| # Life begins with the kernel. |
| # Declares the kernel type and associates it with the domain attribute. |
| type kernel, domain; |
| |
| # setcon to init domain. |
| # setcurrent on self lets a process in the kernel domain change its own |
| # context; dyntransition names init as the target of that change. init is |
| # the only dynamic-transition target this file grants explicitly. |
| allow kernel self:process setcurrent; |
| allow kernel init:process dyntransition; |
| |
| # The kernel is unconfined. |
| # NOTE(review): unconfined_domain() is a macro defined outside this file, so |
| # the exact permissions it grants are not visible here. Review its definition |
| # together with the rules below; in particular confirm it does not itself |
| # allow self:security setenforce, which would defeat the dontaudit reasoning |
| # further down. |
| unconfined_domain(kernel) |
| |
| # cgroup filesystem initialization prior to setting the cgroup root directory label. |
| # Grants directory search only on unlabeled; no other permission is added here. |
| allow kernel unlabeled:dir search; |
| |
| # init direct restorecon calls prior to switching to init domain |
| # (init is still running in the kernel domain at that point, so the relabel |
| # permissions have to be granted to kernel). |
| # /dev and /dev/socket |
| allow kernel { device socket_device }:dir relabelto; |
| # /dev/__properties__ |
| allow kernel properties_device:file relabelto; |
| # /sys |
| # relabelfrom is limited to the sysfs type; relabelto accepts sysfs_type |
| # (presumably the attribute covering all sysfs labels; confirm where it is |
| # declared). |
| allow kernel sysfs:{ dir file lnk_file } relabelfrom; |
| allow kernel sysfs_type:{ dir file lnk_file } relabelto; |
| |
| # Initial setenforce by init prior to switching to init domain. |
| # We use dontaudit instead of allow to prevent a kernel spawned userspace |
| # process from turning off SELinux once enabled. |
| # dontaudit grants nothing: it only suppresses the denial record. The initial |
| # setenforce presumably succeeds because enforcement is not yet active when |
| # init issues it (TODO confirm). Once enforcing, this file gives the kernel |
| # domain no setenforce permission. |
| # NOTE(review): the same rule also silences later denied setenforce attempts |
| # from the kernel domain, so they leave no AVC record for monitoring. Decide |
| # whether that loss of visibility is acceptable. |
| dontaudit kernel self:security setenforce; |
| |
| # Set checkreqprot by init.rc prior to switching to init domain. |
| # Unlike setenforce above, this is a real allow, so the permission remains |
| # available to the kernel domain after enforcing mode is on. checkreqprot |
| # selects whether mmap/mprotect checks use the protection the application |
| # requested or the protection the kernel will actually apply. |
| # NOTE(review): confirm that leaving this settable by any process in the |
| # kernel domain is intended, given the concern stated for setenforce. |
| allow kernel self:security setcheckreqprot; |