# Block-device access granted to the `kernel` domain.

# Let the kernel traverse (search) directories labelled block_device.
# Only `search` is granted here; no directory listing or modification.
allow kernel block_device:dir search;

# Read/write access to block nodes labelled debug_block_device.
# rw_file_perms is a permission-set macro defined outside this view.
# NOTE(review): this is the only write-capable grant of the three and it
# targets a debug-labelled device. Confirm it is meant to ship in production
# policy; if this is an AOSP-style tree, consider whether it belongs inside a
# debug-build-only guard such as userdebug_or_eng().
allow kernel debug_block_device:blk_file rw_file_perms;

# Read-only access to block nodes labelled tmpfs or system_block_device.
# Only `read` is granted (no open/getattr/write).
# NOTE(review): tmpfs is a generic label, so this covers any block node that
# carries it. Confirm which nodes are expected to have that label, and whether
# a dedicated type would let this rule be narrowed.
allow kernel { tmpfs system_block_device }:blk_file read;