1type fsverity_init, domain, coredomain; 2type fsverity_init_exec, exec_type, file_type, system_file_type; 3 4init_daemon_domain(fsverity_init) 5 6# Allow to read /proc/keys for searching key id. 7allow fsverity_init proc_keys:file r_file_perms; 8 9# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys. 10dontaudit fsverity_init domain:key view; 11allow fsverity_init kernel:key { view search write setattr }; 12allow fsverity_init fsverity_init:key { view search write }; 13 14# Read the on-device signing certificate, to be able to add it to the keyring 15allow fsverity_init odsign:fd use; 16allow fsverity_init odsign_data_file:file { getattr read }; 17 18# When kernel requests an algorithm, the crypto API first looks for an 19# already registered algorithm with that name. If it fails, the kernel creates 20# an implementation of the algorithm from templates. 21dontaudit fsverity_init kernel:system module_request; 22