Protect keystore's files. Only keystore itself should be reading / writing it's files. Remove keystore file access from other SELinux domains, including unconfined. Add neverallow rules to protect against regressions. Allow init limited access to recurse into keystore's directory. Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf

commit: cd905ec04e6db7f9116afe05c95c0d5e387e5b15 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Thu May 08 23:28:52 2014 -0700
committer: Nick Kralevich <nnk@google.com> Fri May 09 10:14:56 2014 -0700
tree: 5a19bf4e478a83d30033cd4da68c687fc11e10b8
parent: 1e9bb8be0f492d106940b3ac96aadcf196bc1420 [diff] [blame]
diff --git a/init.te b/init.te
index c05faba..68eab2e 100644
--- a/init.te
+++ b/init.te

@@ -23,3 +23,8 @@
 allow init shell:process transition;
 allow init ueventd:process transition;
 allow init watchdogd:process transition;
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };
commit	cd905ec04e6db7f9116afe05c95c0d5e387e5b15	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Thu May 08 23:28:52 2014 -0700
committer	Nick Kralevich <nnk@google.com>	Fri May 09 10:14:56 2014 -0700
tree	5a19bf4e478a83d30033cd4da68c687fc11e10b8
parent	1e9bb8be0f492d106940b3ac96aadcf196bc1420 [diff] [blame]