; Security identifiers (SIDs) are opaque references to contexts.
; Initial SIDs (ISIDs) are used for initialization and to label
; fixed objects. The list of ISIDs is defined by the kernel:
;   security/selinux/include/initial_sid_to_string.h
(sid kernel)
(sid security)
(sid unlabeled)
(sid fs)
(sid file)
(sid file_labels)
(sid init)
(sid any_socket)
(sid port)
(sid netif)
(sid netmsg)
(sid node)
(sid igmp_packet)
(sid icmp_socket)
(sid tcp_socket)
(sid sysctl_modprobe)
(sid sysctl)
(sid sysctl_fs)
(sid sysctl_kernel)
(sid sysctl_net)
(sid sysctl_net_unix)
(sid sysctl_vm)
(sid sysctl_dev)
(sid kmod)
(sid policy)
(sid scmp_packet)
(sid devnull)

; The order of ISIDs must match the kernel's order, for now.
(sidorder (
   kernel security unlabeled fs file file_labels init any_socket port
   netif netmsg node igmp_packet icmp_socket tcp_socket sysctl_modprobe
   sysctl sysctl_fs sysctl_kernel sysctl_net sysctl_net_unix sysctl_vm
   sysctl_dev kmod policy scmp_packet devnull))

; Apply the "kernel" context for kernel and SELinux-related entities.
(sidcontext kernel kernel)
(sidcontext security kernel)
(sidcontext devnull kernel)

; Apply the "local" context for entities with an invalid context, and
; for files with no context at all, which are treated the same.
(sidcontext unlabeled local)
(sidcontext file local)

; Apply the "any" context for entities like sockets, ports, and
; network interfaces if they are otherwise unlabeled.
(sidcontext any_socket any)
(sidcontext port any)
(sidcontext netif any)
(sidcontext netmsg any)
(sidcontext node any)