On Wed, 2004-11-24 at 15:47 -0800, Karsten Wade wrote:
> My question about the targeted policy presumes that init re-execs itself
> after loading the policy, whereby it picks up the unconfined_t domain
> from the policy, as defined by a rule in
> /etc/selinux/targeted/src/policy/domains/unconfined.te.
>
> role system_r types unconfined_t;

This just authorizes a role for a type; it doesn't define anything related to init.

> What rule tells init to re-exec itself in the targeted policy?

Nothing in the policy tells init to re-exec itself; the code just does it.
Do you mean, how does init get the unconfined_t type? See:

> In the strict policy there is an explicit transition rule for init. The
> file programs/misc/kernel.te has this rule:
>
> domain_auto_trans(kernel_t, init_exec_t, init_t)
>
> In the targeted policy, kernel.te is in domains/misc/unused, so is not
> called into play. Correct?

Well, kernel_t is actually an alias for init_t in targeted policy, according to apol.

The kernel starts out as unconfined_t, in my reading of initial_sid_contexts:

sid kernel user_u:system_r:unconfined_t

Thus there is no transition at all in targeted policy.
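A way to check the point made in the reply on a running system (added example, not part of the thread and not from the SELinux policy sources): the kernel's initial SID context is exposed by selinuxfs under initial_contexts/kernel, and init's current domain is in /proc/1/attr/current, so comparing the type fields shows whether init still runs in the initial kernel type (no transition, as the reply says of targeted policy) or has transitioned out of it (as the strict policy's kernel_t -> init_t rule would cause). The selinuxfs mount points /sys/fs/selinux and /selinux are real; which one exists depends on the system, and the sample contexts used in the comparison function are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the initial kernel SID context with init's domain.
# Requires a running SELinux kernel with selinuxfs mounted; otherwise the
# pure helper functions can still be exercised with constructed contexts.

# Extract the type field (third colon-separated field) of a security context,
# e.g. user_u:system_r:unconfined_t -> unconfined_t. Works for MLS contexts too.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Locate the mounted selinuxfs (modern path first, then the 2004-era one).
selinuxfs_root() {
    for d in /sys/fs/selinux /selinux; do
        if [ -r "$d/initial_contexts/kernel" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Given the kernel initial SID context and init's context, report whether
# init stayed in the kernel's type (no transition) or moved to another one.
compare_kernel_and_init() {
    kt=$(context_type "$1")
    it=$(context_type "$2")
    if [ "$kt" = "$it" ]; then
        echo "no transition: init stays in $it"
    else
        echo "transition: kernel sid $kt -> init $it"
    fi
}

main() {
    root=$(selinuxfs_root) || { echo "selinuxfs not mounted" >&2; return 1; }
    kernel_ctx=$(tr -d '\0' < "$root/initial_contexts/kernel")
    init_ctx=$(tr -d '\0' < /proc/1/attr/current)   # context of PID 1
    compare_kernel_and_init "$kernel_ctx" "$init_ctx"
}

# Run the live check only when invoked as: sh check_init_domain.sh --run
case "${1:-}" in
    --run) main ;;
esac
```

On a targeted-policy box the reply's reading predicts "no transition: init stays in unconfined_t"; on a strict-policy box with the domain_auto_trans rule in force, the kernel type and init's type differ.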