Don't audit fsverity_init's view to domain:key
As with the existing dontaudit rules, fsverity_init shouldn't need to view
irrelevant keys.
Bug: 193474772
Test: m
Change-Id: I177bacdb89d0ed967cae84f109a5e841f2e7349f
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index 42d142f..e069233 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -6,9 +6,8 @@
# Allow to read /proc/keys for searching key id.
allow fsverity_init proc_keys:file r_file_perms;
-# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
-dontaudit fsverity_init init:key view;
-dontaudit fsverity_init vold:key view;
+# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
+dontaudit fsverity_init domain:key view;
allow fsverity_init kernel:key { view search write setattr };
allow fsverity_init fsverity_init:key { view search write };
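Review bot: The comment above `dontaudit fsverity_init domain:key view;` no longer says which keys are actually needed or why a wildcard over every domain is acceptable; the removed comment did ("only kernel keyring is needed here"). I would reword it to something like `# Reading /proc/keys triggers a view check on every key; only the kernel and fsverity_init keys are needed, so silence view denials for all other domains.` It is also worth stating that the suppression is limited to `view`, so `search`, `write` and `setattr` denials against other domains' keys are still logged and remain visible during triage. The trade-off is that an unexpected `view` attempt by fsverity_init on another domain's key will no longer appear in the audit log, which seems acceptable here but should be a recorded decision rather than an implicit one.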