android_system_sepolicy/clatd.te

# 464xlat daemon
type clatd, domain;
permissive_or_unconfined(clatd)
type clatd_exec, exec_type, file_type;

net_domain(clatd)

# Access objects inherited from netd.
allow clatd netd:fd use;
allow clatd netd:fifo_file { read write };
allow clatd netd:netlink_kobject_uevent_socket { read write };
allow clatd netd:netlink_nflog_socket { read write };
allow clatd netd:netlink_route_socket { read write };
allow clatd netd:udp_socket { read write };
allow clatd netd:unix_stream_socket { read write };

allow clatd self:capability { net_admin setuid setgid };

# TODO: Run clatd in vpn group to avoid need for this on /dev/tun.
allow clatd self:capability dac_override;

allow clatd self:netlink_route_socket { create_socket_perms nlmsg_write };
allow clatd self:tun_socket create_socket_perms;
allow clatd tun_device:chr_file rw_file_perms;
allow clatd proc_net:file rw_file_perms;;