;
; Objects are the resources in the system. They answer the question of
; what is being accessed when policy rules are checked.
;

; Files shipped with the OS.
(type os_t)
(roletype object_r os_t)
(context os (system_u object_r os_t s0))

; Executable files for PID 1 such as /sbin/init.
(type init_exec_t)
(roletype object_r init_exec_t)
(context init_exec (system_u object_r init_exec_t s0))

; Executable files for the API such as /usr/bin/apiserver.
(type api_exec_t)
(roletype object_r api_exec_t)
(context api_exec (system_u object_r api_exec_t s0))

; Executable files for NTP daemons such as /usr/sbin/chronyd.
(type clock_exec_t)
(roletype object_r clock_exec_t)
(context clock_exec (system_u object_r clock_exec_t s0))

; Executable files for network daemons such as /usr/sbin/wickedd.
(type network_exec_t)
(roletype object_r network_exec_t)
(context network_exec (system_u object_r network_exec_t s0))

; Executable files for message bus daemons such as
; /usr/bin/dbus-broker-launch.
(type bus_exec_t)
(roletype object_r bus_exec_t)
(context bus_exec (system_u object_r bus_exec_t s0))

; Executable files for container runtimes such as /usr/sbin/runc.
(type runtime_exec_t)
(roletype object_r runtime_exec_t)
(context runtime_exec (system_u object_r runtime_exec_t s0))

; Executable files for managing mounts such as /usr/bin/mount.
(type mount_exec_t)
(roletype object_r mount_exec_t)
(context mount_exec (system_u object_r mount_exec_t s0))

; Executable CNI plugins.
(type cni_exec_t)
(roletype object_r cni_exec_t)
(context cni_exec (system_u object_r cni_exec_t s0))

; Files under /proc.
(type proc_t)
(roletype object_r proc_t)
(context proc (system_u object_r proc_t s0))

; Files where we have no specific policy objectives, such as
; tmpfs mounts and various kernel filesystems.
(type any_t)
(roletype object_r any_t)
(context any (system_u object_r any_t s0))

; Files for system configuration.
(type etc_t)
(roletype object_r etc_t)
(context etc (system_u object_r etc_t s0))

; Files created on local storage.
(type local_t)
(roletype object_r local_t)
(context local (system_u object_r local_t s0))

; The "external_t" and "unlabeled_t" types were removed to simplify
; the policy. Add aliases for backwards compatibility.
(typealias external_t)
(typealias unlabeled_t)
(typealiasactual external_t local_t)
(typealiasactual unlabeled_t local_t)

; Files created by containers, or on their behalf.
(type data_t)
(roletype object_r data_t)
(context data (system_u object_r data_t s0))

; Alias "container_file_t" to "local_t" for compatibility with the
; container-selinux policy. Ideally it would be aliased to `data_t`
; but then kubelet applies the wrong label to plugin directories.
(typealias container_file_t)
(typealiasactual container_file_t local_t)

; Files for the API components.
(type private_t)
(roletype object_r private_t)
(context private (system_u object_r private_t s0))

; Files that are the API socket.
(type api_socket_t)
(roletype object_r api_socket_t)
(context api_socket (system_u object_r api_socket_t s0))

; Files for cached container layers.
(type cache_t)
(roletype object_r cache_t)
(context cache (system_u object_r cache_t s0))

; Alias "container_ro_file_t" to "cache_t" for compatibility with
; the container-selinux policy.
(typealias container_ro_file_t)
(typealiasactual container_ro_file_t cache_t)

; Files for saved DHCP leases.
(type lease_t)
(roletype object_r lease_t)
(context lease (system_u object_r lease_t s0))

; Files for saved clock measurements.
(type measure_t)
(roletype object_r measure_t)
(context measure (system_u object_r measure_t s0))

; Files for saved system state.
(type state_t)
(roletype object_r state_t)
(context state (system_u object_r state_t s0))

; Files for saved system secrets.
(type secret_t)
(roletype object_r secret_t)
(context secret (system_u object_r secret_t s0))

; Dynamic objects are files on temporary storage with special rules.
(typeattribute dynamic_o)
(typeattributeset dynamic_o (etc_t))

; Shared objects are files on local storage for containers.
(typeattribute shared_o)
(typeattributeset shared_o (local_t data_t cni_exec_t))

; Unshared objects are all other files.
(typeattribute unshared_o)
(typeattributeset unshared_o (xor (all_o) (shared_o)))

; Constrained objects are files where MCS constraints apply.
(typeattribute constrained_o)
(typeattributeset constrained_o (data_t))

; Unconstrained objects are not affected by MCS constraints.
(typeattribute unconstrained_o)
(typeattributeset unconstrained_o (xor (all_o) (constrained_o)))

; Protected objects are files on local storage with special rules.
(typeattribute protected_o)
(typeattributeset protected_o (
  cache_t private_t lease_t measure_t secret_t state_t))

; Restricted objects are files that cannot be read by all processes.
(typeattribute restricted_o)
(typeattributeset restricted_o (private_t secret_t))

; Immutable objects reside on read-only storage.
(typeattribute immutable_o)
(typeattributeset immutable_o (
  os_t init_exec_t api_exec_t clock_exec_t
  network_exec_t bus_exec_t runtime_exec_t
  mount_exec_t))

; Mutable objects are all other files.
(typeattribute mutable_o)
(typeattributeset mutable_o (xor (all_o) (immutable_o)))

; Ephemeral objects reside on tmpfs filesystems.
(typeattribute ephemeral_o)
(typeattributeset ephemeral_o (any_t proc_t))

; The set of all objects.
(typeattribute all_o)
(typeattributeset all_o (
  os_t init_exec_t api_exec_t clock_exec_t
  network_exec_t bus_exec_t runtime_exec_t
  mount_exec_t cni_exec_t
  any_t etc_t proc_t
  local_t data_t private_t secret_t cache_t
  lease_t measure_t state_t
  api_socket_t))