cdae7debe6
We added these rules to the kernel domain when we removed them from unconfined to ensure that we did not break anything. But we have seen no uses of these rules and this matches our expectation that any actual operations that require these permissions occurs after switching to the init domain. Change-Id: I6f3556a26b0f6f4e6effcb874bfc9498e7dfaa47 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
19 lines
639 B
Text
19 lines
639 B
Text
# Life begins with the kernel.
|
|
type kernel, domain;
|
|
|
|
allow kernel init:process dyntransition;
|
|
|
|
# The kernel is unconfined.
|
|
unconfined_domain(kernel)
|
|
|
|
allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
|
|
allow kernel unlabeled:filesystem mount;
|
|
allow kernel fs_type:filesystem *;
|
|
|
|
# Initial setenforce by init prior to switching to init domain.
|
|
# We use dontaudit instead of allow to prevent a kernel spawned userspace
|
|
# process from turning off SELinux once enabled.
|
|
dontaudit kernel self:security setenforce;
|
|
|
|
# Set checkreqprot by init.rc prior to switching to init domain.
|
|
allow kernel self:security setcheckreqprot;
|