Revert "Remove fsverity_init SELinux rules"
Revert submission 2662658-fsverity-init-cleanup
Reason for revert: Culprit for test breakage b/293232766
Reverted changes: /q/submissionid:2662658-fsverity-init-cleanup
Change-Id: I941c28e44890edd0e06dcc896fbd5158d34fded3
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
new file mode 100644
index 0000000..2e5089c
--- /dev/null
+++ b/private/fsverity_init.te
@@ -0,0 +1,21 @@
+type fsverity_init, domain, coredomain;
+type fsverity_init_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(fsverity_init)
+
+# Allow to read /proc/keys for searching key id.
+allow fsverity_init proc_keys:file r_file_perms;
+
+# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
+dontaudit fsverity_init domain:key view;
+allow fsverity_init kernel:key { view search write setattr };
+allow fsverity_init fsverity_init:key { view search write };
+
+# Read the on-device signing certificate, to be able to add it to the keyring
+allow fsverity_init odsign:fd use;
+allow fsverity_init odsign_data_file:file { getattr read };
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit fsverity_init kernel:system module_request;