On Mon, 2004-11-29 at 06:28, Stephen Smalley wrote:
> On Wed, 2004-11-24 at 18:47, Karsten Wade wrote:
> > Which one of these paths, if any, is leading in the right direction?
>
> There is a set of predefined SIDs (called initial SIDs) used for
> bootstrapping prior to initial policy load. When SELinux first
> initializes (during kernel initialization, well before policy load), the
> kernel assigns the initial task the "kernel" initial SID. Later, when
> the policy is loaded, the initial SIDs are mapped to security contexts
> in the policy via the initial_sid_contexts configuration, and the kernel
> can begin to get SIDs dynamically from the security server. In the
> strict policy, the "kernel" initial SID maps to kernel_t, and the policy
> defines a transition from kernel_t to init_t upon execution of
> init_exec_t, so when /sbin/init re-executes itself after loading policy,
> it transitions to init_t. In the targeted policy, the "kernel" initial
> SID maps to unconfined_t, and there is no transition defined in the
> targeted policy upon executing init_exec_t, so /sbin/init remains in
> unconfined_t even after the re-exec.

Excellent, thank you, that makes perfect sense.

- Karsten

-- 
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
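As an added illustration of the bootstrap sequence Stephen describes (initial SIDs that exist before any policy is loaded, initial_sid_contexts binding them to contexts at load time, and the exec transition that either moves init out of the "kernel" initial SID's domain or leaves it there), here is a small Python model. It is not part of this thread or of the SELinux code base: the SecurityServer class, the boot() helper, the initial-SID numbering, and the two policy fragments are constructed for the example, and role transitions and access-vector checks are deliberately left out.

```python
import re

# Two statement kinds from the policy language are enough for the model:
#   sid <name> <context>                     (initial_sid_contexts)
#   type_transition <src> <tgt>:<class> <new>;
SID_RE = re.compile(r"^sid\s+(\w+)\s+(\S+)$")
TT_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;$")


def parse_policy(text):
    """Parse a policy fragment into (initial SID contexts, type_transition rules)."""
    sid_contexts, transitions = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SID_RE.match(line)
        if m:
            sid_contexts[m.group(1)] = m.group(2)
            continue
        m = TT_RE.match(line)
        if m:
            src, tgt, tclass, new = m.groups()
            transitions[(src, tgt, tclass)] = new
            continue
        raise ValueError("unsupported statement: " + line)
    return sid_contexts, transitions


class SecurityServer:
    """Minimal stand-in for the kernel security server's SID table."""

    # Hard-coded initial SIDs (an assumed subset with assumed numbers; the
    # real kernel defines more). They exist before any policy is loaded.
    INITIAL_SIDS = {"kernel": 1, "security": 2, "unlabeled": 3}

    def __init__(self):
        self.transitions = None  # None until load_policy()
        self.sid_to_ctx, self.ctx_to_sid = {}, {}
        self.next_sid = max(self.INITIAL_SIDS.values()) + 1

    @property
    def policy_loaded(self):
        return self.transitions is not None

    def _bind(self, sid, ctx):
        self.sid_to_ctx[sid] = ctx
        self.ctx_to_sid[ctx] = sid

    def load_policy(self, text):
        """Bind every initial SID to the context the policy names for it."""
        sid_contexts, transitions = parse_policy(text)
        missing = set(self.INITIAL_SIDS) - set(sid_contexts)
        if missing:
            raise ValueError("no initial_sid_contexts entry for: %s" % sorted(missing))
        for name, num in self.INITIAL_SIDS.items():
            self._bind(num, sid_contexts[name])
        self.transitions = transitions

    def context_to_sid(self, ctx):
        """Dynamic SID allocation: only possible once a policy is loaded."""
        if not self.policy_loaded:
            raise RuntimeError("no policy loaded; only initial SIDs exist")
        if ctx not in self.ctx_to_sid:
            self._bind(self.next_sid, ctx)
            self.next_sid += 1
        return self.ctx_to_sid[ctx]

    def sid_to_context(self, sid):
        if sid in self.sid_to_ctx:
            return self.sid_to_ctx[sid]
        if sid in self.INITIAL_SIDS.values():
            return None  # known initial SID, but no context until policy load
        raise KeyError("unknown SID %d" % sid)

    def transition_sid(self, task_sid, exec_sid, tclass="process"):
        """SID of a task after execve(): keep the caller's domain unless a
        type_transition rule names a new type (role_transition is ignored)."""
        user, role, ttype = self.sid_to_context(task_sid).split(":", 3)[:3]
        exec_type = self.sid_to_context(exec_sid).split(":", 3)[2]
        new_type = self.transitions.get((ttype, exec_type, tclass), ttype)
        return self.context_to_sid(":".join((user, role, new_type)))


def boot(policy_text):
    """Replay the sequence from the message: the initial task gets the "kernel"
    initial SID, the policy is loaded, and /sbin/init re-executes itself.
    Returns (init's context before re-exec, context after re-exec)."""
    ss = SecurityServer()
    init_task_sid = ss.INITIAL_SIDS["kernel"]        # assigned at kernel init
    assert ss.sid_to_context(init_task_sid) is None  # no context yet
    ss.load_policy(policy_text)
    before = ss.sid_to_context(init_task_sid)
    init_exec_sid = ss.context_to_sid("system_u:object_r:init_exec_t")
    after = ss.sid_to_context(ss.transition_sid(init_task_sid, init_exec_sid))
    return before, after


# Constructed fragments in the shape of initial_sid_contexts plus one
# type_transition rule; not copied from the real strict/targeted policies.
STRICT_POLICY = """
sid kernel    system_u:system_r:kernel_t
sid security  system_u:object_r:security_t
sid unlabeled system_u:object_r:unlabeled_t
type_transition kernel_t init_exec_t:process init_t;
"""

TARGETED_POLICY = """
sid kernel    system_u:system_r:unconfined_t
sid security  system_u:object_r:security_t
sid unlabeled system_u:object_r:unlabeled_t
# no type_transition on init_exec_t: init stays in unconfined_t
"""

if __name__ == "__main__":
    for name, pol in (("strict", STRICT_POLICY), ("targeted", TARGETED_POLICY)):
        before, after = boot(pol)
        print("%-8s init before re-exec: %-30s after: %s" % (name, before, after))
```

The only difference between the two runs is the policy text: the same initial SID number ends up as kernel_t or unconfined_t depending on the initial_sid_contexts entry, and only the strict fragment carries a rule that changes the type on exec of init_exec_t. On a live SELinux system the real outcome of that sequence is what /proc/1/attr/current reports.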