From cdd83f4eaec5a7f8a923caaf5bef635397771ec4 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 29 Oct 2013 14:42:37 -0400
Subject: [PATCH] Confine keystore, but leave it permissive for now.

Change-Id: Ia92165478764b062e7e33e7741742f5ec8762ad9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 keystore.te | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/keystore.te b/keystore.te
index a7f4b4d64..a3aa4c8ad 100644
--- a/keystore.te
+++ b/keystore.te
@@ -1,6 +1,13 @@
 type keystore, domain;
+permissive keystore;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
 init_daemon_domain(keystore)
-unconfined_domain(keystore)
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+allow keystore tee_device:chr_file rw_file_perms;
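Review bot: The rule on `keystore_data_file:notdevfile_class_set` grants create permissions on more object classes than a key store obviously needs; in the stock macros (assuming this tree has not changed them) that set also covers symlinks, sockets and FIFOs. Because `permissive keystore;` only logs accesses that are denied, the permissive period will surface missing rules but will never flag an allow rule that is too broad. It would be safer to start with `allow keystore keystore_data_file:file create_file_perms;` and widen it only if the denial log shows another class is needed. The `typeattribute keystore mlstrustedsubject;` line also deserves a rationale, since it exempts the domain from MLS constraints, for example `# Needs to serve binder clients at any MLS level - TODO confirm`. A comment above the permissive line such as `# Temporary: remove once audit logs show no keystore denials` would record when enforcement is expected to begin.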
-- 
GitLab