Stephen Smalley sds at
Wed Aug 2 13:56:35 UTC 2006

On Wed, 2006-08-02 at 00:19 +0200, Axel Thimm wrote:
> On Tue, Aug 01, 2006 at 09:38:15AM -0400, Stephen Smalley wrote:
> > It would if init were running in kernel_t too.  But given that it is
> > running in init_t, I don't understand how its descendants got back to
> > kernel_t.  Unless the transition to init_t happened after starting the
> > descendants, e.g. you manually told init to re-exec via telinit.
> I didn't do so consciously. I rebooted the system and there is no
> hotplug_t trace anymore in the processes. What I think I missed is the
> reboot after the fixfiles command. But I don't understand how init
> would go back and forth into different security contexts.

I'd guess that init was told to re-exec via telinit u after you
relabeled the filesystem, so that it finally transitioned to the right
domain, but this didn't help already existing descendants of init that
had been spawned while it was still kernel_t (i.e. when you first booted
the system, /sbin/init had the wrong type, so init was left in kernel_t,
then you relabeled, then something told it to re-exec).  Performing an
update of libselinux, glibc, or SysVinit would have done a telinit u, I

> Anyway for me I'm happy that the system is in a normal selinux state
> (I hope) and that I can start using selinux in real life (permissive
> for now while learning).

Good, glad it is working now.

Stephen Smalley
National Security Agency
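
The state described in this message (init now in init_t, but descendants spawned earlier still in kernel_t) can be checked from process labels. The script below is an added example, not part of the original message; the sample `ps` output is constructed, and treating bracketed command names as kernel threads is an assumption.

```shell
#!/bin/sh
# Find userspace processes that are still running in kernel_t.
# Input on stdin: output of `ps -eo pid,ppid,label,args` (header optional).
# Assumption: kernel threads are recognised by ps printing their name in
# square brackets, because they have no command line.
stale_kernel_t() {
    awk '
        $1 !~ /^[0-9]+$/ { next }        # skip the header line
        {
            split($3, ctx, ":")          # user:role:type[:level]
            if (ctx[3] != "kernel_t") next
            if ($4 ~ /^\[/) next         # kernel thread, kernel_t is expected
            print $1, $4                 # PID and executable of the stale process
        }'
}

# Print the domain (type field) that PID 1 is running in.
init_domain() {
    awk '$1 == "1" { split($3, ctx, ":"); print ctx[3] }'
}

# Constructed sample: init has already transitioned to init_t, but two
# daemons started before the relabel are still in kernel_t.
SAMPLE='  PID  PPID LABEL                           COMMAND
    1     0 system_u:system_r:init_t        init [5]
    2     1 system_u:system_r:kernel_t      [ksoftirqd/0]
  412     1 system_u:system_r:kernel_t      /sbin/udevd -d
 1630     1 system_u:system_r:kernel_t      /usr/sbin/acpid
 1702     1 system_u:system_r:sshd_t        /usr/sbin/sshd'

if [ "${1:-}" = "--live" ]; then
    # Run against the current system instead of the sample.
    ps -eo pid,ppid,label,args | stale_kernel_t
else
    printf '%s\n' "$SAMPLE" | stale_kernel_t
fi
```

Any process it lists was started before init left kernel_t; in this thread, a reboot after the relabel cleared them.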
