# Life begins with the kernel.
#
# Early userspace (init, before it switches domains) also runs here: the
# allow rules in this file are the operations init must perform while it is
# still in the kernel domain. The neverallow at the end of the file makes
# this a one-way door -- nothing is ever permitted to transition back into
# kernel.
type kernel, domain;

# setcon to init domain.
# A setcon() by init needs both halves: setcurrent on the calling process
# and dyntransition from the kernel domain into the init domain.
allow kernel self:process setcurrent;
allow kernel init:process dyntransition;

# The kernel is unconfined.
# NOTE(review): unconfined_domain() is a macro defined elsewhere in the
# policy; what it grants, and which global neverallow rules still bound it,
# is not visible in this file. Confirm against its definition before relying
# on it to cover anything the explicit rules below do not list.
unconfined_domain(kernel)

# cgroup filesystem initialization prior to setting the cgroup root directory label.
# (The cgroup root directory still carries the unlabeled type at that point.)
allow kernel unlabeled:dir search;

# Mount usbfs.
allow kernel usbfs:filesystem mount;

# init direct restorecon calls prior to switching to init domain
# A relabel needs relabelfrom on the old type and relabelto on the new one.
# Only the relabelto half is listed for /dev and /dev/__properties__ below;
# the matching relabelfrom on their original labels must come from
# elsewhere (unconfined_domain(), presumably) -- TODO confirm.
# /dev and /dev/socket
allow kernel { device socket_device }:dir relabelto;
# /dev/__properties__
allow kernel properties_device:file relabelto;
# /sys
# sysfs_type is declared elsewhere; presumably the attribute grouping the
# labels applied under /sys -- verify against the attribute declarations.
allow kernel sysfs:{ dir file lnk_file } relabelfrom;
allow kernel sysfs_type:{ dir file lnk_file } relabelto;

# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
# dontaudit never grants anything; it only suppresses the audit record for
# the denial. The initial setenforce presumably succeeds because it happens
# before enforcing mode is switched on; once enforcing, the same request
# from this domain is denied (and, because of the dontaudit, not logged).
dontaudit kernel self:security setenforce;

# Set checkreqprot by init.rc prior to switching to init domain.
# NOTE(review): unlike setenforce above, this is a real allow, so it is not
# limited to the pre-switch window -- any task still in the kernel domain
# could change checkreqprot later. Confirm that is intended.
allow kernel self:security setcheckreqprot;

###
### neverallow rules
###

# The initial task starts in the kernel domain (assigned via
# initial_sid_contexts), but nothing ever transitions to it.
# This is a build-time assertion checked by the policy compiler over the
# whole policy, not a runtime rule. Because kernel itself is declared with
# the domain attribute above, it also covers kernel -> kernel
# dyntransition; the only direction granted in this file is kernel -> init.
neverallow domain kernel:process { transition dyntransition };