; ; Subjects are the actors in the system. They answer the question of ; who is performing the access when policy rules are checked. ; ; Kernel threads. (type kernel_t) (roletype system_r kernel_t) (context kernel (system_u system_r kernel_t s0)) ; PID 1. (type init_t) (roletype system_r init_t) (context init (system_u system_r init_t s0)) ; Most processes that run outside of containers. (type system_t) (roletype system_r system_t) (context system (system_u system_r system_t s0)) ; Processes for managing mounts. (type mount_t) (roletype system_r mount_t) (context mount (system_u system_r mount_t s0)) ; Processes that back the API. (type api_t) (roletype system_r api_t) (context api (system_u system_r api_t s0)) ; Processes that run containers. (type runtime_t) (roletype system_r runtime_t) (context runtime (system_u system_r runtime_t s0)) ; Processes that manage network interfaces. (type network_t) (roletype system_r network_t) (context network (system_u system_r network_t s0)) ; Processes that manage the system clock. (type clock_t) (roletype system_r clock_t) (context clock (system_u system_r clock_t s0)) ; Processes that manage the system message bus. (type bus_t) (roletype system_r bus_t) (context bus (system_u system_r bus_t s0)) ; Processes that run inside containers. (type container_t) (roletype system_r container_t) (context container (system_u system_r container_t s0)) ; Processes that run inside containers that control the OS. (type control_t) (roletype system_r control_t) (context control (system_u system_r control_t s0)) ; Alias "spc_t" to "control_t" for compatibility with the ; container-selinux policy. (typealias spc_t) (typealiasactual spc_t control_t) ; Processes that run inside highly privileged containers. (type super_t) (roletype system_r super_t) (context admin (system_u system_r super_t s0)) ; The set of all subjects. (typeattribute all_s) (typeattributeset all_s ( kernel_t init_t system_t mount_t api_t network_t clock_t bus_t runtime_t container_t control_t super_t)) ; Subjects that are treated as a privileged part of the OS. (typeattribute privileged_s) (typeattributeset privileged_s (xor (all_s) (unprivileged_s))) ; Subjects that are treated as a trusted part of the OS. (typeattribute trusted_s) (typeattributeset trusted_s (xor (privileged_s) (control_t))) ; Subjects that are part of the OS, but confined through policy. (typeattribute confined_s) (typeattributeset confined_s (network_t clock_t bus_t)) ; Subjects that are not confined by policy. (typeattribute unconfined_s) (typeattributeset unconfined_s (xor (all_s) (confined_s))) ; Subjects that are not part of the OS. (typeattribute other_s) (typeattributeset other_s (container_t)) ; Subjects that are not treated as a privileged part of the OS. (typeattribute unprivileged_s) (typeattributeset unprivileged_s (confined_s other_s)) ; Subjects that are not treated as a trusted part of the OS. (typeattribute untrusted_s) (typeattributeset untrusted_s (xor (all_s) (trusted_s))) ; Subjects that are started from containers. (typeattribute container_s) (typeattributeset container_s (container_t control_t super_t)) ; Subjects that are shipped with the OS. (typeattribute host_s) (typeattributeset host_s (xor (all_s) (container_s))) ; Subjects that are allowed to manage the API datastore. (typeattribute api_s) (typeattributeset api_s (api_t super_t)) ; Subjects that are treated as container runtimes. (typeattribute runtime_s) (typeattributeset runtime_s (runtime_t super_t)) ; Subjects shipped with the OS that should only execute verified code. (typeattribute verified_s) (typeattributeset verified_s (xor (host_s) (runtime_t mount_t api_t))) ; Subjects that are allowed to manage the system clock. (typeattribute clock_s) (typeattributeset clock_s (clock_t system_t super_t)) ; Subjects that are allowed to manage network interfaces. (typeattribute network_s) (typeattributeset network_s (network_t system_t super_t control_t)) ; Subjects that are allowed to control system files. (typeattribute control_s) (typeattributeset control_s (control_t system_t super_t))