Chapter 2. SELinux Policy Overview
*_context and default_type
  various contexts used by applications, such as the userhelper_context used by userhelper.

files/*
  the file file_contexts contains the default contexts for the whole file system. This is what restorecon references when relabeling. The file media contains the default contexts for media devices such as the CD-ROM and floppy disk.

users/*
  in the targeted policy, only the file root is in this directory. These files are used for determining context on login, which is system_r:unconfined_t for root.

booleans
  this is where the runtime Booleans are configured. This is the canonical configuration file when Boolean values are changed.
To help applications that need the various SELinux paths, libselinux has a number of functions that return the paths to the different configuration files and directories. This keeps applications from having to hard-code the paths, especially since the active policy location depends on the setting in /etc/selinux/config. The list of functions is available from the manual page, which you can view with the command man 3 selinux_binary_policy_path.
2.3. Policy Role in Boot
SELinux plays an important role early in system start-up. Since all of the processes must be labeled with their proper domain, init does some essential actions early in the boot process that keep labeling and policy enforcement in sync.
1. After the kernel has been loaded during boot, the initial process is assigned the predefined initial SID kernel. Initial SIDs are used for bootstrapping before the policy is loaded.

2. /sbin/init mounts /proc/, then looks for the selinuxfs file system type. If it is present, that means SELinux is enabled in the kernel.

3. If init does not find SELinux in the kernel, finds it is disabled via the selinux=0 boot parameter, or if /etc/selinux/config specifies that SELINUX=disabled, boot proceeds with a non-SELinux system.

   At the same time, init sets the enforcing status if it is different from the setting in /etc/selinux/config. This happens when a parameter is passed during boot. The default mode is permissive until the policy is loaded, then enforcement is set by the configuration file or by the parameters enforcing=0 or enforcing=1.

4. If SELinux is present, /selinux/ is mounted.

5. The kernel checks /selinux/policyvers for the supported policy version. init looks into /etc/selinux/config to see which policy is active, such as the targeted policy, and loads the associated file at $SELINUX_POLICY/policy.<version>.

   If the binary policy is not the version supported by the kernel, init attempts to load the policy file if it is a previous version. This provides backward compatibility with older policy versions.

   If the local settings in /etc/selinux/targeted/booleans are different from those compiled in the policy, init modifies the policy in memory based on the local settings prior to loading the policy into the kernel.

6. Now that the policy is loaded, the initial SIDs are mapped to security contexts in the policy, as defined in $SELINUX_SRC/initial_sid_contexts. In the case of the targeted policy, the new domain is user_u:system_r:unconfined_t. The kernel can now begin to get security contexts dynamically from the in-kernel security server.
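The precedence rules in steps 2 through 5 above, as an added Python model (not code from this guide or from init itself): kernel parameters override /etc/selinux/config, the mode defaults to permissive, and an older policy.<version> file is accepted when the kernel's own version is absent. The function names, the sample config, the selinuxfs_in_kernel flag (standing in for the /proc/ check) and the directory listing passed in are all assumptions made for this illustration.

```python
import re

# Constructed sample of /etc/selinux/config (not copied from a real system).
SAMPLE_CONFIG = """# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""

def parse_selinux_config(text):
    """Return the KEY=value settings of /etc/selinux/config, ignoring comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def boot_decision(cmdline, config_text, selinuxfs_in_kernel):
    """Model of the decisions init makes in steps 2 and 3.

    selinuxfs_in_kernel stands in for the lookup of the selinuxfs file system
    type under /proc/ (assumed flag). Returns (enabled, enforcing, policy_type).
    Kernel parameters (selinux=0, enforcing=0/1) take precedence over the file.
    """
    params = {}
    for item in cmdline.split():
        key, _, value = item.partition("=")
        params[key] = value
    cfg = parse_selinux_config(config_text)
    mode = cfg.get("SELINUX", "disabled")
    if not selinuxfs_in_kernel or params.get("selinux") == "0" or mode == "disabled":
        return (False, False, None)          # boot proceeds as a non-SELinux system
    enforcing = mode == "enforcing"          # permissive unless the config says otherwise
    if "enforcing" in params:                # enforcing=0/1 on the kernel command line wins
        enforcing = params["enforcing"] == "1"
    return (True, enforcing, cfg.get("SELINUXTYPE", "targeted"))

def choose_policy_file(policy_dir_listing, kernel_policy_version):
    """Pick the policy.<version> file from $SELINUX_POLICY as in step 5: the
    kernel's own version if present, otherwise the newest older version
    (backward compatibility). policy_dir_listing stands in for a directory listing."""
    versions = []
    for name in policy_dir_listing:
        match = re.fullmatch(r"policy\.(\d+)", name)
        if match:
            versions.append(int(match.group(1)))
    usable = sorted(v for v in versions if v <= kernel_policy_version)
    return "policy.%d" % usable[-1] if usable else None
```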