type keystore, domain; type keystore_exec, exec_type, file_type; # keystore daemon init_daemon_domain(keystore) typeattribute keystore mlstrustedsubject; binder_use(keystore) binder_service(keystore) allow keystore keystore_data_file:dir create_dir_perms; allow keystore keystore_data_file:notdevfile_class_set create_file_perms; allow keystore keystore_exec:file { getattr }; allow keystore tee_device:chr_file rw_file_perms; allow keystore tee:unix_stream_socket connectto; ### ### Neverallow rules ### ### Protect ourself from others ### neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto }; neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr }; neverallow { domain -keystore -init } keystore_data_file:dir *; neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *; neverallow domain keystore:process ptrace; allow keystore keystore_service:service_manager add; # Audited locally. service_manager_local_audit_domain(keystore) auditallow keystore { service_manager_type -keystore_service }:service_manager find; # Check SELinux permissions. selinux_check_access(keystore)