type shell, domain, mlstrustedsubject;
type shell_exec, file_type;
domain_auto_trans(init, shell_exec, shell)
allow shell rootfs:dir r_dir_perms;
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
allow shell input_device:chr_file rw_file_perms;
allow shell system_file:file x_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;

# Access sdcard.
allow shell sdcard_type:dir rw_dir_perms;
allow shell sdcard_type:file create_file_perms;

r_dir_file(shell, apk_data_file)
allow shell dalvikcache_data_file:file { write setattr };

# Run logcat.
allow shell log_device:chr_file r_file_perms;

# Run app_process.
# XXX Split into its own domain?
app_domain(shell)

# Property Service
allow shell shell_prop:property_service set;

# setprop toolbox command
unix_socket_connect(shell, property, init)

# ctl interface
allow shell ctl_dumpstate_prop:property_service set;