On Sun, Jul 19, 2020 at 5:45 AM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote: > > Elaborate on labeling. Touch on the significance of the default statement, on various av permissions related to labeling using the libselinux API, and on how the kernel and unlabeled initial security identifiers are used to address labeling challenges in special cases such as initialization and failover respectively. > > Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxxxx> > --- > diff --git a/src/objects.md b/src/objects.md > index 58664ef..d27f881 100644 > --- a/src/objects.md > +++ b/src/objects.md > + policy's approval of course) using the **libselinux** API > + functions. The `process setfscreate` access vector can be used to process setfscreate is a permission. An access vector is a set of permissions. The access vector definitions in the policy specify the set of permissions associated with each class. 
> @@ -269,6 +275,23 @@ and manage their transition: > > `type_transition`, `role_transition` and `range_transition` > > +SELinux-aware applications can enforce a new label (with the policy's I don't think you originated this language but technically it should be "can assign a new label" or "specify a particular label" or similar, not "enforce a new label". > +The `kernel` **initial security identifier** is used to associate > +specified a label with subjects that were left unlabeled due to > +system initialization, for example kernel threads. The kernel SID is used for kernel objects, including kernel threads (both those that are created during initialization but also kernel threads created later), kernel-private sockets, synthetic objects representing kernel resources (e.g. the "system" class), etc. It is true that processes created prior to initial policy load will also be in the kernel SID until/unless there is a policy loaded and either a policy-defined transition or an explicit setcon or setexeccon+execve, but that's just the typical default inheritance from creating task behavior for processes. > + > +The `unlabeled` **initial security identifier** is used > +to associate a specified label with subjects that had their label > +invalidated due to policy changes at runtime. It is also assigned as the initial state for various objects e.g. inodes, superblocks, etc until they reach a point where a more specific label can be determined e.g. from an xattr or from policy. The context associated with the unlabeled SID is used as the fallback context for both subjects and objects when their label is invalidated by a policy reload (their SID is unchanged but the SID is transparently remapped to the unlabeled context).
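Review bot: In the `@@ -269,6 +275,23 @@` hunk the added line `+specified a label with subjects that were left unlabeled due to` has its words out of order; read together with the preceding `+The \`kernel\` **initial security identifier** is used to associate` it should say "is used to associate a specified label with subjects that were left unlabeled". The same hunk limits the `kernel` SID to subjects left unlabeled at initialization and the `unlabeled` SID to subjects whose label was invalidated by policy changes, whereas the neighbouring added text (`+SELinux-aware applications can enforce a new label (with the policy's`) is about labeling generally; suggest wording both paragraphs so they cover objects as well as subjects, and describing the `unlabeled` SID as the fallback context that a stale SID is mapped to after a policy reload rather than as a relabel of the subject. Finally, "enforce a new label" in that hunk reads as if the application overrides policy; "assign" or "specify" a label, subject to the policy's permission checks, is the accurate verb.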