On 9/10/19 7:04 AM, Srivatsa Vaddagiri wrote:
>> The more complicated scenario is tasks created before initial policy
>> load, because those may not be assigned the correct security context.
>
> I think we may be interested in that case (tasks created before
> initial policy load). Would those tasks' operations
> fail when subsequently selinux policies are loaded and mode set to enforcing?

Tasks created before initial policy load will be running in the kernel
SID and hence once policy has loaded they will have the kernel context.
Thus, they can perform whatever actions are allowed to the kernel
context in the policy. In the case of the init process, it switches
from the kernel context into the init context by either re-exec'ing
itself after policy load or by dynamically setting its context via
setcon(3) after policy load.
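
A check for the situation described above, added here as an example and not part of the original message: it lists userspace tasks that still carry the kernel domain type after policy load, meaning they neither re-exec'd nor called setcon(3). It assumes the kernel initial SID maps to the type `kernel_t` (as in the reference policy) and that kernel threads can be recognised by an empty `/proc/<pid>/cmdline`; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: find userspace tasks left in the kernel context.
# Assumptions: kernel domain type is "kernel_t" (pass another type name as
# the second argument if the policy differs); kernel threads have an empty
# cmdline and are expected to stay in the kernel context, so they are skipped.

# usage: kernel_ctx_tasks [proc_root] [kernel_type]
# prints: "<pid> <comm> <context>" for each matching userspace task
kernel_ctx_tasks() {
    proc_root=${1:-/proc}
    ktype=${2:-kernel_t}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/attr/current" ] || continue
        # attr/current may be NUL-terminated; strip NUL and newline.
        ctx=$(tr -d '\000\n' 2>/dev/null < "$dir/attr/current") || continue
        # Context format is user:role:type[:range]; the type is field 3.
        ctype=$(printf '%s' "$ctx" | cut -d: -f3)
        [ "$ctype" = "$ktype" ] || continue
        # /proc files report size 0, so read cmdline instead of testing -s.
        cmd=$(tr -d '\000' 2>/dev/null < "$dir/cmdline") || continue
        [ -n "$cmd" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || comm='?'
        printf '%s %s %s\n' "${dir##*/}" "$comm" "$ctx"
    done
}

# Typical call on a live system, after policy load:
#   kernel_ctx_tasks /proc kernel_t
```

Any task it reports is limited to whatever the policy allows the kernel context, as the reply explains.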