From d4731ad8c78aade225aa7513332f546a603ddb53 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 22 Oct 2014 11:13:17 -0400
Subject: [PATCH] Remove -kernel -recovery from keystore_data_file neverallow.

Aside from the keystore daemon itself, only init needs any access
to keystore_data_file (in order to create and potentially restorecon
/data/misc/keystore).  The exceptions for the kernel and recovery domains
are unnecessary; no allow rule permits this access in current policy.

Change-Id: I5cf6f29ec08174017ac8f5fb36fef166ce360ca0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 keystore.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/keystore.te b/keystore.te
index f2c5039b0..700b99ba0 100644
--- a/keystore.te
+++ b/keystore.te
@@ -21,8 +21,8 @@ allow keystore tee:unix_stream_socket connectto;
 neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
 neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
 
-neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
-neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
+neverallow { domain -keystore -init } keystore_data_file:dir *;
+neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
 
 neverallow domain keystore:process ptrace;
 
-- 
GitLab