Select Git revision
kernel.te 978 B
# Life begins with the kernel.
type kernel, domain;
allow kernel init:process dyntransition;
# The kernel is unconfined.
unconfined_domain(kernel)
allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow kernel unlabeled:filesystem mount;
allow kernel fs_type:filesystem *;
# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;
# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;
# For operations performed by kernel or init prior to switching to init domain.
## TODO: Investigate whether it is safe to remove these
allow kernel self:capability { sys_rawio mknod };
auditallow kernel self:capability { sys_rawio mknod };
allow kernel dev_type:blk_file rw_file_perms;
auditallow kernel dev_type:blk_file rw_file_perms;