move assert.te here

refpolicy/policy/modules/kernel/kernel.te

@@ -55,6 +55,14 @@ neverallow ~can_load_policy security_t:security load_policy;
 neverallow ~can_setenforce security_t:security setenforce;
 neverallow ~can_setsecparam security_t:security setsecparam;
 
+# enabling dyntransition breaks process tranquility.  If you dont
+# know what this means or dont understand the implications of a
+# dynamic transition, you shouldnt be using it!!!
+neverallow * *:process { setcurrent dyntransition };
+
+attribute can_load_kernmodule;
+neverallow ~can_load_kernmodule *:capability sys_module;
+
 ########################################
 #
 # sysfs_t is the type for /sys