1 type keystore, domain; 2 type keystore_exec, exec_type, file_type; 3 4 # keystore daemon 5 init_daemon_domain(keystore) 6 typeattribute keystore mlstrustedsubject; 7 binder_use(keystore) 8 binder_service(keystore) 9 allow keystore keystore_data_file:dir create_dir_perms; 10 allow keystore keystore_data_file:notdevfile_class_set create_file_perms; 11 allow keystore keystore_exec:file { getattr }; 12 allow keystore tee_device:chr_file rw_file_perms; 13 allow keystore tee:unix_stream_socket connectto; 14 15 ### 16 ### Neverallow rules 17 ### 18 ### Protect ourself from others 19 ### 20 21 neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto }; 22 neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr }; 23 24 neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *; 25 neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *; 26 27 neverallow domain keystore:process ptrace; 28 29 allow keystore keystore_service:service_manager add; 30 31 # Check SELinux permissions. 32 selinux_check_access(keystore) 33
