| type cros_os_install_service, domain, chromeos_domain; |
| |
| domain_auto_trans_nnp(minijail, cros_os_install_service_exec, cros_os_install_service) |
| |
| log_writer(cros_os_install_service) |
| cros_dbus_client(cros_os_install_service) |
| |
| allow cros_os_install_service proc_cmdline:file r_file_perms; |
| |
| allow cros_os_install_service minijail:fifo_file r_file_perms; |
| allow cros_os_install_service minijail:fd use; |
| |
| filetrans_pattern(cros_os_install_service, cros_var_log_os_install_service, cros_var_log_os_install_service, file) |
| allow cros_os_install_service cros_var_log_os_install_service:file rw_file_perms; |
| |
| # Allow running chromeos-install |
| allow cros_os_install_service sh_exec:file rx_file_perms; |
| |
| # Allow mounting and unmounting the target stateful partition to copy the install log, these rules are needed only for Reven |
| no_arc(` |
| allow cros_os_install_service tmpfs:dir mounton; |
| allow cros_os_install_service cros_os_install_service:capability sys_admin; |
| allow cros_os_install_service kernel:process setsched; |
| allow cros_os_install_service labeledfs:filesystem { mount unmount }; |
| allow cros_os_install_service unlabeled:dir { search getattr write add_name create }; |
| ') |
