On Wed, 2006-08-02 at 00:19 +0200, Axel Thimm wrote:
> On Tue, Aug 01, 2006 at 09:38:15AM -0400, Stephen Smalley wrote:
> > It would if init were running in kernel_t too. But given that it is
> > running in init_t, I don't understand how its descendants got back to
> > kernel_t. Unless the transition to init_t happened after starting the
> > descendants, e.g. you manually told init to re-exec via telinit.
>
> I didn't do so consciously. I rebooted the system and there is no
> hotplug_t trace anymore in the processes. What I think I missed is the
> reboot after the fixfiles command. But I don't understand how init
> would go back and forth into different security contexts.

I'd guess that init was told to re-exec via telinit u after you
relabeled the filesystem, so that it finally transitioned to the right
domain, but this didn't help already existing descendants of init that
had been spawned while it was still kernel_t (i.e. when you first booted
the system, /sbin/init had the wrong type, so init was left in kernel_t,
then you relabeled, then something told it to re-exec). Performing an
update of libselinux, glibc, or SysVinit would have done a telinit u, I
think.

> Anyway for me I'm happy that the system is in a normal selinux state
> (I hope) and that I can start using selinux in real life (permissive
> for now while learning).

Good, glad it is working now.

-- 
Stephen Smalley
National Security Agency
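An added example, not part of the original message: a small check for the state described above, where init has reached init_t but processes it spawned earlier are still in kernel_t. It assumes a listing in the layout of `ps -eo pid,ppid,label,args`; the sample rows, function names and verdict strings are constructed for illustration.

```python
# Constructed sample in the layout of `ps -eo pid,ppid,label,args`
# (illustrative only, not output from the system discussed above).
SAMPLE_PS = """\
  PID  PPID LABEL                        COMMAND
    1     0 system_u:system_r:init_t     init [5]
    2     1 system_u:system_r:kernel_t   [migration/0]
    3     1 system_u:system_r:kernel_t   [ksoftirqd/0]
  412     1 system_u:system_r:kernel_t   /sbin/udevd -d
 1530     1 system_u:system_r:kernel_t   /usr/sbin/sshd
 1603  1530 system_u:system_r:kernel_t   -bash
 1811     1 system_u:system_r:syslogd_t  syslogd -m 0
"""


def selinux_type(label):
    """Return the type field of user:role:type[:level], or None."""
    parts = label.split(":", 3)  # an MLS level may itself contain ':'
    return parts[2] if len(parts) >= 3 else None


def parse_ps(text):
    """Parse the ps listing into dicts, skipping the header line."""
    procs = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) == 4:
            pid, ppid, label, args = fields
            procs.append({"pid": int(pid), "ppid": int(ppid),
                          "type": selinux_type(label), "args": args})
    return procs


def diagnose(procs):
    """Return (init type, verdict, PIDs of userspace processes in kernel_t)."""
    # Kernel threads belong in kernel_t; ps prints them as [name]. This is a
    # heuristic, since a process can rewrite its own argv.
    stale = [p["pid"] for p in procs if p["type"] == "kernel_t"
             and not (p["args"].startswith("[") and p["args"].endswith("]"))]
    init_type = next((p["type"] for p in procs if p["pid"] == 1), None)
    if init_type == "kernel_t":
        verdict = "init-unlabeled"   # /sbin/init had the wrong type at boot
    elif stale:
        verdict = "stale-children"   # spawned before init re-exec'd: reboot
    else:
        verdict = "ok"
    return init_type, verdict, stale


if __name__ == "__main__":
    print(diagnose(parse_ps(SAMPLE_PS)))
```

A "stale-children" verdict matches the situation in this thread: the domain transition only happens at exec, so the already-running descendants keep kernel_t until the system is rebooted.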