allow vold      self:capability { setgid setuid };
allow vold      fuse_device:chr_file rw_file_perms;
allow domain tty_device:chr_file rw_file_perms;
allow domain self:process execmem;
allow gpsd properties_device:chr_file rw_file_perms;
allow gpsd property_socket:sock_file rw_file_perms;
allow gpsd apk_data_file:dir rw_dir_perms;
allow gpsd apk_data_file:file create_file_perms;
allow gpsd properties_device:file rwx_file_perms;
allow gpsd init:unix_stream_socket connectto;
allow gpsd device:dir rw_dir_perms;
allow gpsd device:notdevfile_class_set create_file_perms;
allow gpsd devpts:chr_file create_file_perms;
allow {domain -untrusted_app -shell -isolated_app} graphics_device:chr_file rw_file_perms;
allow {domain -untrusted_app -shell -isolated_app} graphics_device:dir rw_dir_perms;
allow domain self:process execmem;
allow domain unlabeled:file { setattr getattr rename rw_file_perms };
allow domain unlabeled:dir { setattr getattr rename rw_dir_perms };
allow domain unlabeled:lnk_file { read };
allow domain ashmem_device:chr_file {execute};
dontaudit domain kernel:system module_request;