# SELinux policy for the Android keystore daemon.
# Declares the keystore process domain and its executable label, grants the
# daemon what it needs (its data directory, binder, the TEE), and pins the
# isolation of keystore_data_file with compile-time neverallow rules.

# Process domain of the keystore daemon (member of the `domain` attribute).
type keystore, domain;
# Label of the keystore executable on disk.
type keystore_exec, exec_type, file_type;

# keystore daemon
# Standard daemon setup: transition into the keystore domain when init
# launches keystore_exec (macro defined outside this file).
init_daemon_domain(keystore)
# Adds keystore to the mlstrustedsubject attribute; in the base policy this
# attribute exempts a domain from MLS constraints.
typeattribute keystore mlstrustedsubject;
# Binder IPC: keystore is both a binder client and a binder service
# (macros defined outside this file).
binder_use(keystore)
binder_service(keystore)
# Full control over its own persistent state: directories and non-device
# files labeled keystore_data_file.
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
# Only getattr on its own binary; no write/relabel of the executable.
allow keystore keystore_exec:file { getattr };
# Access to the trusted execution environment: the TEE device node and a
# unix stream socket to the tee domain (hardware-backed key operations are
# presumably brokered through these -- confirm against the TEE integration).
allow keystore tee_device:chr_file rw_file_perms;
allow keystore tee:unix_stream_socket connectto;

###
### Neverallow rules
###
### Protect ourselves from others
###

# No domain other than keystore may ever be granted more than
# { open create read getattr setattr search relabelto } on keystore_data_file
# directories; every other dir permission (write, add_name, remove_name,
# rename, rmdir, ...) is rejected when the policy is compiled.
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
# For keystore_data_file files (notdevfile_class_set) the allowance for other
# domains is narrower still: only relabelto and getattr.
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };

# Tighten the two rules above further: apart from keystore itself, only init,
# kernel and recovery may be granted *any* permission on keystore_data_file.
# So the limited read/relabel set above exists solely for those three domains.
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;

# No domain at all (the subject is the unqualified `domain` attribute, so this
# includes keystore itself) may ptrace the keystore process; keeps key
# material from being read out of the daemon's memory via a debugger.
neverallow domain keystore:process ptrace;

# Register the keystore_service name with servicemanager.
allow keystore keystore_service:service_manager add;

# Check SELinux permissions.
# Lets the daemon query SELinux access decisions for its callers
# (macro defined outside this file).
selinux_check_access(keystore)