platform_system_sepolicy/private/fsverity_init.te

type fsverity_init, domain, coredomain;
type fsverity_init_exec, exec_type, file_type, system_file_type;

init_daemon_domain(fsverity_init)

# Allow to read /proc/keys for searching key id.
allow fsverity_init proc_keys:file r_file_perms;

# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
dontaudit fsverity_init domain:key view;
allow fsverity_init kernel:key { view search write setattr };
allow fsverity_init fsverity_init:key { view search write };

# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };
Revert "Remove fsverity_init SELinux rules" Revert submission 2662658-fsverity-init-cleanup Reason for revert: Culprit for test breakage b/293232766 Reverted changes: /q/submissionid:2662658-fsverity-init-cleanup Change-Id: I941c28e44890edd0e06dcc896fbd5158d34fded3 2023-07-26 08:21:30 +02:00			`type fsverity_init, domain, coredomain;`
			`type fsverity_init_exec, exec_type, file_type, system_file_type;`

			`init_daemon_domain(fsverity_init)`

			`# Allow to read /proc/keys for searching key id.`
			`allow fsverity_init proc_keys:file r_file_perms;`

			`# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.`
			`dontaudit fsverity_init domain:key view;`
			`allow fsverity_init kernel:key { view search write setattr };`
			`allow fsverity_init fsverity_init:key { view search write };`

			`# Read the on-device signing certificate, to be able to add it to the keyring`
			`allow fsverity_init odsign:fd use;`
			`allow fsverity_init odsign_data_file:file { getattr read };`