    Revisit kernel setenforce · abae8a9b
    Nick Kralevich authored
    Kernel userspace helpers may be spawned running in the kernel
    SELinux domain. Those userspace helpers shouldn't be able to turn
    SELinux off.
    
    This change revisits the discussion in
    https://android-review.googlesource.com/#/c/71184/
    
    At the time, we were debating whether or not to have an allow rule,
    or a dontaudit rule. Both have the same effect, as at the time we
    switch to enforcing mode, the kernel is in permissive and the operation
    will be allowed.
    
    Change-Id: If335a5cf619125806c700780fcf91f8602083824
kernel.te (978 B)
# Life begins with the kernel.
type kernel, domain;

allow kernel init:process dyntransition;

# The kernel is unconfined.
unconfined_domain(kernel)

allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow kernel unlabeled:filesystem mount;
allow kernel fs_type:filesystem *;

# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;

# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;

# For operations performed by kernel or init prior to switching to init domain.
## TODO: Investigate whether it is safe to remove these
allow kernel self:capability { sys_rawio mknod };
auditallow kernel self:capability { sys_rawio mknod };
allow kernel dev_type:blk_file rw_file_perms;
auditallow kernel dev_type:blk_file rw_file_perms;
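The commit message argues that `allow` and `dontaudit` behave identically while the kernel is still permissive, but diverge once enforcing mode is on. The following is an added example, not AOSP code and not an SELinux implementation: a toy model of the access decision that parses a constructed excerpt mirroring the rules in kernel.te (`parse_policy`, `decide` and `lint_setenforce` are names chosen here; real policy is compiled by checkpolicy and evaluated in the kernel, and macros such as `unconfined_domain` are ignored by this simplified grammar).

```python
"""Toy model of SELinux access-vector decisions, illustrating why the kernel
domain gets a dontaudit rule for self:security setenforce instead of allow.
Added example; not part of the AOSP sepolicy. The policy text is constructed
and only mirrors the rules shown in kernel.te."""
import re
from typing import NamedTuple

# Constructed policy excerpt (assumption: a simplified TE rule grammar with
# single permissions or braced permission sets; macros are ignored).
POLICY = """
# Initial setenforce by init prior to switching to init domain.
dontaudit kernel self:security setenforce;
allow kernel self:security setcheckreqprot;
allow kernel self:capability { sys_rawio mknod };
auditallow kernel self:capability { sys_rawio mknod };
"""

RULE_RE = re.compile(
    r"^(allow|dontaudit|auditallow)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;"
)


class Rule(NamedTuple):
    kind: str
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_policy(text):
    """Extract allow/dontaudit/auditallow rules; skip comments, types, macros."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        kind, src, tgt, cls, perms = m.groups()
        rules.append(Rule(kind, src, tgt, cls,
                          frozenset(perms.strip("{} ").split())))
    return rules


def _matches(rule, src, tgt, cls, perm):
    # 'self' as target means the source domain itself.
    target_ok = rule.target == tgt or (rule.target == "self" and src == tgt)
    return (rule.source == src and target_ok
            and rule.tclass == cls and perm in rule.perms)


def decide(rules, mode, src, tgt, cls, perm):
    """Return (permitted, logged) for one access check in the given mode."""
    def has(kind):
        return any(_matches(r, src, tgt, cls, perm)
                   for r in rules if r.kind == kind)

    if has("allow"):
        # Granted outright; an audit record appears only if auditallow asks.
        return True, has("auditallow")
    # No allow rule: permissive mode lets the operation through anyway,
    # enforcing mode denies it. Either way the event is logged unless a
    # dontaudit rule silences it.
    return mode == "permissive", not has("dontaudit")


def lint_setenforce(rules, permitted_sources=("init",)):
    """Flag allow rules that would let a domain other than init turn SELinux off."""
    return [r for r in rules
            if r.kind == "allow" and r.tclass == "security"
            and "setenforce" in r.perms
            and r.source not in permitted_sources]


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for mode in ("permissive", "enforcing"):
        print(mode, "setenforce ->",
              decide(rules, mode, "kernel", "kernel", "security", "setenforce"))
    print("lint findings:", lint_setenforce(rules))
```

Under the dontaudit rule the check returns (permitted=True, logged=False) in permissive mode and (permitted=False, logged=False) in enforcing mode, which is exactly the trade-off the commit message describes: init's early `setenforce` succeeds silently while the kernel is permissive, but a kernel-spawned helper running in the same domain cannot flip enforcing mode off later. Swapping the rule for `allow` makes `decide` return permitted=True in both modes and makes `lint_setenforce` report it.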