init labeling question for targeted policy

Stephen Smalley sds at epoch.ncsc.mil
Mon Nov 29 14:28:18 UTC 2004


On Wed, 2004-11-24 at 18:47, Karsten Wade wrote:
> Which one of these paths, if any, is leading in the right direction?

There is a set of predefined SIDs (called initial SIDs) used for
bootstrapping prior to initial policy load.  When SELinux first
initializes (during kernel initialization, well before policy load), the
kernel assigns the initial task the "kernel" initial SID.  Later, when
the policy is loaded, the initial SIDs are mapped to security contexts
in the policy via the initial_sid_contexts configuration, and the kernel
can begin to get SIDs dynamically from the security server.  In the
strict policy, the "kernel" initial SID maps to kernel_t, and the policy
defines a transition from kernel_t to init_t upon execution of
init_exec_t, so when /sbin/init re-executes itself after loading policy,
it transitions to init_t.  In the targeted policy, the "kernel" initial
SID maps to unconfined_t, and there is no transition defined in the
targeted policy upon executing init_exec_t, so /sbin/init remains in
unconfined_t even after the re-exec.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
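
The labeling sequence described in the message above, as an added example that is not part of the original post or of the SELinux code base: a small Python model that parses two constructed policy fragments and follows /sbin/init from the "kernel" initial SID through its re-exec. The `system_u:system_r` user and role fields and all function names are assumptions; only the type names come from the message.

```python
import re

# Constructed policy fragments modelled on the message. The user and role
# fields (system_u:system_r) are assumptions; only the types come from it.
STRICT = """
sid kernel system_u:system_r:kernel_t
type_transition kernel_t init_exec_t:process init_t;
"""
TARGETED = """
sid kernel system_u:system_r:unconfined_t
"""

def load_policy(text):
    """Parse 'sid' and process 'type_transition' statements from text."""
    sids, trans = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"sid\s+(\w+)\s+(\S+)", line)
        if m:
            sids[m.group(1)] = m.group(2)
            continue
        m = re.fullmatch(r"type_transition\s+(\w+)\s+(\w+):process\s+(\w+);", line)
        if m:
            trans[(m.group(1), m.group(2))] = m.group(3)
    return sids, trans

def exec_context(context, file_type, trans):
    """Context after exec: apply a matching transition, else keep the domain."""
    user, role, domain = context.split(":")
    return ":".join((user, role, trans.get((domain, file_type), domain)))

def boot_init(policy_text):
    """Follow /sbin/init from the 'kernel' initial SID through its re-exec."""
    sids, trans = load_policy(policy_text)
    after_load = sids["kernel"]  # initial SID mapped to a context at policy load
    after_reexec = exec_context(after_load, "init_exec_t", trans)
    return after_load, after_reexec

if __name__ == "__main__":
    for name, text in (("strict", STRICT), ("targeted", TARGETED)):
        print(name, *boot_init(text))
```

On a running system the corresponding check is the label of PID 1, which `ps -Z -p 1` reports.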



