init labeling question for targeted policy

Karsten Wade kwade at redhat.com
Mon Nov 29 18:12:37 UTC 2004


On Mon, 2004-11-29 at 06:28, Stephen Smalley wrote:
> On Wed, 2004-11-24 at 18:47, Karsten Wade wrote:
> > Which one of these paths, if any, is leading in the right direction?
> 
> There are a set of predefined SIDs (called initial SIDs) used for
> bootstrapping prior to initial policy load.  When SELinux first
> initializes (during kernel initialization, well before policy load), the
> kernel assigns the initial task the "kernel" initial SID.  Later, when
> the policy is loaded, the initial SIDs are mapped to security contexts
> in the policy via the initial_sid_contexts configuration, and the kernel
> can begin to get SIDs dynamically from the security server.  In the
> strict policy, the "kernel" initial SID maps to kernel_t, and the policy
> defines a transition from kernel_t to init_t upon execution of
> init_exec_t, so when /sbin/init re-executes itself after loading policy,
> it transitions to init_t.  In the targeted policy, the "kernel" initial
> SID maps to unconfined_t, and there is no transition defined in the
> targeted policy upon executing init_exec_t, so /sbin/init remains in
> unconfined_t even after the re-exec.

Excellent, thank you, that makes perfect sense.

- Karsten
-- 
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41
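To make the two bootstrap paths Stephen describes concrete, here is an added Python model (not code from this thread or from the Fedora policy) that parses constructed `sid` and `type_transition` lines written in SELinux policy syntax and resolves the domain /sbin/init lands in after its re-exec. The contexts and the rule are assumptions chosen to match the behaviour described above, and the real policy also needs the accompanying allow rules that this toy omits.

```python
import re

# Constructed policy fragments (not copied from any real Fedora policy).
# Strict: "kernel" initial SID -> kernel_t, plus the exec transition to init_t.
STRICT_POLICY = """
# initial_sid_contexts entry
sid kernel system_u:system_r:kernel_t
# default domain change when kernel_t executes a file of type init_exec_t
type_transition kernel_t init_exec_t:process init_t;
"""

# Targeted: "kernel" initial SID -> unconfined_t and no transition rule.
TARGETED_POLICY = """
sid kernel system_u:system_r:unconfined_t
"""

SID_RE = re.compile(r"^sid\s+(\w+)\s+(\S+)$")
TT_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+):process\s+(\w+);$")


def parse_policy(text):
    """Return ({initial_sid: context}, {(source_domain, exec_type): new_domain}).

    Only the two statement kinds the thread talks about are understood; a real
    policy would also carry allow rules (execute, transition, entrypoint)."""
    sids, transitions = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.match(line)
        if m:
            sids[m.group(1)] = m.group(2)
            continue
        m = TT_RE.match(line)
        if m:
            transitions[(m.group(1), m.group(2))] = m.group(3)
    return sids, transitions


def domain_after_exec(policy_text, exec_type="init_exec_t"):
    """Context of the initial task after policy load and re-exec of a file
    labelled exec_type. It starts from the "kernel" initial SID; with no
    matching type_transition the domain is simply inherited unchanged."""
    sids, transitions = parse_policy(policy_text)
    user, role, domain = sids["kernel"].split(":")[:3]
    new_domain = transitions.get((domain, exec_type), domain)
    return f"{user}:{role}:{new_domain}"
```

Running `domain_after_exec` on the two fragments gives `system_u:system_r:init_t` for strict and `system_u:system_r:unconfined_t` for targeted, which is the difference the thread is about.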

More information about the fedora-selinux-list mailing list