init labeling question for targeted policy
Colin Walters
walters at redhat.com
Thu Nov 25 05:28:43 UTC 2004
On Wed, 2004-11-24 at 15:47 -0800, Karsten Wade wrote:
> My question about the targeted policy presumes that init re-execs itself
> after loading the policy, whereby it picks up the unconfined_t domain
> from the policy, as defined by a rule in
> /etc/selinux/targeted/src/policy/domains/unconfined.te.
>
> role system_r types unconfined_t;
This just authorizes a role for a type, it doesn't define anything
related to init.
> What rule tells init to re-exec itself in the targeted policy?
Nothing in the policy tells init to re-exec itself; the code just does
it. Do you mean, how does init get the unconfined_t type? See:
> In the strict policy there is an explicit transition rule for init. The
> file programs/misc/kernel.te has this rule:
>
> domain_auto_trans(kernel_t, init_exec_t, init_t)
>
> In the targeted policy, kernel.te is in domains/misc/unused, so is not
> called into play. Correct?
Well, kernel_t is actually an alias for init_t in targeted policy,
according to apol. The kernel starts out as unconfined_t, in my reading
of initial_sid_contexts:
sid kernel user_u:system_r:unconfined_t
Thus there is no transition at all in targeted policy.
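As an added illustration of the point above (not code from this thread or from the Fedora policy), the script below parses the three kinds of policy lines the discussion turns on: the kernel entry in initial_sid_contexts, domain_auto_trans() macro calls, and `type X alias Y` declarations (the alias syntax is my assumption of how "kernel_t is an alias for init_t" would be expressed). The strict and targeted snippets are constructed for illustration, not copied from a real policy.

```python
"""Resolve which SELinux domain init runs in, from policy text.

Added example: given initial_sid_contexts and a policy fragment, report
the domain init ends up in.  With an explicit domain_auto_trans() rule
from the kernel's domain on init_exec_t, that rule's target wins; with
no rule (the targeted case), init simply inherits the kernel's domain.
"""
import re

# 'sid kernel user_u:system_r:unconfined_t' -> capture the type field
SID_RE = re.compile(r'^\s*sid\s+kernel\s+[^:\s]+:[^:\s]+:(\w+)\s*$', re.M)
# domain_auto_trans(source_domain, entrypoint_type, target_domain)
TRANS_RE = re.compile(r'domain_auto_trans\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)')
# 'type init_t alias kernel_t, domain;'  (assumed alias form)
ALIAS_RE = re.compile(r'^\s*(?:type|typealias)\s+(\w+)\s+alias\s+(\w+)', re.M)


def kernel_domain(sid_contexts: str) -> str:
    """Domain of the kernel initial SID (third field of its context)."""
    m = SID_RE.search(sid_contexts)
    if not m:
        raise ValueError("no 'sid kernel' entry in initial_sid_contexts")
    return m.group(1)


def resolve_alias(policy: str, name: str) -> str:
    """Map an alias (e.g. kernel_t) back to its canonical type name."""
    for canonical, alias in ALIAS_RE.findall(policy):
        if alias == name:
            return canonical
    return name


def init_domain(sid_contexts: str, policy: str, init_exec="init_exec_t") -> str:
    """Domain init runs in: transition target if a rule exists, else kernel's."""
    start = resolve_alias(policy, kernel_domain(sid_contexts))
    for src, exe, dst in TRANS_RE.findall(policy):
        if resolve_alias(policy, src) == start and exe == init_exec:
            return dst          # explicit transition rule applies
    return start                # no rule: init keeps the kernel's domain


# Constructed snippets modelled on the two policies discussed in the thread.
STRICT_SIDS = "sid kernel system_u:system_r:kernel_t\n"
STRICT_POLICY = ("type kernel_t, domain;\n"
                 "domain_auto_trans(kernel_t, init_exec_t, init_t)\n")
TARGETED_SIDS = "sid kernel user_u:system_r:unconfined_t\n"
TARGETED_POLICY = "type init_t alias kernel_t, domain;\n"

if __name__ == "__main__":
    print("strict:  ", init_domain(STRICT_SIDS, STRICT_POLICY))
    print("targeted:", init_domain(TARGETED_SIDS, TARGETED_POLICY))
```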