##
# trusted execution environment (tee) daemon
#
type tee_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(tee)

allow tee self:global_capability_class_set { dac_override };
allow tee tee_device:chr_file rw_file_perms;
allow tee tee_data_file:dir create_dir_perms;
allow tee tee_data_file:file create_file_perms;
allow tee self:netlink_socket create_socket_perms_no_ioctl;
allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
allow tee ion_device:chr_file r_file_perms;
r_dir_file(tee, sysfs_type)

allow tee system_data_file:file { getattr read };
allow tee system_data_file:lnk_file { getattr read };
allow tee property_socket:sock_file { write };
allow tee init:unix_stream_socket { connectto };
allow tee vendor_default_prop:property_service { set };
allow tee vendor_data_file:dir { open create write read add_name };
allow tee vendor_data_file:file { open create write read };
allow tee unlabeled:dir { open create getattr search write read add_name };
allow tee unlabeled:file { open create write read };