init labeling question for targeted policy

Karsten Wade kwade at redhat.com
Sat Nov 27 13:03:56 UTC 2004


On Wed, 2004-11-24 at 21:28, Colin Walters wrote:
> On Wed, 2004-11-24 at 15:47 -0800, Karsten Wade wrote:
> > My question about the targeted policy presumes that init re-execs itself
> > after loading the policy, whereby it picks up the unconfined_t domain
> > from the policy, as defined by a rule in
> > /etc/selinux/targeted/src/policy/domains/unconfined.te.
> > 
> >   role system_r types unconfined_t;
> 
> This just authorizes a role for a type, it doesn't define anything
> related to init.

I was looking for a blanket (default) rule that covered everything not
covered by policy in domains/program/*.te.

> > What rule tells init to re-exec itself in the targeted policy?  
> 
> Nothing in the policy tells init to re-exec itself; the code just does
> it.

I got started down this pathway from this paragraph in Russell's
article:

from http://www.redhat.com/magazine/001nov04/features/selinux/

"After the policy is loaded every running process (only init and kernel
threads as the policy is loaded early in the boot) will be assigned the
security context system_u:system_r:kernel_t (NB all kernel threads
started at any time will get that context). Once init has loaded the
policy it will re-exec itself. The policy contains the rule
domain_auto_trans(kernel_t, init_exec_t, init_t). This means that when
the kernel_t domain executes a file of type init_exec_t (for example,
/sbin/init) then the domain will automatically transition to init_t (the
correct domain for /sbin/init). After that init does its usual job and
the system boots. The kernel threads continue running as kernel_t."

This doesn't describe the targeted policy, I get that.  I found the
domain_auto_trans in kernel.te and found kernel.te in
domains/misc/unused in the targeted sources, so I drew the conclusion
that the behavior of init is as Russell says but the way it gets its
context is different.

>   Do you mean, how does init get the unconfined_t type?  See:

[snip ref. to initial_sid_contexts]

This was a part of my question.
> 
> > In the strict policy there is an explicit transition rule for init. The
> > file programs/misc/kernel.te has this rule:
> > 
> >   domain_auto_trans(kernel_t, init_exec_t, init_t)
> > 
> > In the targeted policy, kernel.te is in domains/misc/unused, so is not
> > called into play.  Correct? 
> 
> Well, kernel_t is actually an alias for init_t in targeted policy,
> according to apol.

From domains/unconfined.te:

typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t
rpm_script_t logrotate_t };

Obviously I need to commit a little more time with apol. :)

>   The kernel starts out as unconfined_t, in my reading
> of initial_sid_contexts:
> 
> sid kernel      user_u:system_r:unconfined_t
> 
> Thus there is no transition at all in targeted policy.

init is started with the unconfined_t context?  Was this behavior that
changed between FC2 and FC3, or am I missing something fundamental here?

thx - Karsten
-- 
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41
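
The following is an added example, not part of the original message or of the policy sources: a small Python sketch that parses the `typealias` statement and the `sid kernel` line quoted in the thread and checks whether a `domain_auto_trans(kernel_t, init_exec_t, init_t)` rule would change the domain once aliases are resolved. The function names and the `httpd_t` comparison type are assumptions made for illustration.

```python
import re

# Constructed sample input: the two policy fragments quoted in the thread.
POLICY = """
typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t
rpm_script_t logrotate_t };
"""
INITIAL_SIDS = "sid kernel      user_u:system_r:unconfined_t\n"

# Matches both "alias { a_t b_t }" and "alias a_t" forms.
TYPEALIAS_RE = re.compile(
    r"typealias\s+(\w+)\s+alias\s+(?:\{([^}]*)\}|(\w+))\s*;")


def parse_typealiases(text):
    """Map every alias name to its primary type."""
    aliases = {}
    for match in TYPEALIAS_RE.finditer(text):
        primary, group, single = match.groups()
        names = group.split() if group is not None else [single]
        for name in names:
            aliases[name] = primary
    return aliases


def parse_initial_sids(text):
    """Map each initial SID name to its (user, role, type) context."""
    sids = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "sid":
            user, role, type_ = parts[2].split(":")[:3]
            sids[parts[1]] = (user, role, type_)
    return sids


def resolve(type_name, aliases):
    """Return the primary type that a name refers to."""
    return aliases.get(type_name, type_name)


def transition_changes_domain(source, target, aliases):
    """True if a transition from source to target ends in a different type."""
    return resolve(source, aliases) != resolve(target, aliases)


if __name__ == "__main__":
    aliases = parse_typealiases(POLICY)
    print(parse_initial_sids(INITIAL_SIDS)["kernel"])
    print(transition_changes_domain("kernel_t", "init_t", aliases))
```
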



