Author | Commit | Date | Line | Content
--- | --- | --- | --- | ---
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | 1 | `# Life begins with the kernel.`
 | | | 2 | `type kernel, domain;`
Nick Kralevich | fed8a2a | 2014-01-24 20:43:07 -0800 | 3 | 
 | | | 4 | `allow kernel init:process dyntransition;`
 | | | 5 | 
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | 6 | `# The kernel is unconfined.`
 | | | 7 | `unconfined_domain(kernel)`
Nick Kralevich | 0c9708b | 2013-07-10 14:46:05 -0700 | 8 | `relabelto_domain(kernel)`
 | | | 9 | 
 | | | 10 | `allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;`
Geremy Condra | 217f8af | 2013-09-05 15:36:30 -0700 | 11 | `allow kernel unlabeled:filesystem mount;`
Stephen Smalley | b081cc1 | 2014-02-10 13:29:38 -0500 | 12 | `allow kernel fs_type:filesystem *;`
Stephen Smalley | fea6e66 | 2013-12-06 08:05:53 -0500 | 13 | 
 | | | 14 | `# Initial setenforce by init prior to switching to init domain.`
 | | | 15 | `allow kernel self:security setenforce;`
Stephen Smalley | 8b51674 | 2014-01-08 09:29:30 -0500 | 16 | 
 | | | 17 | `# Set checkreqprot by init.rc prior to switching to init domain.`
 | | | 18 | `allow kernel self:security setcheckreqprot;`
Stephen Smalley | 5487ca0 | 2014-02-10 16:31:04 -0500 | 19 | 
 | | | 20 | `# For operations performed by kernel or init prior to switching to init domain.`
 | | | 21 | `## TODO: Investigate whether it is safe to remove these`
 | | | 22 | `allow kernel self:capability { sys_rawio mknod };`
 | | | 23 | `auditallow kernel self:capability { sys_rawio mknod };`
Stephen Smalley | 3f40d4f | 2014-02-11 14:40:14 -0500 | 24 | `allow kernel dev_type:blk_file rw_file_perms;`
 | | | 25 | `auditallow kernel dev_type:blk_file rw_file_perms;`