recovery_only(`

# Secure adb (setup_adbd)
allow adbd adb_keys_file:dir search;
allow recovery adb_keys_file:dir r_dir_perms;
allow recovery adb_keys_file:file r_file_perms;
allow recovery shell_prop:property_service set;

# Recovery dialogs
unix_socket_connect(recovery, vold, vold)
allow recovery tmpfs:sock_file create_file_perms;

# Read packages.xml
allow recovery system_data_file:file r_file_perms;

# Manage fstab and /adb_keys
allow recovery rootfs:file create_file_perms;
allow recovery rootfs:dir { write add_name };

# Read /data/media files and directories
allow recovery media_rw_data_file:dir r_dir_perms;
allow recovery media_rw_data_file:file r_file_perms;

# Control properties
allow recovery recovery_prop:property_service set;

')