policy_module(selinux,1.0)

########################################
#
# Declarations
#

attribute can_load_policy;
attribute can_setenforce;
attribute can_setsecparam;

# 
# security_t is the target type when checking
# the permissions in the security class.  It is also
# applied to selinuxfs inodes.
#
type security_t;
fs_type(security_t)
sid security context_template(system_u:object_r:security_t,s0)
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)

neverallow ~can_load_policy security_t:security load_policy;
neverallow ~can_setenforce security_t:security setenforce;
neverallow ~can_setsecparam security_t:security setsecparam;