From 72a4745919f8eb2fae998450935ed1f1d0e3bb2a Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 29 Oct 2013 14:42:40 -0400
Subject: [PATCH] Confine tee, but leave it permissive for now.

Change-Id: Id69b1fe80746429a550448b9168ac7e86c38aa9f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 tee.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tee.te b/tee.te
index 1aae06ea0..c612821d4 100644
--- a/tee.te
+++ b/tee.te
@@ -2,9 +2,14 @@
 # trusted execution environment (tee) daemon
 #
 type tee, domain;
+permissive tee;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
-unconfined_domain(tee)
 init_daemon_domain(tee)
+allow tee self:capability { dac_override };
+allow tee tee_device:chr_file rw_file_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:file create_file_perms;
+allow tee self:netlink_socket { create bind read };
-- 
GitLab
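Review bot: `allow tee self:capability { dac_override };` lets the daemon bypass DAC permission checks on every object its type rules reach, and nothing in the hunk says why it is needed. If it is only there because the files labelled `tee_data_file` are owned by a different uid than the daemon runs as (not visible here), fixing ownership or mode where they are created would let the rule be dropped; otherwise a comment such as `# dac_override: <reason>` would help whoever audits this domain later. Because `permissive tee;` means none of the new allow rules are enforced yet, a short comment above it stating the exit condition (for example `# Remove once no tee denials are logged`) would keep the domain from staying permissive indefinitely.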