On 01/14/2012 10:46 AM, Chris PeBenito wrote:
> On 1/14/2012 9:34 AM, Sven Vermeulen wrote:
>> On Sat, Jan 14, 2012 at 03:20:02PM +0100, Sven Vermeulen wrote:
>>> An initramfs' /init will run in the kernel_t domain (and
>>> unconfined until load_policy is called?)
>>
>> Not unconfined, permissive.
>
> It will run in the kernel initial SID ("kernel") until a policy is
> loaded. Before the policy is loaded, it isn't permissive per se,
> as there is nothing to enforce. SELinux is disabled in the "no
> policy loaded" sense (as opposed to the kernel command line
> selinux=0, unregistered SELinux LSM sense). Once the policy is
> loaded, all of the labels will be set based on their initial SID;
> thus, the "kernel"-labeled processes get the kernel initial SID in
> the policy, kernel_t, and the initial enforcing/permissive state
> will be set based on the kernel command line enforcing= option,
> /etc/selinux/config, or kernel compiled-in default.
>

In RHEL and Fedora, we relabel the parts of /dev that are created in the initramfs and restart udev so it is a child of init/systemd.

--
This message was distributed to subscribers of the selinux mailing list.
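The thread lists three sources for the initial enforcing/permissive state once the policy is loaded: the kernel command line `enforcing=` option, `/etc/selinux/config`, and the compiled-in default. The script below is an added illustration (not code from this thread, from libselinux or from any distribution's initramfs) of how an early-boot tool would resolve that precedence. It assumes the order command line > config file > compiled default, and treats `selinux=0` on the command line as the "LSM never registered" case the reply distinguishes; the `SAMPLE_*` inputs are constructed, not captured from a real host.

```python
"""Resolve the initial SELinux state from the kernel command line,
/etc/selinux/config and a compiled-in default.

Added example for the selinux list thread above; not libselinux code.
Assumed precedence: cmdline selinux=0 > cmdline enforcing= >
SELINUX= in /etc/selinux/config > compiled-in default."""

# Constructed sample inputs (not from a real machine).
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet enforcing=0"
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""

VALID_MODES = ("disabled", "permissive", "enforcing")


def parse_cmdline(cmdline: str) -> dict:
    """Split a kernel command line into key/value pairs.

    Bare words (e.g. 'ro', 'quiet') map to None so callers can tell
    'enforcing' with no value apart from 'enforcing=1'."""
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def parse_selinux_config(text: str) -> dict:
    """Parse /etc/selinux/config style KEY=value lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def initial_selinux_state(cmdline: str, config_text: str,
                          compiled_default: str = "permissive") -> str:
    """Return 'disabled', 'permissive' or 'enforcing' for this boot.

    selinux=0 on the command line wins outright: the LSM is never
    registered, so no policy can be loaded at all. Otherwise the config
    file picks the mode, and a command-line enforcing=0/1 overrides it,
    unless the config has opted out of loading a policy entirely."""
    params = parse_cmdline(cmdline)
    if params.get("selinux") == "0":
        return "disabled"

    conf = parse_selinux_config(config_text)
    mode = conf.get("SELINUX", compiled_default).lower()
    if mode not in VALID_MODES:
        # Unknown or malformed SELINUX= value: fall back to the default
        # rather than guessing; an init script would log this.
        mode = compiled_default

    override = params.get("enforcing")
    if mode != "disabled" and override in ("0", "1"):
        mode = "enforcing" if override == "1" else "permissive"
    return mode


if __name__ == "__main__":
    # The constructed config says enforcing, but the command line says
    # enforcing=0, so this boot comes up permissive.
    print(initial_selinux_state(SAMPLE_CMDLINE, SAMPLE_CONFIG))
```

The override rule is the part worth checking on a real system: an `enforcing=0` that survives in a bootloader entry silently turns an enforcing configuration permissive, so a boot-time health check should compare the resolved mode against what `/etc/selinux/config` says and flag any mismatch.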