file_type;
+
+type qmuxd_socket, file_type;
+type kickstart_data_file, file_type, data_file_type;
+type sensors_data_file, file_type, data_file_type;
+type volume_data_file, file_type, data_file_type;
+
+#File types required by mdm-helper
+type sysfs_esoc, sysfs_type, fs_type;
+type sysfs_ssr, sysfs_type, fs_type;
+type sysfs_ssr_toggle, sysfs_type, file_type;
+type sysfs_hsic, sysfs_type, fs_type;
+type sysfs_hsic_host_rdy, sysfs_type, file_type;
+
+#Define the timeout for platform specific transports
+type sysfs_hsic_modem_wait, sysfs_type, fs_type;
+type sysfs_smd_open_timeout, sysfs_type, fs_type;
+
+# Persist file types
+type persist_file, file_type;
+type persist_data_file, file_type;
+type persist_drm_file, file_type;
+type data_drm_file, file_type;
+
diff --git a/selinux/file_contexts b/selinux/file_contexts
new file mode 100644
index 0000000..c42fa2c
--- /dev/null
+++ b/selinux/file_contexts
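Review bot: The sysfs type declarations mix two attribute sets — sysfs_esoc, sysfs_ssr, sysfs_hsic, sysfs_hsic_modem_wait and sysfs_smd_open_timeout are `sysfs_type, fs_type`, while sysfs_ssr_toggle and sysfs_hsic_host_rdy are `sysfs_type, file_type`. Base-policy attribute rules and neverallows key on fs_type versus file_type, so the two groups will be treated differently by rules that were presumably meant to apply uniformly; pick one form for all seven and note any deliberate exception. Separately, none of these sysfs_* types, nor persist_file, persist_data_file, persist_drm_file or data_drm_file, is given a path in the file_contexts added by this commit, so rules such as `allow qmuxd sysfs_hsic_modem_wait:file w_file_perms;` cannot match anything until the nodes are labelled.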
@@ -0,0 +1,76 @@
+# GFX
+/dev/mali u:object_r:mali_device:s0
+/dev/ump u:object_r:mali_device:s0
+/dev/fimg2d u:object_r:mali_device:s0
+
+/dev/s3c-mfc u:object_r:mfc_device:s0
+
+# RIL
+/dev/mdm u:object_r:radio_device:s0
+/dev/hsicctl[0-3]* u:object_r:radio_device:s0
+/dev/ttyUSB0 u:object_r:radio_device:s0
+/dev/diag u:object_r:diagnostic_device:s0
+
+# GPS
+/dev/ttySAC1 u:object_r:gps_device:s0
+
+# Bluetooth
+/dev/ttySAC0 u:object_r:hci_attach_dev:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
+
+# Sensors
+/dev/akm8963 u:object_r:sensors_device:s0
+/efs/gyro_cal_data u:object_r:sensors_data_file:s0
+
+# Camera
+/data/ISP_CV u:object_r:camera_data_file:s0
+/dev/exynos-mem u:object_r:video_device:s0
+
+# For wpa_supp
+/dev/rfkill u:object_r:rfkill_device:s0
+
+# Firmwares
+/system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0
+/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
+/data/cfw(/.*)? u:object_r:firmware_camera:s0
+/tombstones u:object_r:system_data_file:s0
+/tombstones(/.*)? u:object_r:tombstone_data_file:s0
+/tombstones/qcks(/.*)? 
u:object_r:kickstart_data_file:s0
+
+# MDNIE
+/sys/class/mdnie/mdnie/scenario u:object_r:mdnie_sysfs:s0
+/sys/class/mdnie/mdnie/mode u:object_r:mdnie_sysfs:s0
+/sys/class/mdnie/mdnie/negative u:object_r:mdnie_sysfs:s0
+/sys/class/lcd/panel/power_reduce u:object_r:mdnie_sysfs:s0
+
+# Vibrator
+/dev/tspdrv u:object_r:input_device:s0
+/sys/vibrator/pwm_val u:object_r:vib_sysfs:s0
+
+# Wifi
+/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
+
+# Sec-ril
+/efs/FactoryApp/keystr u:object_r:efs_file:s0
+/efs/FactoryApp/factorymode u:object_r:efs_file:s0
+/efs/FactoryApp/serial_no u:object_r:efs_file:s0
+/data/misc/radio/ramdumpmode.txt u:object_r:radio_data_file:s0
+/data/misc/radio/dlnk u:object_r:radio_data_file:s0
+
+# Binaries
+/system/bin/qmuxd u:object_r:qmuxd_exec:s0
+/system/bin/efsks u:object_r:kickstart_exec:s0
+/system/bin/ks u:object_r:kickstart_exec:s0
+/system/bin/qcks u:object_r:kickstart_exec:s0
+
+# Sockets
+/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0
+
+# Block devices
+/dev/block/mmcblk0(.*) u:object_r:mmc_block_device:s0
+
+# Audio related
+/data/local/audio(/.*)? u:object_r:volume_data_file:s0
diff --git a/selinux/init.te b/selinux/init.te
new file mode 100644
index 0000000..2fdff9a
--- /dev/null
+++ b/selinux/init.te
@@ -0,0 +1,14 @@
+allow init wpa_socket:unix_dgram_socket { bind create };
+allow init su_exec:file { execute_no_trans };
+allow init init:process { execmem };
+allow init init:capability { sys_module };
+allow init radio_efs_file:filesystem { relabelto };
+allow init app_data_file:dir { read open setattr getattr relabelfrom };
+
+allow init_shell kernel:system { syslog_mod };
+allow init init:packet_socket { create bind write read };
+allow init init:rawip_socket { create setopt write };
+
+allow init_shell init:packet_socket { read write };
+
+
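Review bot: `/dev/block/mmcblk0(.*) u:object_r:mmc_block_device:s0` labels the whole eMMC and every partition on it — boot, recovery, system, userdata — with a single type, so the `mmc_block_device:blk_file` write rules in kickstart.te and vold.te become raw write access to any partition rather than to the modem EFS partitions the kickstart.te comments describe. The by-name symlinks for the partitions those daemons actually touch should get their own types (the commit already declares modem_block_device and efs_block_device in device.te but never labels anything with them), leaving the catch-all under a type no daemon is allowed to write. Note also that the file_contexts hunk's first line is on the previous page line, so the entry for /tombstones/qcks is split across two lines in this rendering.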
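Review bot: `allow init su_exec:file { execute_no_trans };` together with `allow init init:process { execmem };` and `allow init init:capability { sys_module };` widens the most privileged domain on the device: init running the su binary in its own context, mapping writable-and-executable memory, and loading kernel modules are each things later AOSP releases forbid outright, so these rules will block a rebase and they hide which init.*.rc service actually needs them. Whatever that service is should get its own domain through init_daemon_domain, as kickstart.te and netmgrd.te do in this commit, so the permission lands on the consumer rather than on init. The execmem pattern recurs in kickstart.te, netmgrd.te, qmuxd.te, rild.te and secril.te and deserves the same scrutiny; a comment on each naming the binary that needs an executable heap would let later maintainers drop the rule once that binary is fixed.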
diff --git a/selinux/kickstart.te b/selinux/kickstart.te
new file mode 100755
index 0000000..d663145
--- /dev/null
+++ b/selinux/kickstart.te
@@ -0,0 +1,52 @@
+# kickstart processes and scripts
+type kickstart, domain;
+type kickstart_exec, exec_type, file_type;
+
+# kickstart_checker.sh talks to init over the property socket
+unix_socket_connect(kickstart, property, init)
+
+# Start /system/bin/qcks from init
+init_daemon_domain(kickstart)
+
+# Spawn /system/bin/efsks and /system/bin/ks
+allow kickstart kickstart_exec:file { open execute_no_trans getattr };
+
+# Run dd on m9kefs[123] block devices; write to /data/qcks/
+# Run cat on firmware and m9kefs[123] data; write to /data/qcks/
+allow kickstart mmc_block_device:blk_file { getattr read write open };
+allow kickstart kickstart_data_file:file create_file_perms;
+allow kickstart kickstart_data_file:dir rw_dir_perms;
+allow kickstart radio_efs_file:file r_file_perms;
+allow kickstart radio_efs_file:dir search;
+
+# Let qcks access /dev/mdm node (modem driver)
+allow kickstart radio_device:chr_file rw_file_perms;
+
+# Allow /dev/ttyUSB0 access
+allow kickstart radio_device:chr_file { write ioctl getattr };
+
+# Allow to run toolbox commands
+allow kickstart shell_exec:file rx_file_perms;
+# Toolbox commands for firmware dd
+allow kickstart system_file:file execute_no_trans;
+
+# Access to /dev/block/platform/msm_sdcc.1/by-name/m9kefs2
+allow kickstart block_device:dir { getattr write search };
+
+# Set system property key
+allow kickstart radio_prop:property_service set;
+
+allow kickstart shell_exec:file entrypoint;
+# ls on /data/qcks/
+allow kickstart self:capability { dac_override setuid };
+
+# XXX Label sysfs files with a specific type?
+allow kickstart sysfs:file rw_file_perms;
+
+allow kickstart unlabeled:file { setattr getattr read write open };
+allow kickstart vfat:file { getattr read open };
+allow kickstart kickstart:process { execmem };
+#allow kickstart usbfs:filesystem { mount };
+allow kickstart usbfs:dir { search };
+#allow kickstart system_file:file { entrypoint };
+allow kickstart vfat:dir { search };
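Review bot: `allow kickstart mmc_block_device:blk_file { getattr read write open };` is described by the comment above it as dd on the m9kefs[123] partitions, but with `/dev/block/mmcblk0(.*)` labelled mmc_block_device in file_contexts the rule gives kickstart raw write on every partition of the eMMC. Labelling the three EFS partition nodes with their own type (efs_block_device is already declared in device.te) and allowing only that type keeps the permission to what the comment promises. `allow kickstart unlabeled:file { setattr getattr read write open };` is the other catch-all to narrow: a rule on unlabeled means some file kickstart needs has no label, and the fix is to find and label it rather than to trust every unlabelled file. Finally, `shell_exec:file entrypoint` plus `kickstart:process { execmem }` and `self:capability { dac_override setuid }` make this a fairly capable domain, so `block_device:dir { getattr write search }` should say in a comment why write on the directory is needed (write there means creating or removing nodes, which search alone would not require).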
diff --git a/selinux/logd.te b/selinux/logd.te
new file mode 100644
index 0000000..d2378fd
--- /dev/null
+++ b/selinux/logd.te
@@ -0,0 +1,2 @@
+allow logd location_app:dir r_dir_perms;
+allow logd location_app:file r_file_perms;
\ No newline at end of file
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
new file mode 100644
index 0000000..65550ce
--- /dev/null
+++ b/selinux/mediaserver.te
@@ -0,0 +1,9 @@
+qmux_socket(mediaserver);
+allow mediaserver self:socket create_socket_perms;
+allow mediaserver { firmware_camera }:file r_file_perms;
+allow mediaserver firmware_camera:dir r_dir_perms;
+allow mediaserver camera_data_file:file rw_file_perms;
+allow mediaserver volume_data_file:file create_file_perms;
+allow mediaserver volume_data_file:dir create_dir_perms;
+allow mediaserver mfc_device:chr_file rw_file_perms;
+allow mediaserver system_data_file:file { write open };
diff --git a/selinux/netd.te b/selinux/netd.te
new file mode 100644
index 0000000..0fb1b6a
--- /dev/null
+++ b/selinux/netd.te
@@ -0,0 +1 @@
+allow netd kernel:system { module_request };
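Review bot: `allow mediaserver system_data_file:file { write open };` lets the media server open for writing any file under /data that still carries the default system_data_file label, which is most of /data outside the app directories; the commit already shows the right shape two lines above, where /data/local/audio gets its own volume_data_file type. Whichever file this rule was added for should be labelled the same way and the generic rule dropped. `allow mediaserver self:socket create_socket_perms;` on the generic socket class is also worth a comment naming the socket family it covers, since the specific classes (udp_socket, netlink_socket, …) are what the rest of this policy uses.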
\ No newline at end of file
diff --git a/selinux/netmgrd.te b/selinux/netmgrd.te
new file mode 100755
index 0000000..0f31fad
--- /dev/null
+++ b/selinux/netmgrd.te
@@ -0,0 +1,33 @@
+# Network utilities (radio process)
+type netmgrd, domain;
+type netmgrd_exec, exec_type, file_type;
+
+net_domain(netmgrd)
+# Started by init
+init_daemon_domain(netmgrd)
+
+
+allow netmgrd self:udp_socket { create ioctl };
+# fsetid, dac_override unlink on /dev/socket/qmux_radio/qmux_client_socket
+allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
+allow netmgrd self:packet_socket { write bind read create };
+allow netmgrd self:netlink_socket { write read create bind setopt };
+allow netmgrd self:netlink_route_socket { create bind read write nlmsg_read nlmsg_write setopt getattr };
+allow netmgrd kernel:system module_request;
+
+# Talk to qmuxd
+qmux_socket(netmgrd)
+
+# Allow logging diagnostic items
+allow netmgrd diagnostic_device:chr_file rw_file_perms;
+
+# /data/data_test/ access with shell
+allow netmgrd shell_exec:file { execute read open execute_no_trans };
+allow netmgrd system_file:file { execute_no_trans };
+
+# Talk to init over the property socket
+unix_socket_connect(netmgrd, property, init)
+# Set net.rmnet_usb0. values
+allow netmgrd radio_prop:property_service set;
+
+allow netmgrd netmgrd:process { execmem };
diff --git a/selinux/nfc.te b/selinux/nfc.te
new file mode 100644
index 0000000..9c8c37a
--- /dev/null
+++ b/selinux/nfc.te
@@ -0,0 +1 @@
+allow nfc firmware_camera:dir { search };
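Review bot: `allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };` plus `kernel:system module_request` lets a network-facing daemon load kernel modules and bypass DAC, while the comment above it only justifies fsetid and dac_override for a socket unlink; the identical capability set is copied verbatim into secril.te. Each of the remaining capabilities needs either a comment naming the operation it resolves or removal, and sys_module in particular — also handed to init, system_server (system.te), netd and vold in this commit — is usually better served by having init load the required modules at boot so no long-running daemon carries it. The `shell_exec:file { execute read open execute_no_trans }` and `system_file:file { execute_no_trans }` pair, annotated only as "/data/data_test/ access with shell", looks like a debugging leftover and should at least be wrapped in `userdebug_or_eng(...)` as qmuxd.te does for its shell transitions.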
\ No newline at end of file
diff --git a/selinux/qmiproxy.te b/selinux/qmiproxy.te
new file mode 100644
index 0000000..5845fcd
--- /dev/null
+++ b/selinux/qmiproxy.te
@@ -0,0 +1,5 @@
+type qmiproxy, domain;
+type qmiproxy_exec, exec_type, file_type;
+
+net_domain(qmiproxy)
+init_daemon_domain(qmiproxy)
\ No newline at end of file
diff --git a/selinux/qmuxd.te b/selinux/qmuxd.te
new file mode 100644
index 0000000..da255f2
--- /dev/null
+++ b/selinux/qmuxd.te
@@ -0,0 +1,51 @@
+type qmuxd, domain;
+type qmuxd_exec, exec_type, file_type;
+net_domain(qmuxd)
+init_daemon_domain(qmuxd)
+
+userdebug_or_eng(`
+ domain_auto_trans(shell, qmuxd_exec, qmuxd)
+ domain_auto_trans(adbd, qmuxd_exec, qmuxd)
+')
+
+#Allow qmuxd to operate on various qmux device sockets
+#allow qmuxd qmux_radio_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_radio_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_audio_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_audio_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_gps_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_gps_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_bluetooth_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_bluetooth_socket:sock_file { create setattr getattr write unlink };
+
+qmux_socket(qmuxd);
+
+#Allow logging
+allow qmuxd diag_device:chr_file { rw_file_perms };
+
+#Allow operation in platform specific transports
+allow qmuxd smd_device:chr_file { rw_file_perms };
+allow qmuxd hsic_device:chr_file { rw_file_perms };
+
+#Allow qmuxd to operate in platform specific transports
+allow qmuxd sysfs_smd_open_timeout:file w_file_perms;
+allow qmuxd sysfs_wake_lock:file { append open };
+
+#Allow qmuxd to write in hsic specific transport
+allow qmuxd sysfs:file w_file_perms;
+allow qmuxd radio_device:file w_file_perms;
+
+allow qmuxd self:capability { setuid setgid setpcap dac_override };
+
+#Allow qmuxd to have the CAP_BLOCK_SUSPEND capability
+allow qmuxd qmuxd:capability2 { block_suspend };
+
+allow qmuxd sysfs_esoc:dir r_dir_perms;
+allow qmuxd sysfs_hsic_modem_wait:file w_file_perms;
+allow qmuxd sysfs_esoc:lnk_file read;
+
+r_dir_file(qmuxd, sysfs_ssr);
+allow qmuxd mhi_device:chr_file rw_file_perms;
+
+allow qmuxd qmuxd:process { execmem };
+allow qmuxd radio_device:chr_file {read write open };
\ No newline at end of file
diff --git a/selinux/radio.te b/selinux/radio.te
new file mode 100644
index 0000000..6dc99b0
--- /dev/null
+++ b/selinux/radio.te
@@ -0,0 +1,4 @@
+# Talk to qmuxd (/dev/socket/qmux_radio)
+qmux_socket(radio) ;
+
+allow radio secril-daemon:unix_stream_socket { connectto };
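Review bot: `allow qmuxd radio_device:file w_file_perms;` uses the file class on a type that file_contexts applies only to character device nodes (/dev/mdm, /dev/hsicctl*, /dev/ttyUSB0), so it can never match; the `radio_device:chr_file {read write open }` rule at the end of the file is the one doing the work, and the file-class line should be dropped. Under "Allow qmuxd to write in hsic specific transport", `allow qmuxd sysfs:file w_file_perms;` is the generic-sysfs write again, even though file.te declares sysfs_hsic and sysfs_hsic_host_rdy for exactly this purpose — label the HSIC nodes with those types and allow only them. As a point of style, `{ rw_file_perms }` wraps a macro that already expands to a brace list; the bare `rw_file_perms` form used for mhi_device in the same file is clearer, and the eight commented-out per-socket rules at the top are superseded by `qmux_socket(qmuxd)` and can go.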
\ No newline at end of file
diff --git a/selinux/rild.te b/selinux/rild.te
new file mode 100755
index 0000000..b81c43f
--- /dev/null
+++ b/selinux/rild.te
@@ -0,0 +1,29 @@
+#allow rild qmux_radio_socket:dir { write remove_name search add_name };
+#allow rild qmux_radio_socket:sock_file { write create unlink setattr };
+#allow rild qmuxd:unix_stream_socket connectto;
+qmux_socket(rild);
+binder_use(rild)
+
+allow rild ssr_device:chr_file { open read };
+allow rild sysfs_esoc:dir { search read open};
+allow rild sysfs_esoc:lnk_file { read };
+allow rild sysfs_esoc:file { write };
+allow rild sysfs_ssr:dir { open search read };
+allow rild sysfs_ssr:lnk_file { read open };
+
+allow rild mediaserver:binder { transfer call };
+
+#allow rild diag_device:chr_file { open read write };
+allow rild rild_socket:chr_file { open read write };
+
+allow rild sysfs_ssr:dir r_dir_perms;
+allow rild sysfs_ssr:lnk_file read;
+allow rild system_data_file:dir w_dir_perms;
+allow rild system_data_file:file create_file_perms;
+#allow rild time_daemon:unix_stream_socket connectto;
+
+allow rild rild:process execmem;
+allow rild diagnostic_device:chr_file { read write open };
+allow rild radio_data_file:dir { setattr };
+allow rild init:unix_stream_socket { read write };
+allow rild proc_net:file { write };
diff --git a/selinux/secril.te b/selinux/secril.te
new file mode 100644
index 0000000..1b1cc0a
--- /dev/null
+++ b/selinux/secril.te
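Review bot: `allow rild system_data_file:dir w_dir_perms;` and `allow rild system_data_file:file create_file_perms;` let the RIL create, write and delete files anywhere under /data that carries the default label, although the commit already has radio_data_file for /data/misc/radio and even grants `radio_data_file:dir { setattr }` a few lines down; the target of both rules should be radio_data_file, with the specific path labelled in file_contexts if it is not already. `allow rild rild_socket:chr_file { open read write };` pairs a socket-file type with the character-device class and so never matches — it reads like the commented-out diag_device line above it was edited rather than replaced, and should be removed. `allow rild init:unix_stream_socket { read write };` and `proc_net:file { write }` are also unusual for rild and each deserves a one-line comment naming the operation that needed it, so the rules can be revisited when the underlying binary changes.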
@@ -0,0 +1,38 @@
+# sec-ril
+type secril-daemon, domain;
+type secril-daemon_exec, exec_type, file_type;
+
+# Start /system/bin/sec-ril from init
+init_daemon_domain(secril-daemon)
+
+allow secril-daemon secril-daemon_exec:file { open execute_no_trans getattr };
+allow secril-daemon self:udp_socket { create ioctl };
+unix_socket_connect(secril-daemon, property, init)
+unix_socket_connect(secril-daemon, rild, rild)
+
+allow secril-daemon { efs_file }:file rw_file_perms;
+allow secril-daemon system_data_file:dir create_dir_perms;
+allow secril-daemon system_data_file:file unlink;
+allow secril-daemon radio_data_file:file { create_file_perms };
+allow secril-daemon kernel:system module_request;
+allow secril-daemon self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
+allow secril-daemon system_file:file x_file_perms;
+allow secril-daemon sysfs:file rw_file_perms;
+allow secril-daemon shell_exec:file rx_file_perms;
+allow secril-daemon app_data_file:file rw_file_perms;
+allow secril-daemon app_data_file:dir search;
+allow secril-daemon zygote_exec:file rx_file_perms;
+allow secril-daemon ashmem_device:chr_file x_file_perms;
+
+allow secril-daemon secril-daemon:process { execmem };
+allow secril-daemon unlabeled:dir { search };
+allow secril-daemon radio_prop:property_service { set };
+allow secril-daemon sysfs_wake_lock:file { read write open };
+allow secril-daemon unlabeled:file { read open getattr setattr };
+#allow secril-daemon system_file:file { entrypoint };
+allow secril-daemon radio_data_file:dir { search write add_name read open remove_name };
+allow secril-daemon efs_file:dir { search };
+allow secril-daemon rild_exec:file { entrypoint read };
+allow secril-daemon qmuxd_socket:dir { write add_name remove_name search };
+allow secril-daemon qmuxd_socket:sock_file { create setattr unlink };
+
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
new file mode 100644
index 0000000..f793106
--- /dev/null
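Review bot: `allow secril-daemon app_data_file:file rw_file_perms;` together with `app_data_file:dir search` lets the vendor RIL daemon read and modify the private data of every installed application, which is exactly the cross-app access the app_data_file label exists to prevent, and it is the single rule in this commit most worth removing. If sec-ril needs one particular file it should get its own label (radio_data_file is already used for /data/misc/radio in this commit), and the same applies to `system_data_file:dir create_dir_perms` and `unlabeled:file { read open getattr setattr }`. `zygote_exec:file rx_file_perms`, `ashmem_device:chr_file x_file_perms`, `rild_exec:file { entrypoint read }` and the full `{ sys_module ... net_admin net_raw dac_override }` capability set (copied from netmgrd.te) are each surprising for a radio daemon; a comment per rule naming the denial it resolves, e.g. `# sec-ril execs /system/bin/rild — see init.<device>.rc`, would let the next maintainer prune whatever was added only to silence an audit log.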
+++ b/selinux/servicemanager.te
@@ -0,0 +1,9 @@
+allow servicemanager rild:dir search;
+allow servicemanager rild:file r_file_perms;
+allow servicemanager rild:process getattr;
+allow servicemanager zygote:dir { search read open getattr };
+allow servicemanager zygote:file { read open };
+allow servicemanager zygote:process { getattr };
+allow servicemanager init:file rw_file_perms;
+allow servicemanager init:dir { search read open getattr };
+allow servicemanager init:process { getattr };
\ No newline at end of file
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
new file mode 100644
index 0000000..705bb8a
--- /dev/null
+++ b/selinux/sysinit.te
@@ -0,0 +1,4 @@
+allow sysinit mmc_block_device:file read;
+allow sysinit firmware_camera:dir { read search open getattr write remove_name add_name };
+allow sysinit firmware_camera:file { read open write getattr setattr create unlink };
+allow sysinit sysinit:capability { dac_override chown fowner fsetid };
diff --git a/selinux/system.te b/selinux/system.te
new file mode 100755
index 0000000..1160fd7
--- /dev/null
+++ b/selinux/system.te
@@ -0,0 +1,11 @@
+# Talk to qmuxd
+qmux_socket(system_server)
+
+allow system_server diagnostic_device:chr_file rw_file_perms;
+allow system_server sensors_device:chr_file { read open };
+allow system_server sensors_data_file:file r_file_perms;
+allow system_server wpa_socket:unix_dgram_socket sendto;
+allow system_app volume_data_file:file { read write open getattr };
+
+allow system_server sysfs:file { read open write };
+allow system_server self:capability { sys_module };
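Review bot: `allow servicemanager init:file rw_file_perms;` grants write on init's /proc entries, which servicemanager has no reason to need; the parallel rules for rild and zygote in the same hunk use only read permissions, and the init line should match them: `allow servicemanager init:file r_file_perms;`. With the three domains otherwise getting the same `dir search / file read / process getattr` triple, writing them as one rule over `{ rild zygote init }` would also make the intent (look up the caller's context) easier to see.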
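Review bot: `allow sysinit mmc_block_device:file read;` uses the regular-file class on a type that file_contexts applies only to block device nodes under /dev/block, so the rule cannot match; if sysinit really reads a partition it needs `blk_file`, and if it was added to silence a denial on some other file, that file should be labelled. The firmware_camera rules give sysinit create/unlink on a directory that ueventd, mediaserver and nfc only read, which is fine for a one-shot boot script but deserves a comment saying which files it populates so the write half can be confirmed as still needed.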
\ No newline at end of file
diff --git a/selinux/system_app.te b/selinux/system_app.te
new file mode 100644
index 0000000..22ee485
--- /dev/null
+++ b/selinux/system_app.te
@@ -0,0 +1,2 @@
+allow system_app mdnie_sysfs:file { write };
+allow system_app vib_sysfs:file { write };
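Review bot: The system_server rules are split between system.te and system_server.te, and system.te also carries the `allow system_app volume_data_file:file { read write open getattr };` line that belongs in system_app.te next to the other two system_app rules; consolidating each domain into the file named after it keeps later diffs readable. In system.te itself, `allow system_server self:capability { sys_module };` is a capability no framework process should hold, and `allow system_server sysfs:file { read open write };` is the generic-sysfs write pattern discussed on bluetooth.te — both should be replaced by a comment naming the concrete node or module and a rule scoped to it.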
\ No newline at end of file
diff --git a/selinux/system_server.te b/selinux/system_server.te
new file mode 100644
index 0000000..0bf317f
--- /dev/null
+++ b/selinux/system_server.te
@@ -0,0 +1,5 @@
+allow system_server device:chr_file { ioctl };
+allow system_server uhid_device:file { read write open ioctl };
+allow system_server uhid_device:chr_file { read write open ioctl };
+allow system_server efs_file:dir { search };
+allow system_server efs_file:file r_file_perms;
diff --git a/selinux/te_macros b/selinux/te_macros
new file mode 100755
index 0000000..8378501
--- /dev/null
+++ b/selinux/te_macros
@@ -0,0 +1,13 @@
+#####################################
+# qmux_socket(clientdomain)
+# Allow client domain to connecto and send
+# via a local socket to the qmux domain.
+# Also allow the client domain to remove
+# its own socket.
+define(`qmux_socket', `
+allow $1 qmuxd_socket:dir create_dir_perms;
+unix_socket_connect($1, qmuxd, qmuxd)
+allow $1 qmuxd_socket:sock_file { read getattr write setattr create unlink };
+')
+
+
diff --git a/selinux/time_daemon.te b/selinux/time_daemon.te
new file mode 100644
index 0000000..5793197
--- /dev/null
+++ b/selinux/time_daemon.te
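Review bot: `allow system_server device:chr_file { ioctl };` targets the generic device type, i.e. every node in /dev that has no specific label, so it amounts to ioctl on any unlabelled device now or in future rather than on the one node that produced the denial; that node should be labelled and the rule pointed at its type. `allow system_server uhid_device:file { read write open ioctl };` duplicates the chr_file rule below it with the wrong class (uhid is a character device) and can be dropped. For the efs_file rules a short comment naming the /efs files the framework reads (file_contexts in this commit labels the FactoryApp entries that way) would make the read grant reviewable.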
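Review bot: `allow $1 qmuxd_socket:dir create_dir_perms;` gives every qmux client (mediaserver, radio, rild, wpa, system_server, netmgrd and qmuxd itself) the right to create, rename and remove directories under /dev/socket/qmux_*, which is wider than the header comment's "connect, send, and remove its own socket". The commented-out rules in qmuxd.te and rild.te show that clients need `{ write add_name remove_name search }` on the directory, which `rw_dir_perms` covers, so `allow $1 qmuxd_socket:dir rw_dir_perms;` would match the documented intent — worth confirming against a client that creates its socket. The header also has a typo, "connecto" for "connect to", and would read better as `# Allow the client domain to connect to and send via a local socket to the qmuxd domain, and to create and remove its own client socket.`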
@@ -0,0 +1,21 @@
+# Policies for time daemon
+type time_daemon, domain;
+type time_daemon_exec, exec_type, file_type;
+type time_data_file, file_type, data_file_type;
+
+# Make transition to its own time_daemon domain from init
+init_daemon_domain(time_daemon)
+allow time_daemon smem_log_device:chr_file rw_file_perms;
+
+# Add rules for access permissions
+#============= IOCTL operations ==============
+allow time_daemon rtc_device:chr_file { open read ioctl };
+allow time_daemon alarm_device:chr_file { open read write ioctl };
+
+#============= File read/write ==============
+allow time_daemon time_data_file:file { write create open read};
+allow time_daemon time_data_file:dir { write add_name search};
+allow time_daemon self:socket { write read create ioctl};
+allow time_daemon self:capability { setuid setgid };
+
+r_dir_file(time_daemon, sysfs_esoc);
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
new file mode 100644
index 0000000..df589f0
--- /dev/null
+++ b/selinux/ueventd.te
@@ -0,0 +1,7 @@
+# Drivers read firmware files /firmware/image
+allow ueventd { radio_efs_file }:file r_file_perms;
+allow ueventd { radio_efs_file }:dir search;
+## More Firmwares
+allow ueventd { firmware_mfc }:file r_file_perms;
+allow ueventd { firmware_camera }:dir search;
+allow ueventd firmware_camera:file { read open getattr };
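Review bot: time_data_file is declared here but no path in this commit's file_contexts is labelled with it, and the same is true of rtc_device and smem_log_device from device.te, so the `time_data_file`, `rtc_device` and `smem_log_device` rules in this hunk will not take effect until the daemon's data directory and device nodes are labelled; a file_contexts entry for each (and a comment here naming the paths) is the missing half of the change. The permission sets also have inconsistent spacing inside braces (`{ write create open read}`), which is harmless to checkpolicy but at odds with the rest of the policy.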
\ No newline at end of file
diff --git a/selinux/vold.te b/selinux/vold.te
new file mode 100644
index 0000000..3487976
--- /dev/null
+++ b/selinux/vold.te
@@ -0,0 +1,2 @@
+allow vold kernel:system { module_request };
+allow vold mmc_block_device:blk_file { read write open ioctl getattr };
\ No newline at end of file
diff --git a/selinux/wpa.te b/selinux/wpa.te
new file mode 100644
index 0000000..32dc267
--- /dev/null
+++ b/selinux/wpa.te
@@ -0,0 +1,7 @@
+allow wpa persist_file:dir search;
+qmux_socket(wpa);
+
+allow wpa self:socket create_socket_perms;
+allow wpa smem_log_device:chr_file rw_file_perms;
+allow wpa proc_net:file write;
+allow wpa wifi_data_file:sock_file { write };
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
new file mode 100755
index 0000000..91a5c56
--- /dev/null
+++ b/selinux/wpa_supplicant.te
@@ -0,0 +1,10 @@
+allow wpa init:unix_dgram_socket { read write };
+
+# logwrapper used with wpa_supplicant
+allow wpa devpts:chr_file { read write };
+
+allow wpa wpa_socket:unix_dgram_socket { read write };
+allow wpa_socket system_server:unix_dgram_socket sendto;
+
+allow wpa_socket wifi_data_file:sock_file unlink;
+allow wpa rfkill_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/selinux/zygote.te b/selinux/zygote.te
new file mode 100644
index 0000000..d25d524
--- /dev/null
+++ b/selinux/zygote.te
@@ -0,0 +1,3 @@
+allow zygote shell_data_file:dir search;
+allow zygote devpts:chr_file { read write };
+allow zygote init_shell:process { sigchld }; |
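Review bot: `allow wpa_socket system_server:unix_dgram_socket sendto;` and `allow wpa_socket wifi_data_file:sock_file unlink;` name the file type wpa_socket as the subject; checkpolicy accepts that, but no process ever runs in a file type, so both rules are dead — presumably `wpa` was meant, as in the surrounding lines. The two files wpa.te and wpa_supplicant.te also both add rules for the single wpa domain, so merging them into one file avoids the split and makes the duplicate-subject mistake easier to spot. `allow wpa proc_net:file write;` in wpa.te is the one rule here that changes kernel state and should carry a comment naming the /proc/sys/net entry it writes.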
