kernel.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # Life begins with the kernel.
 type kernel, domain;

 allow kernel init:process dyntransition;

 # The kernel is unconfined.
 unconfined_domain(kernel)
 relabelto_domain(kernel)

 allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow kernel unlabeled:filesystem mount;
 allow kernel fs_type:filesystem *;

 # Initial setenforce by init prior to switching to init domain.
 allow kernel self:security setenforce;

 # Set checkreqprot by init.rc prior to switching to init domain.
 allow kernel self:security setcheckreqprot;

 # For operations performed by kernel or init prior to switching to init domain.
 ## TODO: Investigate whether it is safe to remove these
 allow kernel self:capability { sys_rawio mknod };
 auditallow kernel self:capability { sys_rawio mknod };
 allow kernel dev_type:blk_file rw_file_perms;
 auditallow kernel dev_type:blk_file rw_file_perms;
	# Life begins with the kernel.
	type kernel, domain;

	allow kernel init:process dyntransition;

	# The kernel is unconfined.
	unconfined_domain(kernel)
	relabelto_domain(kernel)

	allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
	allow kernel unlabeled:filesystem mount;
	allow kernel fs_type:filesystem *;

	# Initial setenforce by init prior to switching to init domain.
	allow kernel self:security setenforce;

	# Set checkreqprot by init.rc prior to switching to init domain.
	allow kernel self:security setcheckreqprot;

	# For operations performed by kernel or init prior to switching to init domain.
	## TODO: Investigate whether it is safe to remove these
	allow kernel self:capability { sys_rawio mknod };
	auditallow kernel self:capability { sys_rawio mknod };
	allow kernel dev_type:blk_file rw_file_perms;
	auditallow kernel dev_type:blk_file rw_file_perms;