From d4ebad8aefa5861dd2f79ae979351316974c3a08 Mon Sep 17 00:00:00 2001 From: Yifan Hong Date: Tue, 16 Nov 2021 23:21:21 -0800 Subject: [PATCH] health: Update README.md for SELinux rule example Test: none Bug: 177269435 Change-Id: Ifd5ef99e7dd1c27fe9973daa65ad70714f86a46b --- health/aidl/README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/health/aidl/README.md b/health/aidl/README.md index 53a4f91201..3ee5232220 100644 --- a/health/aidl/README.md +++ b/health/aidl/README.md @@ -162,9 +162,26 @@ Add device specific permissions to the domain where the health HAL process is executed, especially if a device-specific `libhealthd` is used and/or device-specific storage related APIs are implemented. +Example (assuming that your health AIDL service runs in domain +`hal_health_tuna`: + +```text +type hal_health_tuna, domain; +hal_server_domain(hal_health_tuna, hal_health) +type hal_health_tuna_exec, exec_type, vendor_file_type, file_type; + +# allow hal_health_tuna ...; +``` + If you did not define a separate domain, the domain is likely `hal_health_default`. The device-specific rules for it is likely at `device///sepolicy/vendor/hal_health_default.te`. +In this case, the aforementioned SELinux rules and types has already been +defined. You only need to add device-specific permissions. + +```text +# allow hal_health_default ...; +``` ### Implementing charger {#charger}
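Review bot: The parenthetical opened in the added "Example (assuming that your health AIDL service runs in domain `hal_health_tuna`:" line is never closed. Add the closing ")" before the colon. In the second added paragraph, "the aforementioned SELinux rules and types has already been defined" should read "have already been defined". On the example itself: it declares `hal_health_tuna_exec` but shows nothing that ties that type to the `hal_health_tuna` domain. Consider a line or a sentence saying that the service binary still has to be labelled with it in `file_contexts` and that the domain transition (for example `init_daemon_domain(hal_health_tuna)`) has to be declared, so that readers do not take the three lines as a complete policy. The two `# allow ... ...;` placeholders would also be more useful with a short remark that only the permissions the device-specific `libhealthd` or storage code actually needs should be granted.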