ocontexts - platform/external/sepolicy - Git at Google

 sid kernel u:r:kernel:s0
 sid security u:object_r:kernel:s0
 sid unlabeled u:object_r:unlabeled:s0
 sid fs u:object_r:labeledfs:s0
 sid file u:object_r:unlabeled:s0
 sid file_labels u:object_r:unlabeled:s0
 sid init u:object_r:unlabeled:s0
 sid any_socket u:object_r:unlabeled:s0
 sid port u:object_r:port:s0
 sid netif u:object_r:netif:s0
 sid netmsg u:object_r:unlabeled:s0
 sid node u:object_r:node:s0
 sid igmp_packet u:object_r:unlabeled:s0
 sid icmp_socket u:object_r:unlabeled:s0
 sid tcp_socket u:object_r:unlabeled:s0
 sid sysctl_modprobe u:object_r:unlabeled:s0
 sid sysctl u:object_r:proc:s0
 sid sysctl_fs u:object_r:unlabeled:s0
 sid sysctl_kernel u:object_r:unlabeled:s0
 sid sysctl_net u:object_r:unlabeled:s0
 sid sysctl_net_unix u:object_r:unlabeled:s0
 sid sysctl_vm u:object_r:unlabeled:s0
 sid sysctl_dev u:object_r:unlabeled:s0
 sid kmod u:object_r:unlabeled:s0
 sid policy u:object_r:unlabeled:s0
 sid scmp_packet u:object_r:unlabeled:s0
 sid devnull u:object_r:null_device:s0

 # Label inodes via getxattr.
 fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
 fs_use_xattr jffs2 u:object_r:labeledfs:s0;
 fs_use_xattr ext2 u:object_r:labeledfs:s0;
 fs_use_xattr ext3 u:object_r:labeledfs:s0;
 fs_use_xattr ext4 u:object_r:labeledfs:s0;
 fs_use_xattr xfs u:object_r:labeledfs:s0;
 fs_use_xattr btrfs u:object_r:labeledfs:s0;

 # Label inodes from task label.
 fs_use_task pipefs u:object_r:pipefs:s0;
 fs_use_task sockfs u:object_r:sockfs:s0;

 # Label inodes from combination of task label and fs label.
 # Define type_transition rules if you want per-domain types.
 fs_use_trans devpts u:object_r:devpts:s0;
 fs_use_trans tmpfs u:object_r:tmpfs:s0;
 fs_use_trans devtmpfs u:object_r:device:s0;
 fs_use_trans shm u:object_r:shm:s0;
 fs_use_trans mqueue u:object_r:mqueue:s0;

 # Label inodes with the fs label.
 genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:sdcard:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:sdcard:s0

 # portcon statements go here, e.g.
 # portcon tcp 80 u:object_r:http_port:s0
	sid kernel u:r:kernel:s0
	sid security u:object_r:kernel:s0
	sid unlabeled u:object_r:unlabeled:s0
	sid fs u:object_r:labeledfs:s0
	sid file u:object_r:unlabeled:s0
	sid file_labels u:object_r:unlabeled:s0
	sid init u:object_r:unlabeled:s0
	sid any_socket u:object_r:unlabeled:s0
	sid port u:object_r:port:s0
	sid netif u:object_r:netif:s0
	sid netmsg u:object_r:unlabeled:s0
	sid node u:object_r:node:s0
	sid igmp_packet u:object_r:unlabeled:s0
	sid icmp_socket u:object_r:unlabeled:s0
	sid tcp_socket u:object_r:unlabeled:s0
	sid sysctl_modprobe u:object_r:unlabeled:s0
	sid sysctl u:object_r:proc:s0
	sid sysctl_fs u:object_r:unlabeled:s0
	sid sysctl_kernel u:object_r:unlabeled:s0
	sid sysctl_net u:object_r:unlabeled:s0
	sid sysctl_net_unix u:object_r:unlabeled:s0
	sid sysctl_vm u:object_r:unlabeled:s0
	sid sysctl_dev u:object_r:unlabeled:s0
	sid kmod u:object_r:unlabeled:s0
	sid policy u:object_r:unlabeled:s0
	sid scmp_packet u:object_r:unlabeled:s0
	sid devnull u:object_r:null_device:s0

	# Label inodes via getxattr.
	fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
	fs_use_xattr jffs2 u:object_r:labeledfs:s0;
	fs_use_xattr ext2 u:object_r:labeledfs:s0;
	fs_use_xattr ext3 u:object_r:labeledfs:s0;
	fs_use_xattr ext4 u:object_r:labeledfs:s0;
	fs_use_xattr xfs u:object_r:labeledfs:s0;
	fs_use_xattr btrfs u:object_r:labeledfs:s0;

	# Label inodes from task label.
	fs_use_task pipefs u:object_r:pipefs:s0;
	fs_use_task sockfs u:object_r:sockfs:s0;

	# Label inodes from combination of task label and fs label.
	# Define type_transition rules if you want per-domain types.
	fs_use_trans devpts u:object_r:devpts:s0;
	fs_use_trans tmpfs u:object_r:tmpfs:s0;
	fs_use_trans devtmpfs u:object_r:device:s0;
	fs_use_trans shm u:object_r:shm:s0;
	fs_use_trans mqueue u:object_r:mqueue:s0;

	# Label inodes with the fs label.
	genfscon rootfs / u:object_r:rootfs:s0
	# proc labeling can be further refined (longest matching prefix).
	genfscon proc / u:object_r:proc:s0
	genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid:s0
	# selinuxfs booleans can be individually labeled.
	genfscon selinuxfs / u:object_r:selinuxfs:s0
	genfscon cgroup / u:object_r:cgroup:s0
	# sysfs labels can be set by userspace.
	genfscon sysfs / u:object_r:sysfs:s0
	genfscon inotifyfs / u:object_r:inotify:s0
	genfscon vfat / u:object_r:sdcard:s0
	genfscon debugfs / u:object_r:debugfs:s0
	genfscon fuse / u:object_r:sdcard:s0

	# portcon statements go here, e.g.
	# portcon tcp 80 u:object_r:http_port:s0