On Wed, 2004-11-24 at 21:28, Colin Walters wrote:
> On Wed, 2004-11-24 at 15:47 -0800, Karsten Wade wrote:
> > My question about the targeted policy presumes that init re-execs itself
> > after loading the policy, whereby it picks up the unconfined_t domain
> > from the policy, as defined by a rule in
> > /etc/selinux/targeted/src/policy/domains/unconfined.te.
> >
> > role system_r types unconfined_t;
>
> This just authorizes a role for a type, it doesn't define anything
> related to init.

I was looking for a blanket (default) rule that covered everything not
covered by policy in domains/program/*.te.

> > What rule tells init to re-exec itself in the targeted policy?
>
> Nothing in the policy tells init to re-exec itself; the code just does
> it.

I got started down this pathway from this paragraph in Russell's article:

from http://www.redhat.com/magazine/001nov04/features/selinux/

"After the policy is loaded every running process (only init and kernel
threads as the policy is loaded early in the boot) will be assigned the
security context system_u:system_r:kernel_t (NB all kernel threads started
at any time will get that context). Once init has loaded the policy it
will re-exec itself. The policy contains the rule
domain_auto_trans(kernel_t, init_exec_t, init_t). This means that when the
kernel_t domain executes a file of type init_exec_t (for example,
/sbin/init) then the domain will automatically transition to init_t (the
correct domain for /sbin/init). After that init does its usual job and the
system boots. The kernel threads continue running as kernel_t."

This doesn't describe the targeted policy, I get that. I found the
domain_auto_trans in kernel.te and found kernel.te in domains/misc/unused
in the targeted sources, so I drew the conclusion that the behavior of
init is as Russell says but the way it gets its context is different.

> Do you mean, how does init get the unconfined_t type? See:

[snip ref. to initial_sid_contexts]

This was a part of my question.

> > In the strict policy there is an explicit transition rule for init. The
> > file programs/misc/kernel.te has this rule:
> >
> > domain_auto_trans(kernel_t, init_exec_t, init_t)
> >
> > In the targeted policy, kernel.te is in domains/misc/unused, so is not
> > called into play. Correct?
>
> Well, kernel_t is actually an alias for init_t in targeted policy,
> according to apol.

From domains/unconfined.te:

typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t rpm_script_t logrotate_t };

Obviously I need to commit a little more time with apol. :)

> The kernel starts out as unconfined_t, in my reading
> of initial_sid_contexts:
>
> sid kernel user_u:system_r:unconfined_t
>
> Thus there is no transition at all in targeted policy.

init is started with the unconfined_t context? Was this behavior that
changed between FC2 and FC3, or am I missing something fundamental here?

thx - Karsten
-- 
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
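The point the thread circles around (strict policy transitions kernel_t to init_t via domain_auto_trans, while targeted policy makes kernel_t and init_t mere aliases of unconfined_t so no transition is needed) can be checked mechanically. The script below is an added example, not code from the thread or from the SELinux project; it parses tiny constructed excerpts modelled on the lines quoted above (the real policy sources are far larger) and resolves the domain init ends up in after exec, with alias collapsing applied.

```python
import re

# Constructed excerpts modelled on the lines quoted in the thread; the real
# policy sources are far larger and the exact lines differ between releases.
STRICT = """
sid kernel system_u:system_r:kernel_t
domain_auto_trans(kernel_t, init_exec_t, init_t)
"""
TARGETED = """
sid kernel user_u:system_r:unconfined_t
typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t rpm_script_t logrotate_t };
"""

TYPEALIAS_RE = re.compile(r"typealias\s+(\w+)\s+alias\s*\{([^}]*)\}\s*;")
AUTO_TRANS_RE = re.compile(r"domain_auto_trans\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)")
SID_RE = re.compile(r"^\s*sid\s+(\w+)\s+(\S+)", re.M)

def alias_map(policy):
    """{alias: canonical type} from every typealias statement in the text."""
    aliases = {}
    for canonical_type, names in TYPEALIAS_RE.findall(policy):
        for name in names.split():
            aliases[name] = canonical_type
    return aliases

def canonical(type_name, aliases):
    """Collapse an alias onto the type it names; unknown names are their own type."""
    return aliases.get(type_name, type_name)

def initial_type(policy, sid="kernel"):
    """Type field of an initial SID context, e.g. kernel_t from system_u:system_r:kernel_t."""
    for name, context in SID_RE.findall(policy):
        if name == sid:
            return context.split(":")[2]
    raise KeyError(sid)

def domain_after_exec(policy, exec_type="init_exec_t"):
    """Domain init runs in after the kernel SID's domain execs a file of exec_type."""
    aliases = alias_map(policy)
    # Match on canonical types so a rule between two aliases of one type is a no-op.
    current = canonical(initial_type(policy), aliases)
    for src, exe, dst in AUTO_TRANS_RE.findall(policy):
        if canonical(src, aliases) == current and exe == exec_type:
            return canonical(dst, aliases)
    return current  # no applicable rule: init keeps the kernel's domain

if __name__ == "__main__":
    print("strict  :", initial_type(STRICT), "->", domain_after_exec(STRICT))
    print("targeted:", initial_type(TARGETED), "->", domain_after_exec(TARGETED))
```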