On Wed, 2004-11-24 at 15:47 -0800, Karsten Wade wrote:
> My question about the targeted policy presumes that init re-execs itself
> after loading the policy, whereby it picks up the unconfined_t domain
> from the policy, as defined by a rule in
> /etc/selinux/targeted/src/policy/domains/unconfined.te.
>
> role system_r types unconfined_t;

This just authorizes a role for a type; it doesn't define anything
related to init.

> What rule tells init to re-exec itself in the targeted policy?

Nothing in the policy tells init to re-exec itself; the code just does
it. Do you mean, how does init get the unconfined_t type? See:

> In the strict policy there is an explicit transition rule for init. The
> file programs/misc/kernel.te has this rule:
>
> domain_auto_trans(kernel_t, init_exec_t, init_t)
>
> In the targeted policy, kernel.te is in domains/misc/unused, so is not
> called into play. Correct?

Well, kernel_t is actually an alias for init_t in targeted policy,
according to apol. The kernel starts out as unconfined_t, in my reading
of initial_sid_contexts:

sid kernel user_u:system_r:unconfined_t

Thus there is no transition at all in targeted policy.
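The reasoning in the reply above, worked through as a small added example (not part of the thread and not the real Fedora policy sources): the constructed fragments below contain only the three kinds of lines that decide which domain init ends up in, namely the `sid kernel` initial context, `typealias` lines such as the one that makes `kernel_t` an alias of `init_t`, and `domain_auto_trans` rules; the file contents are assumed for illustration.

```python
import re

# Constructed policy fragments modelled on the thread, not the real files.
STRICT_POLICY = """
sid kernel system_u:system_r:kernel_t
domain_auto_trans(kernel_t, init_exec_t, init_t)
"""

TARGETED_POLICY = """
typealias init_t alias kernel_t;
sid kernel user_u:system_r:unconfined_t
"""


def parse_policy(text):
    """Extract the kernel's initial type, alias map and exec transitions."""
    kernel_type = None
    aliases = {}          # alias name -> real type
    transitions = []      # (source domain, entrypoint type, target domain)
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"sid\s+kernel\s+\S+:\S+:(\w+)$", line)
        if m:
            kernel_type = m.group(1)
            continue
        m = re.match(r"typealias\s+(\w+)\s+alias\s+(\w+)\s*;", line)
        if m:
            aliases[m.group(2)] = m.group(1)
            continue
        m = re.match(r"domain_auto_trans\((\w+),\s*(\w+),\s*(\w+)\)", line)
        if m:
            transitions.append(m.groups())
    return kernel_type, aliases, transitions


def init_domain(text):
    """Domain /sbin/init runs in once the kernel execs it under this policy."""
    kernel_type, aliases, transitions = parse_policy(text)
    canon = lambda t: aliases.get(t, t)   # resolve aliases to the real type
    for src, entry, dst in transitions:
        # A rule only fires if its source matches the domain doing the exec.
        if canon(src) == canon(kernel_type) and entry == "init_exec_t":
            return canon(dst)
    # No matching rule: init simply inherits the kernel's initial type.
    return kernel_type
```

Adding the strict policy's transition rule to the targeted fragment changes nothing, because its source `kernel_t` resolves to `init_t`, which is not the `unconfined_t` the kernel actually starts in.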