Don't make kernel_t an unconfined domain
Unconfined domains are allowed to execute arbitrary files and most of
them without a transition. However, we would like to severely restrict
what binaries the kernel can execute and always force a transition to a
less privileged domain in order to mitigate privilege escalation
vulnerabilities via usermode helpers [1].

Fortunately, even without unconfined_domain_noaudit(), kernel_t is very
close to having all necessary permissions and all known missing ones
have already been added in previous commits. Previous commits also added
explicit transitions for all known usermode helpers, so we can now
simply remove the interface call that makes kernel_t an unconfined
domain and achieve the complete restriction to what binaries the kernel
can execute.

Note that this also requires adding domain_dyntrans_type() to
init_dyntrans() to avoid a neverallow rule violation.

After this patch, there are practically no files that kernel_t can
execute without a transition:

    $ sesearch -A -s kernel_t -p execute_no_trans
    allow domain prelink_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ fips_mode ]:True

And there is only a handful of domain transitions defined:

    $ sesearch -T -s kernel_t -c process
    type_transition kernel_t abrt_dump_oops_exec_t:process abrt_dump_oops_t;
    type_transition kernel_t abrt_helper_exec_t:process abrt_helper_t;
    type_transition kernel_t anaconda_exec_t:process anaconda_t;
    type_transition kernel_t bin_t:process kernel_generic_helper_t;
    type_transition kernel_t init_exec_t:process init_t;
    type_transition kernel_t kmod_exec_t:process kmod_t;
    type_transition kernel_t systemd_coredump_exec_t:process systemd_coredump_t;
    type_transition kernel_t systemd_systemctl_exec_t:process kernel_systemctl_t;
    type_transition kernel_t udev_exec_t:process udev_t;
    type_transition kernel_t usr_t:process kernel_generic_helper_t;

This demonstrates that the usermode helper path overwrite attack vector
is effectively mitigated when SELinux is enabled in enforcing mode and
provided that the attacker is not able to relabel a file to init_exec_t
(which, unfortunately, an unconfined user is able to do).

[1] https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
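The two sesearch listings in the commit message are the evidence that the restriction holds: no unconditional execute_no_trans rule for kernel_t, and an explicit process transition for every entrypoint the kernel may exec. The script below is an added example (not part of the commit or of the selinux-policy repository) that parses exactly that sesearch output and re-checks both properties, so the same verification can be repeated after future policy changes. The rule lines are copied from the commit message; the single line marked CONSTRUCTED is invented here to show what a finding looks like and does not exist in the policy.

```python
"""Audit sesearch output for a source domain: report execute_no_trans rules
(unconditional ones are findings, boolean-guarded ones are notes) and list the
process transitions defined for the domain.

Added example, not part of the commit or the policy repository.  Input is the
text that `sesearch -A -s kernel_t -p execute_no_trans` and
`sesearch -T -s kernel_t -c process` print; here it is embedded inline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Output quoted in the commit message: the one remaining rule, guarded by fips_mode.
ALLOW_OUTPUT_AFTER = """\
allow domain prelink_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ fips_mode ]:True
"""

# CONSTRUCTED: an unconditional execute_no_trans rule that is NOT in the policy,
# appended only to demonstrate how the audit flags such a rule.
ALLOW_OUTPUT_CONSTRUCTED = ALLOW_OUTPUT_AFTER + """\
allow kernel_t bin_t:file { execute execute_no_trans open read };
"""

# Output quoted in the commit message: every process transition from kernel_t.
TRANS_OUTPUT = """\
type_transition kernel_t abrt_dump_oops_exec_t:process abrt_dump_oops_t;
type_transition kernel_t abrt_helper_exec_t:process abrt_helper_t;
type_transition kernel_t anaconda_exec_t:process anaconda_t;
type_transition kernel_t bin_t:process kernel_generic_helper_t;
type_transition kernel_t init_exec_t:process init_t;
type_transition kernel_t kmod_exec_t:process kmod_t;
type_transition kernel_t systemd_coredump_exec_t:process systemd_coredump_t;
type_transition kernel_t systemd_systemctl_exec_t:process kernel_systemctl_t;
type_transition kernel_t udev_exec_t:process udev_t;
type_transition kernel_t usr_t:process kernel_generic_helper_t;
"""

# "allow SRC TGT:CLASS { p1 p2 }; [ bool_expr ]:True" or "allow SRC TGT:CLASS perm;"
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>[^\s;]+))\s*;"
    r"(?:\s*\[\s*(?P<cond>.*?)\s*\]:(?P<state>True|False))?\s*$"
)
# "type_transition SRC TGT:CLASS DEST;" with an optional quoted object name
TRANS_RE = re.compile(
    r"^type_transition\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r'(?P<dest>[^\s;]+)(?:\s+"[^"]*")?\s*;\s*$'
)


@dataclass
class ExecRule:
    source: str
    target: str
    perms: List[str]
    condition: Optional[str]  # boolean expression guarding the rule; None if always active


def parse_execute_no_trans(output: str) -> List[ExecRule]:
    """Return every allow rule in the output that grants execute_no_trans."""
    rules: List[ExecRule] = []
    for line in output.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue
        perms = (m["perms"] or m["perm"]).split()
        if "execute_no_trans" in perms:
            rules.append(ExecRule(m["src"], m["tgt"], perms, m["cond"]))
    return rules


def parse_process_transitions(output: str) -> Dict[str, str]:
    """Map each entrypoint type to the domain the source transitions into."""
    trans: Dict[str, str] = {}
    for line in output.splitlines():
        m = TRANS_RE.match(line.strip())
        if m and m["cls"] == "process":
            trans[m["tgt"]] = m["dest"]
    return trans


def audit(allow_output: str, trans_output: str) -> dict:
    """Split execute_no_trans rules into findings (unconditional) and notes (guarded)."""
    rules = parse_execute_no_trans(allow_output)
    return {
        "unconditional_no_trans": [r for r in rules if r.condition is None],
        "conditional_no_trans": [r for r in rules if r.condition is not None],
        "transitions": parse_process_transitions(trans_output),
    }


if __name__ == "__main__":
    for label, out in (("after commit", ALLOW_OUTPUT_AFTER),
                       ("constructed", ALLOW_OUTPUT_CONSTRUCTED)):
        result = audit(out, TRANS_OUTPUT)
        print(f"[{label}] {len(result['transitions'])} process transitions defined")
        for r in result["unconditional_no_trans"]:
            print(f"  FINDING: {r.source} may execute {r.target} with no domain change")
        for r in result["conditional_no_trans"]:
            print(f"  note: {r.target} execute_no_trans only while [{r.condition}] is on")
```

On a live system the same functions can be fed the real output with `subprocess.run(["sesearch", ...], capture_output=True, text=True).stdout`; the constructed line is only there so the finding path is exercised offline.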
WOnder93 authored and zpytela committed Dec 6, 2022
1 parent 18c5559 commit 1e8688e
Showing 2 changed files with 5 additions and 8 deletions.
4 changes: 0 additions & 4 deletions policy/modules/kernel/kernel.te
Expand Up @@ -504,10 +504,6 @@ optional_policy(`
init_read_utmp(kernel_systemctl_t)
')

optional_policy(`
unconfined_domain_noaudit(kernel_t)
')

optional_policy(`
virt_filetrans_home_content(kernel_t)
')
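Review bot: removing the optional_policy block with unconfined_domain_noaudit(kernel_t) means any kernel_t access that was previously granted only through the unconfined attribute, and not by the explicit rules the earlier commits added, now becomes an AVC denial; the message should say how this was validated on a running system (for example a permissive-mode boot with the usermode helpers exercised, then an audit2allow pass over the log) so reviewers know the "all known missing ones have already been added" claim was checked. The one rule that survives, `allow domain prelink_exec_t:file { ... execute_no_trans ... }; [ fips_mode ]:True`, reaches kernel_t through the `domain` attribute rather than through kernel.te, so it is out of scope for this hunk but worth tracking separately if the target is zero execute_no_trans for kernel_t.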
9 changes: 5 additions & 4 deletions policy/modules/system/init.if
Expand Up @@ -464,11 +464,12 @@ interface(`init_ranged_system_domain',`
## </param>
#
interface(`init_dyntrans',`
gen_require(`
type init_t;
')
gen_require(`
type init_t;
')

dyntrans_pattern($1, init_t)
dyntrans_pattern($1, init_t)
domain_dyntrans_type($1)
')

########################################
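Review bot: the interface documentation block above `interface(\`init_dyntrans\',\`` is not updated, yet the added `domain_dyntrans_type($1)` changes what callers get: besides the dynamic transition to init_t they are now also marked as a dynamic-transition source type. A line in the interface's summary comment stating that, plus a short comment next to the new call naming the neverallow rule it satisfies (the commit message mentions the violation but the code does not), would keep a future cleanup from dropping the call as redundant. The require block is fine as it is, since domain_dyntrans_type() declares its own requirements.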