On Mon, 2004-11-29 at 06:28, Stephen Smalley wrote:
On Wed, 2004-11-24 at 18:47, Karsten Wade wrote:
> Which one of these paths, if any, is leading in the right direction?
There are a set of predefined SIDs (called initial SIDs) used for
bootstrapping prior to initial policy load. When SELinux first
initializes (during kernel initialization, well before policy load), the
kernel assigns the initial task the "kernel" initial SID. Later, when
the policy is loaded, the initial SIDs are mapped to security contexts
in the policy via the initial_sid_contexts configuration, and the kernel
can begin to get SIDs dynamically from the security server. In the
strict policy, the "kernel" initial SID maps to kernel_t, and the policy
defines a transition from kernel_t to init_t upon execution of
init_exec_t, so when /sbin/init re-executes itself after loading policy,
it transitions to init_t. In the targeted policy, the "kernel" initial
SID maps to unconfined_t, and there is no transition defined in the
targeted policy upon executing init_exec_t, so /sbin/init remains in
unconfined_t even after the re-exec.
Excellent, thank you, that makes perfect sense.
- Karsten
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41