Re: [SELinux-notebook PATCH v8] objects.md: some clarifications

On Tue, Jul 21, 2020 at 4:03 PM Dominick Grift
<dominick.grift@xxxxxxxxxxx> wrote:
>
> Elaborate on labeling. Touch on the significance of the default statement, on various av permissions related to labeling using the libselinux API, and on how the kernel and unlabeled initial security identifiers are used to address labeling challenges in special cases such as initialization and failover respectively.
>
> Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxxxx>
> ---

> diff --git a/src/objects.md b/src/objects.md
> index 58664ef..1907316 100644
> --- a/src/objects.md
> +++ b/src/objects.md
> @@ -269,6 +275,39 @@ and manage their transition:
> +The `kernel` **initial security identifier** is used to associate
> +a specified label with kernel objects, including kernel threads
> +(both those that are created during initialization but also kernel
> +threads created later), kernel-private sockets, synthetic objects

      ^^and^^

> +representing kernel resources (e.g. the "system" class).
> +
> +It is true that processes created prior to initial policy load will
> +also be in the kernel SID until/unless there is a policy loaded and
> +either a policy-defined transition or an explicit setcon or
> +setexeccon+execve, but that's just the typical default inheritance
> +from creating task behavior for processes.
> +
> +The `unlabeled` **initial security identifier** is used
> +to associate a specified label with subjects that had their label
> +invalidated due to policy changes at runtime.
> +
> +It is also assigned as the initial state for various objects e.g.
> +inodes, superblocks, etc until they reach a point where a more
> +specific label can be determined e.g. from an xattr or from policy.
> +The context associated with the unlabeled SID is used as the fallback
> +context for both subjects and objects when their label is invalidated
> +by a policy reload (their SID is unchanged but the SID is
> +transparently remapped to the unlabeled context).
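Review bot: the second paragraph of this hunk ("It is true that processes created prior to initial policy load will also be in the kernel SID until/unless ... but that's just the typical default inheritance from creating task behavior") reads as a mailing-list reply rather than reference documentation; suggest restating it declaratively, e.g. "Processes created before the initial policy load also run in the kernel SID until a policy is loaded and either a policy-defined transition or an explicit setcon or setexeccon+execve changes it; this is the normal inheritance of the creating task's label." In the same pass, "both those that are created during initialization but also kernel threads created later" should read "both ... and", and `setcon`/`setexeccon` should be set in backticks to match the `kernel` and `unlabeled` identifiers used elsewhere in the hunk.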

There is some redundancy between the last sentence of the last
paragraph above and the preceding paragraph; the last sentence notes
that it is used for both subjects and objects (not just subjects as in
the preceding paragraph) and that it is technically the context
associated with the unlabeled SID that is used for invalidated SIDs,
not the SID itself.  The unlabeled SID itself is used as per the 1st
sentence of the last paragraph above.
