init labeling question for targeted policy
Karsten Wade
kwade at redhat.com
Sat Nov 27 13:03:56 UTC 2004
On Wed, 2004-11-24 at 21:28, Colin Walters wrote:
> On Wed, 2004-11-24 at 15:47 -0800, Karsten Wade wrote:
> > My question about the targeted policy presumes that init re-execs itself
> > after loading the policy, whereby it picks up the unconfined_t domain
> > from the policy, as defined by a rule in
> > /etc/selinux/targeted/src/policy/domains/unconfined.te.
> >
> > role system_r types unconfined_t;
>
> This just authorizes a role for a type, it doesn't define anything
> related to init.
I was looking for a blanket (default) rule that covered everything not
covered by policy in domains/program/*.te.
> > What rule tells init to re-exec itself in the targeted policy?
>
> Nothing in the policy tells init to re-exec itself; the code just does
> it.
I got started down this pathway from this paragraph in Russell's
article:
from http://www.redhat.com/magazine/001nov04/features/selinux/
"After the policy is loaded every running process (only init and kernel
threads as the policy is loaded early in the boot) will be assigned the
security context system_u:system_r:kernel_t (NB all kernel threads
started at any time will get that context). Once init has loaded the
policy it will re-exec itself. The policy contains the rule
domain_auto_trans(kernel_t, init_exec_t, init_t). This means that when
the kernel_t domain executes a file of type init_exec_t (for example,
/sbin/init) then the domain will automatically transition to init_t (the
correct domain for /sbin/init). After that init does its usual job and
the system boots. The kernel threads continue running as kernel_t."
This doesn't describe the targeted policy, I get that. I found the
domain_auto_trans in kernel.te and found kernel.te in
domains/misc/unused in the targeted sources, so I drew the conclusion
that the behavior of init is as Russell says but the way it gets its
context is different.
> Do you mean, how does init get the unconfined_t type? See:
[snip ref. to initial_sid_contexts]
This was a part of my question.
>
> > In the strict policy there is an explicit transition rule for init. The
> > file programs/misc/kernel.te has this rule:
> >
> > domain_auto_trans(kernel_t, init_exec_t, init_t)
> >
> > In the targeted policy, kernel.te is in domains/misc/unused, so is not
> > called into play. Correct?
>
> Well, kernel_t is actually an alias for init_t in targeted policy,
> according to apol.
From domains/unconfined.te:
typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t
rpm_script_t logrotate_t };
Obviously I need to commit a little more time with apol. :)
> The kernel starts out as unconfined_t, in my reading
> of initial_sid_contexts:
>
> sid kernel user_u:system_r:unconfined_t
>
> Thus there is no transition at all in targeted policy.
init is started with the unconfined_t context? Was this behavior that
changed between FC2 and FC3, or am I missing something fundamental here?
thx - Karsten
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
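
Added example, not part of the original message or of the policy sources: a small Python sketch that parses the two targeted-policy statements quoted in the thread (the typealias from domains/unconfined.te and the kernel entry from initial_sid_contexts) and resolves the strict-policy domain_auto_trans rule through the aliases, showing that both ends collapse to unconfined_t. The function names are hypothetical, and the parser handles only these statement forms.

```python
import re

# Constructed sample: the two targeted-policy statements quoted in the thread.
TARGETED_POLICY = """
typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t
rpm_script_t logrotate_t };
sid kernel user_u:system_r:unconfined_t
"""

TYPEALIAS_RE = re.compile(
    r"typealias\s+(\w+)\s+alias\s+(?:\{([^}]*)\}|(\w+))\s*;")
SID_RE = re.compile(r"^\s*sid\s+(\w+)\s+(\S+)\s*$", re.M)
TRANS_RE = re.compile(
    r"\s*domain_auto_trans\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)\s*;?\s*")


def parse_aliases(text):
    """Map every alias name to the primary type it stands for."""
    aliases = {}
    for m in TYPEALIAS_RE.finditer(text):
        primary = m.group(1)
        for name in (m.group(2) or m.group(3)).split():
            aliases[name] = primary
    return aliases


def parse_initial_sids(text):
    """Map initial SID names (e.g. 'kernel') to their security context."""
    return {m.group(1): m.group(2) for m in SID_RE.finditer(text)}


def canonical(type_name, aliases):
    """Return the primary type for a name, or the name itself if not an alias."""
    return aliases.get(type_name, type_name)


def initial_domain(sid_name, sids, aliases):
    """Type field of an initial SID context, resolved through aliases."""
    _user, _role, type_name = sids[sid_name].split(":")[:3]
    return canonical(type_name, aliases)


def transition_effect(rule, aliases):
    """Resolve a domain_auto_trans rule; return (source, target, changes_domain)."""
    m = TRANS_RE.fullmatch(rule)
    if m is None:
        raise ValueError("not a domain_auto_trans rule: %r" % rule)
    src, dst = canonical(m.group(1), aliases), canonical(m.group(3), aliases)
    return src, dst, src != dst
```

With the targeted aliases loaded, the kernel_t to init_t rule resolves to unconfined_t on both sides, which matches Colin's reading that there is no transition at all; with no aliases (the strict-policy case) the same rule is a real domain change.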