On Wed, 2004-11-24 at 18:47, Karsten Wade wrote:
> Which one of these paths, if any, is leading in the right direction?

There is a set of predefined SIDs (called initial SIDs) used for bootstrapping prior to initial policy load. When SELinux first initializes (during kernel initialization, well before policy load), the kernel assigns the initial task the "kernel" initial SID. Later, when the policy is loaded, the initial SIDs are mapped to security contexts in the policy via the initial_sid_contexts configuration, and the kernel can begin to get SIDs dynamically from the security server.

In the strict policy, the "kernel" initial SID maps to kernel_t, and the policy defines a transition from kernel_t to init_t upon execution of init_exec_t, so when /sbin/init re-executes itself after loading policy, it transitions to init_t.

In the targeted policy, the "kernel" initial SID maps to unconfined_t, and there is no transition defined in the targeted policy upon executing init_exec_t, so /sbin/init remains in unconfined_t even after the re-exec.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
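Constructed illustration of the two policy pieces the message above refers to (added here; not part of the original mail and not copied from any shipped policy): the initial_sid_contexts line that gives the "kernel" initial SID its context, and the rules that the strict policy's kernel_t to init_t transition on init_exec_t consists of. The exact permission names are assumptions about how the old monolithic policy's domain transition macro expanded.

```selinux
# Constructed example in the 2004-era monolithic policy syntax.
# Rule spellings are assumptions for illustration, not a copy of a real policy.

# --- initial_sid_contexts: what the "kernel" initial SID becomes at policy load
# strict policy:
sid kernel system_u:system_r:kernel_t
# targeted policy would instead carry:
#   sid kernel system_u:system_r:unconfined_t

# --- strict policy: the transition kernel_t -> init_t on executing init_exec_t
# (what a domain_auto_trans(kernel_t, init_exec_t, init_t) macro boils down to)
allow kernel_t init_exec_t:file { getattr read execute };  # kernel_t may run the binary
allow kernel_t init_t:process transition;                   # kernel_t may move into init_t
allow init_t init_exec_t:file entrypoint;                   # init_exec_t is a valid entry to init_t
type_transition kernel_t init_exec_t:process init_t;        # and the change happens by default

# --- targeted policy: no type_transition is declared from unconfined_t on
# init_exec_t, so the re-exec of /sbin/init keeps it in unconfined_t.
```

On a running system, `sesearch -T -s kernel_t -t init_exec_t` (setools) shows whether such a type_transition rule is present in the loaded policy, and `ps -Z -p 1` shows which domain init actually ended up in after the re-exec.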