On 09/02/2014 10:38 PM, William Roberts wrote:
> Was setcon added to the init language to address the inability to
> label the ramdisk and thus do a dynamic domain transition from kernel
> context to init context on exec of init? and/or is it also because no
> true exec happens?

The kernel does exec init (linux/init/main.c:run_init_process()), but as policy has not yet been loaded, there can be no automatic domain transition upon that exec. We could have performed the setcon() call directly from the init code rather than the init.rc, except that would have required hard-coding a security context in the init source code. It seemed preferable to keep it in the init.rc file instead.

In modern Linux distributions, the systemd init program loads policy, gets the label of its executable file, asks the kernel for the resulting context via security_compute_create(), and calls setcon() with that context. It can do that since it is executed from the "real" root filesystem which supports labeling rather than the initramfs.
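
The sequence described in the reply above (read the executable's label, ask the kernel for the resulting context, then switch to it), as an added example that is not part of the original message and is not systemd or Android init code. It uses the kernel interfaces that libselinux's getfilecon(), getcon(), security_compute_create() and setcon() wrap. Assumptions: policy is already loaded, selinuxfs is mounted at /sys/fs/selinux, and the names create_request, query and transition_self are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>
#define CTX_MAX 4096

/* Request written to <selinuxfs>/create: "<source ctx> <target ctx> <class index>". */
int create_request(char *buf, size_t n, const char *scon, const char *tcon, unsigned short cls)
{
    int len = snprintf(buf, n, "%s %s %hu", scon, tcon, cls);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Optionally write req to path, then read the reply into buf (NUL-terminated). */
static int query(const char *path, const char *req, char *buf, size_t n)
{
    int fd = open(path, req ? O_RDWR : O_RDONLY);
    ssize_t r = -1;
    if (fd < 0) return -1;
    if (!req || write(fd, req, strlen(req)) == (ssize_t)strlen(req))
        r = read(fd, buf, n - 1);
    close(fd);
    if (r <= 0) return -1;
    buf[r] = '\0';
    return 0;
}

/* Move the caller into the domain that loaded policy assigns to exe; 0 or -1. */
int transition_self(const char *exe)
{
    char scon[CTX_MAX], tcon[CTX_MAX], newcon[CTX_MAX], idx[16], req[2 * CTX_MAX + 8];
    unsigned short cls;
    ssize_t n = getxattr(exe, "security.selinux", tcon, sizeof tcon - 1); /* getfilecon() */
    if (n < 0) return -1;              /* unlabeled, e.g. a file in the initramfs */
    tcon[n] = '\0';
    if (query("/proc/self/attr/current", NULL, scon, sizeof scon) < 0) return -1; /* getcon() */
    if (query("/sys/fs/selinux/class/process/index", NULL, idx, sizeof idx) < 0 ||
        sscanf(idx, "%hu", &cls) != 1) return -1;   /* kernel index of class "process" */
    if (create_request(req, sizeof req, scon, tcon, cls) < 0) return -1;
    if (query("/sys/fs/selinux/create", req, newcon, sizeof newcon) < 0) return -1;
    int fd = open("/proc/self/attr/current", O_WRONLY);                   /* setcon() */
    if (fd < 0) return -1;
    n = write(fd, newcon, strlen(newcon) + 1);
    close(fd);
    return n < 0 ? -1 : 0;
}

int main(void) { return transition_self("/proc/self/exe") == 0 ? 0 : 1; }
```

The final write succeeds only if the loaded policy grants the current domain the dyntransition permission to the computed context.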
