On 7/17/20 3:36 AM, Paul Moore wrote:
> On Thu, Jul 16, 2020 at 8:18 AM Dominick Grift
> <dominick.grift@xxxxxxxxxxx> wrote:
>>
>> Elaborate on labeling. Touch on the significance of the default statement, on various av permissions related to labeling using the libselinux API, and on how the kernel and unlabeled initial security identifiers are used to address labeling challenges in special cases such as initialization and failover respectively.
>>
<snip>
> The same holds true
> for the "kernel" isid as a subject label, in cases where you see the
> "kernel" isid as a subject, it is actually the kernel acting on
> something.
> Thanks

In my experience, processes other than kernel threads can end up associated with the kernel sid. One notable example is plymouthd, which is run from the initramfs and will still be there for a short while after systemd/init loads policy. But AFAIK any process that is started from the initramfs and that persists after policy is loaded essentially ends up with the kernel isid.

So even though practically it is generally the kernel threads that remain visibly associated with the kernel sid to the naked eye, in actuality it in my experience boils down to "subjects that were left unlabeled due to system initialization", whether it's the kernel or some long-running process started before SELinux was initialized.
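A defender-side check for the situation described in this reply, added here as an example (not code from the thread or from the SELinux project): it lists processes carrying the kernel SID's context that are not kernel threads, i.e. user-space programs left unlabeled because they started from the initramfs before policy load. It assumes the kernel initial SID maps to the type `kernel_t` (true for the reference policy) and that kernel threads are recognisable by an empty `/proc/<pid>/cmdline`; the sample process list is constructed.

```python
import os
from typing import Dict, List

KERNEL_TYPE = "kernel_t"  # assumption: type the "kernel" isid resolves to in refpolicy


def is_kernel_context(context: str) -> bool:
    """True if the type field of a user:role:type[:level] context is the kernel type."""
    fields = context.strip().split(":")
    return len(fields) >= 3 and fields[2] == KERNEL_TYPE


def find_stray_kernel_sid(procs: List[Dict[str, str]]) -> List[int]:
    """Return PIDs that run under the kernel SID but are not kernel threads.

    Kernel threads legitimately carry the kernel SID; a process with a real
    command line in that context is one that early boot left unlabeled."""
    stray = []
    for p in procs:
        if not is_kernel_context(p["context"]):
            continue
        if p["cmdline"] == "":
            continue  # empty cmdline: kernel thread, expected to have kernel SID
        stray.append(int(p["pid"]))
    return sorted(stray)


def read_proc() -> List[Dict[str, str]]:
    """Collect pid, SELinux context and cmdline for every process (live use)."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/attr/current", "rb") as f:
                ctx = f.read().rstrip(b"\0").decode()
            with open(f"/proc/{name}/cmdline", "rb") as f:
                cmd = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
        except OSError:
            continue  # process exited, or /proc/<pid>/attr not available
        out.append({"pid": name, "context": ctx, "cmdline": cmd})
    return out


# Constructed sample: plymouthd from the initramfs outlived policy load.
SAMPLE = [
    {"pid": "1", "context": "system_u:system_r:init_t:s0", "cmdline": "/usr/lib/systemd/systemd"},
    {"pid": "2", "context": "system_u:system_r:kernel_t:s0", "cmdline": ""},
    {"pid": "15", "context": "system_u:system_r:kernel_t:s0", "cmdline": ""},
    {"pid": "312", "context": "system_u:system_r:kernel_t:s0", "cmdline": "/usr/sbin/plymouthd --mode=boot"},
    {"pid": "640", "context": "system_u:system_r:sshd_t:s0", "cmdline": "/usr/sbin/sshd -D"},
]

if __name__ == "__main__":
    print("stray kernel-SID processes:", find_stray_kernel_sid(SAMPLE))
```

On a live system replace `SAMPLE` with `read_proc()`; any PID reported is a candidate for the "left unlabeled by initialization" case rather than the kernel acting on something.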