Blame - kernel.te - fp2-dev/platform/external/sepolicy

blob: 88ebc50924d0f7e6eb52ef8b6a4d327293f09b47 [file] [log] [blame]

Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	1	# Life begins with the kernel.
				2	type kernel, domain;
Nick Kralevich	fed8a2a	2014-01-24 20:43:07 -0800	[diff] [blame]	3
				4	allow kernel init:process dyntransition;
				5
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	6	# The kernel is unconfined.
				7	unconfined_domain(kernel)
Nick Kralevich	0c9708b	2013-07-10 14:46:05 -0700	[diff] [blame]	8	relabelto_domain(kernel)
				9
				10	allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
Geremy Condra	217f8af	2013-09-05 15:36:30 -0700	[diff] [blame]	11	allow kernel unlabeled:filesystem mount;
Stephen Smalley	b081cc1	2014-02-10 13:29:38 -0500	[diff] [blame]	12	allow kernel fs_type:filesystem *;
Stephen Smalley	fea6e66	2013-12-06 08:05:53 -0500	[diff] [blame]	13
				14	# Initial setenforce by init prior to switching to init domain.
				15	allow kernel self:security setenforce;
Stephen Smalley	8b51674	2014-01-08 09:29:30 -0500	[diff] [blame]	16
				17	# Set checkreqprot by init.rc prior to switching to init domain.
				18	allow kernel self:security setcheckreqprot;
Stephen Smalley	5487ca0	2014-02-10 16:31:04 -0500	[diff] [blame]	19
				20	# For operations performed by kernel or init prior to switching to init domain.
				21	## TODO: Investigate whether it is safe to remove these
				22	allow kernel self:capability { sys_rawio mknod };
				23	auditallow kernel self:capability { sys_rawio mknod };
Stephen Smalley	3f40d4f	2014-02-11 14:40:14 -0500	[diff] [blame]	24	allow kernel dev_type:blk_file rw_file_perms;
				25	auditallow kernel dev_type:blk_file rw_file_perms;