Re: init labeling question for targeted policy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2004-11-24 at 15:47 -0800, Karsten Wade wrote:
> My question about the targeted policy presumes that init re-execs itself
> after loading the policy, whereby it picks up the unconfined_t domain
> from the policy, as defined by a rule in
> /etc/selinux/targeted/src/policy/domains/unconfined.te.
> 
>   role system_r types unconfined_t;

This just authorizes a role for a type, it doesn't define anything
related to init.

> What rule tells init to re-exec itself in the targeted policy?  

Nothing in the policy tells init to re-exec itself; the code just does
it.  Do you mean, how does init get the unconfined_t type?  See:

> In the strict policy there is an explicit transition rule for init. The
> file programs/misc/kernel.te has this rule:
> 
>   domain_auto_trans(kernel_t, init_exec_t, init_t)
> 
> In the targeted policy, kernel.te is in domains/misc/unused, so is not
> called into play.  Correct? 

Well, kernel_t is actually an alias for init_t in targeted policy,
according to apol.  The kernel starts out as unconfined_t, in my reading
of initial_sid_contexts:

sid kernel      user_u:system_r:unconfined_t

Thus there is no transition at all in targeted policy.



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux