From b23d2876815ba214024895fa28c3e6bbd3cfbc40 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 8 Jan 2014 11:47:00 -0800
Subject: [PATCH] Allow keystore to talk to the tee

On manta, the keystore CTS tests are failing, because
keystore isn't allowed to talk to the tee. Allow it.

I've only seen this bug on manta, but it seems appropriate
for all domains.

Fixes the following denial:

<5>[  286.249563] type=1400 audit(1389210059.924:6): avc:  denied  { connectto } for  pid=126 comm="keystore" path=006D636461656D6F6E scontext=u:r:keystore:s0 tcontext=u:r:tee:s0 tclass=unix_stream_socket

Bug: 12450710
Change-Id: I07133d9abeaf967392118ba478a5a391cf0c5fa5
---
 keystore.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/keystore.te b/keystore.te
index 3b5ac3f69..f89504fbc 100644
--- a/keystore.te
+++ b/keystore.te
@@ -10,3 +10,4 @@ allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
 allow keystore tee_device:chr_file rw_file_perms;
+allow keystore tee:unix_stream_socket connectto;
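Review bot: The new `allow keystore tee:unix_stream_socket connectto;` line carries no comment, so the reason keystore may reach the tee domain is recorded only in the commit message. The `path=006D636461656D6F6E` in the quoted denial decodes to a NUL byte followed by `mcdaemon`, i.e. an abstract-namespace socket. That would explain why no `sock_file` rule accompanies it, and it is worth stating in the policy, for example `# keystore connects to the tee daemon's abstract socket (seen as "mcdaemon" on manta).` The rule is keyed on the `tee` domain, so it permits connecting to any stream socket a `tee` process listens on, not only this one. The denial was observed on a single device while the rule lands in what appears to be the shared `keystore.te`, so it would help to confirm that every device's `tee` domain is an intended peer for keystore.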
-- 
GitLab