* learning about policies/transitions
@ 2004-11-03 16:45 Serge Hallyn
2004-11-03 19:29 ` Stephen Smalley
From: Serge Hallyn @ 2004-11-03 16:45 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 1156 bytes --]
Hi,
I've been trying (on and off for some time) to get a very simple
test policy working on a FC2 selinux system. I just want it to have
the following types:
boot_d: default domain
login_d: domain automatically entered by /bin/login
user_d: domain voluntarily entered by login_d
obj_t: type for all fs objects
login_et: type for /bin/login
The policy files are attached. I did
checkpolicy -o basic.bin basic.pol
cp basic.bin /etc/security/selinux/policy.17
(boot with selinux=0)
setfiles basic.ctx /
Doing these same steps with /etc/security/selinux/src/policy/policy.conf
and /etc/security/selinux/src/policy/file_contexts/file_contexts
results in a working selinux system.
With my basic policy, though, boot_d will not transition to login_d
on execution of /bin/login. ls -Z /bin/login shows that it is labeled
as login_et. Since logging in doesn't work, I test by booting single
user mode, and running
ps -Z
[everything is running under boot_d]
/bin/login & ps -Z
[login is running under boot_d]
What am I missing in the policy that would enable this automatic
domain transition to happen?
thanks,
-serge
[-- Attachment #2: basic.pol --]
[-- Type: application/octet-stream, Size: 10411 bytes --]
#SELinux Policy:
#Modules applied: basic
#Security Object classes
#
# A `class` line here only declares the class name; the permissions of each
# class are defined in the "Access vectors" section further down. The
# position of a line fixes the class's numeric index, and a kernel of this
# era (no dynamic class mapping) expects that index to match its built-in
# Flask table, so these lines must not be reordered or removed -- including
# the network, IPC, X and passwd classes this test policy never grants
# anything for.
class security
class process
class system
class capability
# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc
#
# userspace object manager classes
#
# passwd/chfn/chsh
class passwd
# SE-X Windows stuff
class drawable
class window
class gc
class font
class colormap
class property
class cursor
class xclient
class xinput
class xserver
class xextension
#Initial sids
# FLASK
#line 1 "flask/initial_sids"
# FLASK
#
# Define initial security identifiers
#
# An initial SID names something the kernel has to label before (or
# independently of) any policy rule: the first task, the security
# filesystem, objects that could not be labeled, the default for files
# that carry no label, and so on. Position fixes the SID number the kernel
# uses, so keep the order; the context each one gets is assigned under
# "Initial sid contexts" at the end of the policy.
sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull
#Access vectors
#
# Permission definitions. A `common` block is a reusable permission set that
# classes pull in with `inherits`; a `class` block lists the permissions
# specific to that class. As with the class list, the order of the names
# inside a block fixes the bit each permission occupies (the capability
# block below says so explicitly), so do not reorder them.
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
unlink
link
rename
execute
swapon
quotaon
mounton
}
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
recv_msg
send_msg
name_bind
}
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
transition
associate
quotamod
quotaget
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
}
# Regular files: besides the common file set, `entrypoint` is the permission
# checked on the NEW domain's side of a domain transition (the rules section
# grants it to login_d on login_et), while `execute_no_trans` covers running
# the file without leaving the caller's domain.
class file
inherits file
{
execute_no_trans
entrypoint
}
class lnk_file
inherits file
class chr_file
inherits file
class blk_file
inherits file
class sock_file
inherits file
class fifo_file
inherits file
# File descriptors are labeled with the domain of the process that created
# them, so `fd use` rules are written between domains, not against file types.
class fd
{
use
}
class socket
inherits socket
class tcp_socket
inherits socket
{
connectto
newconn
acceptfrom
node_bind
}
class udp_socket
inherits socket
{
node_bind
}
class rawip_socket
inherits socket
{
node_bind
}
class node
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
enforce_dest
}
class netif
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
newconn
acceptfrom
}
class unix_dgram_socket
inherits socket
# `transition` is checked between the old and the new domain whenever a
# process changes domain (automatically via type_transition or explicitly).
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
}
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
# Operations on the security server itself (target is the `security` initial
# SID). A domain holding load_policy or setenforce can replace the policy or
# switch enforcement off, so these two decide whether anything else in the
# policy is actually binding.
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
}
class capability
{
# The capabilities are defined in include/linux/capability.h
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
}
class passwd
{
passwd
chfn
chsh
rootok
}
class drawable
{
create
destroy
draw
copy
getattr
}
class gc
{
create
free
getattr
setattr
}
class window
{
addchild
create
destroy
map
unmap
chstack
chproplist
chprop
listprop
getattr
setattr
setfocus
move
chselection
chparent
ctrllife
enumerate
transparent
mousemotion
clientcomevent
inputevent
drawevent
windowchangeevent
windowchangerequest
serverchangeevent
extensionevent
}
class font
{
load
free
getattr
use
}
class colormap
{
create
free
install
uninstall
list
read
store
getattr
setattr
}
class property
{
create
free
read
write
}
class cursor
{
create
createglyph
free
assign
setattr
}
class xclient
{
kill
}
class xinput
{
lookup
getattr
setattr
setfocus
warppointer
activegrab
passivegrab
ungrab
bell
mousemotion
relabelinput
}
class xserver
{
screensaver
gethostlist
sethostlist
getfontpath
setfontpath
getattr
grab
ungrab
}
class xextension
{
query
use
}
# ---- Types, roles and rules of the test policy ----
#
# Object types (labels for files). NOTE(review): per the reply in this
# thread, object types should carry object_r in file contexts rather than the
# process role system_r; see the role lines below.
type obj_t;
type secret_t;
type login_et;
type shell_t;
# Domains (process types): boot_d is the initial domain (it is the context of
# `sid kernel`), login_d is entered automatically on exec of a login_et file,
# and user_d is entered voluntarily from login_d.
type boot_d;
type login_d;
type user_d;
# A role must be authorized for every type that appears next to it in a
# context. The first four lines authorize system_r for object types only
# because the contexts in this file (initial SIDs, fs_use, genfscon) label
# objects as system_u:system_r:<type>; with object_r, which needs no
# authorization, they would be unnecessary.
role system_r types obj_t;
role system_r types secret_t;
role system_r types login_et;
role system_r types shell_t;
role system_r types boot_d;
role system_r types login_d;
role system_r types user_d;
# Caller's half of the boot_d -> login_d transition: boot_d may run a
# login_et file (/bin/login). The other half is near the end of this section.
allow boot_d login_et:file { read execute getattr };
# NOTE(review): a file descriptor is labeled with the domain of the process
# that opened it, not with a file type (reply in this thread), so this rule
# and the other two `:fd use` rules on login_et/obj_t below never match
# anything. For descriptors inherited across the transition the relevant
# form would be `allow login_d boot_d:fd use`.
allow boot_d login_et:fd use ;
# The security-class target is the `security` initial SID, which is obj_t
# here. NOTE(review): load_policy and setenforce are granted to all three
# domains, so any of them can replace the policy or turn enforcement off;
# fine for a learning policy, but it means none of the rules below can be
# relied on against a compromised domain.
allow user_d obj_t:security { compute_av load_policy compute_create compute_relabel compute_user setenforce setbool compute_member check_context };
# passwd-class decisions are made by the passwd/chfn/chsh programs themselves
# (userspace object manager), not by the kernel.
allow user_d obj_t:passwd { passwd chsh rootok chfn };
allow boot_d shell_t:file { read execute getattr };
# user_d gets the complete file permission set on secret_t, including
# relabelfrom/relabelto and execute; no other domain is given any access to
# secret_t.
allow user_d secret_t:file { append create entrypoint getattr relabelfrom ioctl link lock mounton rename quotaon swapon setattr read unlink relabelto write execute_no_trans execute };
allow boot_d obj_t:security { compute_av load_policy compute_create compute_relabel compute_user setenforce setbool compute_member check_context };
allow boot_d obj_t:passwd { passwd chsh rootok chfn };
allow login_d shell_t:file { read execute getattr };
allow user_d shell_t:file { read execute getattr };
allow user_d login_et:file { read execute getattr };
allow login_d obj_t:security { compute_av load_policy compute_create compute_relabel compute_user setenforce setbool compute_member check_context };
allow login_d obj_t:passwd { passwd chsh rootok chfn };
allow login_d login_et:file { read execute getattr };
# Callee's half of the automatic transition: the new domain must be allowed
# to be entered through this file.
allow login_d login_et:file entrypoint;
allow login_d login_et:fd use;
# NOTE(review): login_d may read/execute ordinary obj_t files but boot_d is
# given no obj_t:file permissions at all (only obj_t:dir below), so in
# enforcing mode boot_d could not run anything other than login_et and
# shell_t files; the single-user test in this thread was presumably done
# in permissive mode -- confirm.
allow login_d obj_t:file { read execute getattr };
# Directory search on obj_t is what makes path lookups work for these two
# domains.
allow login_d obj_t:dir { read getattr lock search ioctl };
allow boot_d obj_t:dir { read getattr lock search ioctl };
# NOTE(review): there is no matching obj_t:dir rule for user_d, so in
# enforcing mode user_d could not look up paths under obj_t directories --
# probably an omission given the two rules above.
allow login_d obj_t:fd use;
# Entry point for the voluntary login_d -> user_d transition (shells).
allow user_d shell_t:file entrypoint;
# boot_d -> login_d: the old domain must be allowed to transition to the new
# one, and the type_transition makes the change happen automatically on exec
# of a login_et file. Together with the execute and entrypoint rules above
# this is the whole automatic transition; the reply in this thread confirms
# the policy is sufficient for it, and the failure reported here was traced
# to a stale in-core inode SID rather than to these rules.
allow boot_d login_d:process transition;
type_transition boot_d login_et:process login_d;
# login_d -> user_d has no type_transition, so login_d has to request it
# explicitly for the exec; that would additionally need `process setexec`
# on login_d itself, which does not appear to be granted here -- verify.
allow login_d user_d:process transition;
#Initial sid contexts
# One SELinux user carrying the one role; the role lines above authorize
# system_r for every type, which is what makes the system_r contexts below
# valid.
user system_u roles system_r;
# The first kernel task and, until a transition fires, everything it forks
# run as boot_d -- the `ps -Z` output quoted in this thread shows every
# process under boot_d.
sid kernel system_u:system_r:boot_d
# Every other initial SID collapses onto obj_t. NOTE(review): these are
# objects, so object_r would be the conventional role (the reply in this
# thread: object types should not be authorized for system_r). Note also
# that `unlabeled` and the general object type coincide here, so an inode
# whose in-core SID fell back to unlabeled (the situation diagnosed in this
# thread) is indistinguishable from an ordinary obj_t file to the rules
# above, and no type_transition fires for it.
sid security system_u:system_r:obj_t
sid unlabeled system_u:system_r:obj_t
sid fs system_u:system_r:obj_t
sid file system_u:system_r:obj_t
sid file_labels system_u:system_r:obj_t
sid init system_u:system_r:obj_t
sid any_socket system_u:system_r:obj_t
sid port system_u:system_r:obj_t
sid netif system_u:system_r:obj_t
sid netmsg system_u:system_r:obj_t
sid node system_u:system_r:obj_t
sid igmp_packet system_u:system_r:obj_t
sid icmp_socket system_u:system_r:obj_t
sid tcp_socket system_u:system_r:obj_t
sid sysctl_modprobe system_u:system_r:obj_t
sid sysctl system_u:system_r:obj_t
sid sysctl_fs system_u:system_r:obj_t
sid sysctl_kernel system_u:system_r:obj_t
sid sysctl_net system_u:system_r:obj_t
sid sysctl_net_unix system_u:system_r:obj_t
sid sysctl_vm system_u:system_r:obj_t
sid sysctl_dev system_u:system_r:obj_t
sid kmod system_u:system_r:obj_t
sid policy system_u:system_r:obj_t
sid scmp_packet system_u:system_r:obj_t
sid devnull system_u:system_r:obj_t
# ext2 filesystems take per-file labels from the security.selinux xattr.
# NOTE(review): only ext2 is declared; if the root filesystem is ext3 it
# needs an fs_use_xattr line of its own -- confirm the filesystem type in
# use. Files with no xattr presumably fall back to the `file` initial SID
# (obj_t above) -- verify.
fs_use_xattr ext2 system_u:system_r:obj_t;
#non-xattr, non-persistent filesystems
# genfscon gives every object on these filesystems the one listed context.
genfscon proc / system_u:system_r:obj_t
genfscon sysfs / system_u:system_r:obj_t
genfscon selinuxfs / system_u:system_r:obj_t
[-- Attachment #3: basic.ctx --]
[-- Type: application/octet-stream, Size: 244 bytes --]
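# basic.ctx -- file_contexts for the basic test policy: one
# "<path regex> <context>" entry per line, consumed by setfiles.
# Files are objects, so their contexts carry object_r rather than the process
# role system_r: an object context with object_r needs no role authorization
# in the policy, and using system_r for files was one of the oddities pointed
# out in the reply to this thread (whose suggested fix was
# `setfilecon system_u:object_r:login_et /bin/login`).
/bin/login system_u:object_r:login_et
/bin/sh system_u:object_r:shell_t
/bin/csh system_u:object_r:shell_t
/bin/tcsh system_u:object_r:shell_t
/secret_file system_u:object_r:secret_t
# Catch-alls: the root directory itself and everything below it.
# NOTE(review): setfiles applies the last matching entry, so a trailing
# catch-all such as /.+ can shadow the specific entries above it; this thread
# reports that /bin/login still came out as login_et, so confirm with
# `ls -Z` after relabeling rather than relying on this order.
/ system_u:object_r:obj_t
/.+ system_u:object_r:obj_t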
* Re: learning about policies/transitions
2004-11-03 16:45 learning about policies/transitions Serge Hallyn
@ 2004-11-03 19:29 ` Stephen Smalley
2004-11-04 16:20 ` Serge Hallyn
From: Stephen Smalley @ 2004-11-03 19:29 UTC (permalink / raw)
To: Serge Hallyn; +Cc: selinux
On Wed, 2004-11-03 at 11:45, Serge Hallyn wrote:
> With my basic policy, though, boot_d will not transition to login_d
> on execution of /bin/login. ls -Z /bin/login shows that it is labeled
> as login_et. Since logging in doesn't work, I test by booting single
> user mode, and running
>
> ps -Z
> [everything is running under boot_d]
> /bin/login & ps -Z
> [login is running under boot_d]
>
> What am I missing in the policy that would enable this automatic
> domain transition to happen?
Your policy looks sufficient for that purpose, although there are some
oddities in it (e.g. you shouldn't be authorizing system_r for object
types, you should be using object_r in file contexts, a file descriptor
is not labeled with a file type). A possible explanation would be an
inconsistency between the on-disk xattr and the incore inode SID, e.g.
type wasn't defined at the time that the inode was attached to a
dentry. Try setfilecon system_u:object_r:login_et /bin/login and then
re-trying. setfiles and chcon tend to not bother setting the context if
it already appears to be correct, but they only can see the on-disk
xattr via the xattr API, not the incore inode context.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: learning about policies/transitions
2004-11-03 19:29 ` Stephen Smalley
@ 2004-11-04 16:20 ` Serge Hallyn
2004-11-04 17:11 ` Stephen Smalley
From: Serge Hallyn @ 2004-11-04 16:20 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
Ah, running setfilecon worked.
I don't understand why, though. The security.selinux xattr (as given by
getxattr(2)) looked the same before and after. What else is being changed
by setfilecon?
Thanks!
-serge
> Your policy looks sufficient for that purpose, although there are some
> oddities in it (e.g. you shouldn't be authorizing system_r for object
> types, you should be using object_r in file contexts, a file descriptor
> is not labeled with a file type). A possible explanation would be an
> inconsistency between the on-disk xattr and the incore inode SID, e.g.
> type wasn't defined at the time that the inode was attached to a
> dentry. Try setfilecon system_u:object_r:login_et /bin/login and then
> re-trying. setfiles and chcon tend to not bother setting the context if
> it already appears to be correct, but they only can see the on-disk
> xattr via the xattr API, not the incore inode context.
>
> --
> Stephen Smalley <sds@epoch.ncsc.mil>
> National Security Agency
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: learning about policies/transitions
2004-11-04 16:20 ` Serge Hallyn
@ 2004-11-04 17:11 ` Stephen Smalley
2004-11-05 2:23 ` Serge Hallyn
From: Stephen Smalley @ 2004-11-04 17:11 UTC (permalink / raw)
To: Serge Hallyn; +Cc: selinux
On Thu, 2004-11-04 at 11:20, Serge Hallyn wrote:
> Ah, running setfilecon worked.
>
> I don't understand why, though. The security.selinux xattr (as given by
> getxattr(2)) looked the same before and after. What else is being changed
> by setfilecon?
The incore inode SID. setfilecon(1) unconditionally calls
setfilecon(3), which invokes setxattr(2), which will invoke the
post_setxattr hook and update the incore inode SID. setfiles and/or
chcon would have just looked at the existing on-disk xattr value (via
getfilecon(3)->getxattr(2)), seen that the on-disk xattr was already
correct, and not bothered to call setfilecon(3), so the incore inode SID
wasn't being updated by those programs. I think RedHat is/has added an
option to chcon(1) to force the call to setfilecon(3) regardless of its
current value. Perhaps setfiles(1) should unconditionally call
setfilecon(3) too.
This is an unfortunate side effect of using the xattr API (vs. the
original SELinux API, which directly fetched the incore inode SID and
returned it to the caller), because the xattr API always consults the
filesystem and reports the on-disk xattr. SELinux maps the on-disk
xattr to a SID at the time of d_instantiate, but if the on-disk xattr is
invalid at that time (e.g. type isn't defined in the policy), then the
inode SID is left unlabeled and it requires an explicit setxattr(2) to
correct.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: learning about policies/transitions
2004-11-04 17:11 ` Stephen Smalley
@ 2004-11-05 2:23 ` Serge Hallyn
2004-11-05 12:26 ` Stephen Smalley
From: Serge Hallyn @ 2004-11-05 2:23 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
Addendum: running setfilecon works once. After each reboot, I must again run
setfilecon before /bin/login will cause the transition to login_d.
Again, running
/bin/ls -Z /bin/login shows no difference before and after the
setfilecon - it is always
of type login_et.
At this point, I suppose I should just switch to the latest fedora development
release and see whether this problem magically resolves itself. If
not, I guess some
debug info at d_instantiate will be in order.
thanks,
-serge
On Thu, 04 Nov 2004 12:11:06 -0500, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Thu, 2004-11-04 at 11:20, Serge Hallyn wrote:
> > Ah, running setfilecon worked.
> >
> > I don't understand why, though. The security.selinux xattr (as given by
> > getxattr(2)) looked the same before and after. What else is being changed
> > by setfilecon?
>
> The incore inode SID. setfilecon(1) unconditionally calls
> setfilecon(3), which invokes setxattr(2), which will invoke the
> post_setxattr hook and update the incore inode SID. setfiles and/or
> chcon would have just looked at the existing on-disk xattr value (via
> getfilecon(3)->getxattr(2)), seen that the on-disk xattr was already
> correct, and not bothered to call setfilecon(3), so the incore inode SID
> wasn't being updated by those programs. I think RedHat is/has added an
> option to chcon(1) to force the call to setfilecon(3) regardless of its
> current value. Perhaps setfiles(1) should unconditionally call
> setfilecon(3) too.
>
> This is an unfortunate side effect of using the xattr API (vs. the
> original SELinux API, which directly fetched the incore inode SID and
> returned it to the caller), because the xattr API always consults the
> filesystem and reports the on-disk xattr. SELinux maps the on-disk
> xattr to a SID at the time of d_instantiate, but if the on-disk xattr is
> invalid at that time (e.g. type isn't defined in the policy), then the
> inode SID is left unlabeled and it requires an explicit setxattr(2) to
> correct.
>
> --
>
>
> Stephen Smalley <sds@epoch.ncsc.mil>
> National Security Agency
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: learning about policies/transitions
2004-11-05 2:23 ` Serge Hallyn
@ 2004-11-05 12:26 ` Stephen Smalley
2004-11-15 16:12 ` Serge Hallyn
From: Stephen Smalley @ 2004-11-05 12:26 UTC (permalink / raw)
To: Serge Hallyn; +Cc: selinux
On Thu, 2004-11-04 at 21:23, Serge Hallyn wrote:
> Addendum: running setfilecon works once. After each reboot, I must again run
> setfilecon.before /bin/login will cause the transition to login_d.
> Again, running
> /bin/ls -Z /bin/login shows no difference before and after the
> setifilecon - it is always
> of type login_et.
Two scenarios:
1) At boot time (e.g. usual policy load by /sbin/init), you are loading
a policy that does not define login_et, /bin/login inode is brought
incore and mapped to the unlabeled SID, and you then load a policy that
does define login_et, but this doesn't automatically fix the incore
inode SID.
2) At boot time, you are loading a policy that does define login_et,
/bin/login inode is brought incore and mapped to the correct SID, you
then load a policy that does not define login_et (e.g. Fedora policy),
invalidating that SID, and you later reload a policy that does define
login_et, but this doesn't automatically fix the incore inode SID.
While it would be possible to walk the inode lists upon a policy reload
and retry mapping of the on-disk xattr for any inode with the unlabeled
SID, I'm not sure it is worthwhile to do so.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: learning about policies/transitions
2004-11-05 12:26 ` Stephen Smalley
@ 2004-11-15 16:12 ` Serge Hallyn
2004-11-15 16:38 ` Stephen Smalley
2004-11-23 4:21 ` Russell Coker
From: Serge Hallyn @ 2004-11-15 16:12 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
Thanks for your help, Stephen. I've *briefly* looked around at the
initrd and /bin/init sources, and can't find an initial policy that
would be loaded before the root filesystem pivot_root. I expect to
have more time at the end of this week to figure it out, though.
thanks,
-serge
On Fri, 05 Nov 2004 07:26:15 -0500, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Thu, 2004-11-04 at 21:23, Serge Hallyn wrote:
> > Addendum: running setfilecon works once. After each reboot, I must again run
> > setfilecon.before /bin/login will cause the transition to login_d.
> > Again, running
> > /bin/ls -Z /bin/login shows no difference before and after the
> > setifilecon - it is always
> > of type login_et.
>
> Two scenarios:
> 1) At boot time (e.g. usual policy load by /sbin/init), you are loading
> a policy that does not define login_et, /bin/login inode is brought
> incore and mapped to the unlabeled SID, and you then load a policy that
> does define login_et, but this doesn't automatically fix the incore
> inode SID.
> 2) At boot time, you are loading a policy that does define login_et,
> /bin/login inode is brought incore and mapped to the correct SID, you
> then load a policy that does not define login_et (e.g. Fedora policy),
> invalidating that SID, and you later reload a policy that does define
> login_et, but this doesn't automatically fix the incore inode SID.
>
> While it would be possible to walk the inode lists upon a policy reload
> and retry mapping of the on-disk xattr for any inode with the unlabeled
> SID, I'm not sure it is worthwhile to do so.
>
> --
>
>
> Stephen Smalley <sds@epoch.ncsc.mil>
> National Security Agency
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: learning about policies/transitions
2004-11-15 16:12 ` Serge Hallyn
@ 2004-11-15 16:38 ` Stephen Smalley
2004-11-15 17:07 ` Serge Hallyn
2004-11-23 4:21 ` Russell Coker
From: Stephen Smalley @ 2004-11-15 16:38 UTC (permalink / raw)
To: Serge Hallyn; +Cc: selinux
On Mon, 2004-11-15 at 11:12, Serge Hallyn wrote:
> Thanks for your help, Stephen. I've *briefly* looked around at the
> inird and /bin/init sources, and can't find an initiial policy that
> would be loaded before the root filesystem pivot_root. I expect to
> have more time at the end of this week to figure it out, though.
In Fedora, policy is loaded from the real root filesystem by /sbin/init,
not from the initrd. We did use an initrd originally when we first
overhauled SELinux for mainline inclusion and moved the initial policy
load into userspace, but RedHat encountered practical issues with using
an initrd and migrated to a patched /sbin/init. So /sbin/init is
loading policy from /etc/security/selinux/policy.NN under FC2 or
/etc/selinux/(strict|targeted)/policy/policy.NN under FC3. The question
is whether you are subsequently loading a different policy, possibly too
late, after /bin/login has already been looked up and brought incore.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: learning about policies/transitions
2004-11-15 16:38 ` Stephen Smalley
@ 2004-11-15 17:07 ` Serge Hallyn
2004-11-15 17:28 ` Stephen Smalley
From: Serge Hallyn @ 2004-11-15 17:07 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
On Mon, 15 Nov 2004 11:38:33 -0500, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> /etc/selinux/(strict|targeted)/policy/policy.NN under FC3. The question
> is whether you are subsequently loading a different policy, possibly too
> late, after /bin/login has already been looked up and brought incore.
Alas no, the custom policy is in /etc/security/selinux/policy.17 (on a
FC2 throwaway partition).
-serge
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: learning about policies/transitions
2004-11-15 17:07 ` Serge Hallyn
@ 2004-11-15 17:28 ` Stephen Smalley
2004-11-15 18:03 ` Serge Hallyn
From: Stephen Smalley @ 2004-11-15 17:28 UTC (permalink / raw)
To: Serge Hallyn; +Cc: selinux
On Mon, 2004-11-15 at 12:07, Serge Hallyn wrote:
> On Mon, 15 Nov 2004 11:38:33 -0500, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> > /etc/selinux/(strict|targeted)/policy/policy.NN under FC3. The question
> > is whether you are subsequently loading a different policy, possibly too
> > late, after /bin/login has already been looked up and brought incore.
>
> Alas no, the custom policy is in /etc/security/selinux/policy.17 (on a
> FC2 throwaway partition).
Not sure if I understand your meaning (FC2 throwaway partition?), but
the above statement makes me wonder if you also have an
/etc/security/selinux/policy.18 file, and whether /sbin/init is loading
it instead. FC2 shipped with policy.17, then subsequent FC2 kernel
updates yielded kernels that understood policy.18 (but still support
policy.17 for backward compatibility) without corresponding updates to
the policy tools and policy itself. /sbin/init will try to load the
latest policy supported by the kernel, so if you have a policy.18, it
will try to load it first, and failing that, it will fall back to
policy.17. But you shouldn't have a policy.18 unless you grabbed a
newer checkpolicy yourself from the NSA site or from the Fedora
development tree.
In any event, migrating to FC3 is a good idea for continued use of
SELinux, as the FC2 SELinux support was never well maintained.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: learning about policies/transitions
2004-11-15 17:28 ` Stephen Smalley
@ 2004-11-15 18:03 ` Serge Hallyn
From: Serge Hallyn @ 2004-11-15 18:03 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
On Mon, 15 Nov 2004 12:28:28 -0500, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> Not sure if I understand your meaning (FC2 throwaway partition?), but
Just that it's purely a test partition, which is why I haven't yet
upgraded it. But of course that also means there's no reason not to
upgrade it.
> In any event, migrating to FC3 is a good idea for continued use of
> SELinux, as the FC2 SELinux support was never well maintained.
I'll try FC3.
thanks,
-serge
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: learning about policies/transitions
2004-11-15 16:12 ` Serge Hallyn
2004-11-15 16:38 ` Stephen Smalley
@ 2004-11-23 4:21 ` Russell Coker
From: Russell Coker @ 2004-11-23 4:21 UTC (permalink / raw)
To: Serge Hallyn; +Cc: selinux
On Tuesday 16 November 2004 03:12, Serge Hallyn <serge.hallyn@gmail.com>
wrote:
> Thanks for your help, Stephen. I've *briefly* looked around at the
> inird and /bin/init sources, and can't find an initiial policy that
> would be loaded before the root filesystem pivot_root. I expect to
Only the initrd is running before pivot_root and the initrd does not load
policy any more. So there is no policy loaded until after the root file
system is mounted as "/" and /sbin/init is executed.
/sbin/init loads the policy and then re-exec's itself to transition from
kernel_t to init_t.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.