Update sepolicy/pawlet_device.te

sepolicy/pawlet_device.te

@@ -5,13 +5,17 @@ type pawlet_device_exec, exec_type, file_type, system_file_type;
 # Inherit from core domain
 typeattribute pawlet_device coredomain;
 
-# Property access
+# Property access - use proper macros ONLY
 get_prop(pawlet_device, vendor_default_prop)
 set_prop(pawlet_device, vendor_default_prop)
 
-# Framework interactions - use standard types
-allow pawlet_device system_file:file { read getattr };
-allow pawlet_device system_server:service_manager find;
+# Framework interactions - use proper macros
+# REMOVE direct service_manager access
+# allow pawlet_device system_server:service_manager find;
 
-# File access for properties
-allow pawlet_device vendor_default_prop:file { getattr open read map };
+# REMOVE all direct file access to properties
+# allow pawlet_device vendor_default_prop:file { getattr open read map };
+
+# If you need to interact with system services, use proper domains:
+allow pawlet_device system_server:binder { call transfer };
+allow pawlet_device servicemanager:binder { call transfer };