kernel.te

# Life begins with the kernel.
type kernel, domain;
# The kernel is unconfined.
unconfined_domain(kernel)
relabelto_domain(kernel)

allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow kernel unlabeled:filesystem mount;

# Initial setenforce by init prior to switching to init domain.
allow kernel self:security setenforce;