Merge pull request #244 from dsugar100/master

policy/modules/kernel/domain.if

@@ -1487,6 +1487,32 @@ interface(`domain_all_recvfrom_all_domains',`
 	corenet_all_recvfrom_labeled($1, domain)
 ')
 
+########################################
+## <summary>
+##	Allow all domains to search specified type keys.
+## </summary>
+## <desc>
+##	<p>
+##	When setting up IMA/EVM key(s) are added to the 
+##	kernel keyring but the type of the key is the domain
+##	adding the key.  This interface will allow all domains
+##	search the key so IMA/EVM validation can happen.
+##	</p>
+## </desc>
+## <param name="type">
+##	<summary>
+##	Type of key to be searched.
+##	</summary>
+## </param>
+#
+interface(`domain_public_key',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow domain $1:key search;
+')
+
 ########################################
 ## <summary>
 ##	Send generic signals to the unconfined domain.

policy/modules/kernel/kernel.if

@@ -491,6 +491,24 @@ interface(`kernel_dontaudit_view_key',`
 	dontaudit $1 kernel_t:key view;
 ')
 
+########################################
+## <summary>
+##	allow write access to the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow.
+##	</summary>
+## </param>
+#
+interface(`kernel_write_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:key write;
+')
+
 ########################################
 ## <summary>
 ##	Allows caller to read the ring buffer.