private/fsverity_init.te - LeafOS-Project/android_system_sepolicy - Gitiles

 type fsverity_init, domain, coredomain;
 type fsverity_init_exec, exec_type, file_type, system_file_type;

 init_daemon_domain(fsverity_init)

 # Allow to read /proc/keys for searching key id.
 allow fsverity_init proc_keys:file r_file_perms;

 # Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
 dontaudit fsverity_init domain:key view;
 allow fsverity_init kernel:key { view search write setattr };
 allow fsverity_init fsverity_init:key { view search write };

 # Read the on-device signing certificate, to be able to add it to the keyring
 allow fsverity_init odsign:fd use;
 allow fsverity_init odsign_data_file:file { getattr read };
	type fsverity_init, domain, coredomain;
	type fsverity_init_exec, exec_type, file_type, system_file_type;

	init_daemon_domain(fsverity_init)

	# Allow to read /proc/keys for searching key id.
	allow fsverity_init proc_keys:file r_file_perms;

	# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
	dontaudit fsverity_init domain:key view;
	allow fsverity_init kernel:key { view search write setattr };
	allow fsverity_init fsverity_init:key { view search write };

	# Read the on-device signing certificate, to be able to add it to the keyring
	allow fsverity_init odsign:fd use;
	allow fsverity_init odsign_data_file:file { getattr read };