From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 28 Dec 2016 16:45:11 +0100
Subject: [refpolicy] [PATCH] kernel: never run in unconfined mode
Message-ID: <1482939911.3268.1.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Update the kernel module so that it always runs in confined mode
and never runs in unconfined mode for maximum security.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/kernel.te |    4 ----
 1 file changed, 4 deletions(-)

diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
--- a/policy/modules/kernel/kernel.te	2016-12-27 22:41:00.664390360 +0100
+++ b/policy/modules/kernel/kernel.te	2016-12-28 16:37:35.176698945 +0100
@@ -441,10 +441,6 @@ optional_policy(`
 	seutil_domtrans_setfiles(kernel_t)
 ')
 
-optional_policy(`
-	unconfined_domain_noaudit(kernel_t)
-')
-
 ########################################
 #
 # Unlabeled process local policy