# kernel.te: type enforcement rules for the domain the kernel runs in.
type kernel, domain;

# The kernel domain carries whatever the unconfined_domain macro grants
# (macro defined elsewhere in the policy).
unconfined_domain(kernel)

# Handoff to init: the kernel changes its own context and dynamically
# transitions into the init domain.
allow kernel self:process setcurrent;
allow kernel init:process dyntransition;

# Filesystem rights: full filesystem permissions on fs_type, mounting of
# filesystems that carry no label, and relabeling of directories/files
# on filesystem, device and (most) file types.
allow kernel fs_type:filesystem *;
allow kernel unlabeled:filesystem mount;
allow kernel fs_type:dir_file_class_set relabelto;
allow kernel dev_type:dir_file_class_set relabelto;
# system_file and exec_type are deliberately excluded from the relabel set.
allow kernel {file_type -system_file -exec_type}:dir_file_class_set relabelto;

# init issues the initial setenforce while still in the kernel domain.
# dontaudit (not allow) is used on purpose: the access is denied silently,
# so a userspace process spawned by the kernel cannot disable SELinux
# once it has been enabled, while the expected early denial stays out
# of the audit log.
dontaudit kernel self:security setenforce;

# init.rc sets checkreqprot before the switch to the init domain.
allow kernel self:security setcheckreqprot;