"The rootfs is typically just unpacked from initramfs and all files within it are assigned a default label based on the genfscon statement"
Do you mean the kernel labels rootfs with genfscon before init loads the sepolicy into the kernel? Could you please describe the details of the process by which the rootfs is labeled with u:object_r:rootfs:s0 during the booting of Android (such as Nexus)?

Thanks.

-----Original Message-----
From: Stephen Smalley [mailto:s...@tycho.nsa.gov]
Sent: September 27, 2016 0:43
To: Weiyuan (David, Euler); William Roberts
Cc: seandroid-list@tycho.nsa.gov
Subject: Re: A question about booting process with SELinux.

On 09/26/2016 12:23 PM, Weiyuan (David, Euler) wrote:
> Dear All:
>
> I have a question: when and how are the root “/” and the files in
> it labeled?
>
> There are "/ u:object_r:rootfs:s0" in file_contexts, and "genfscon
> rootfs / u:object_r:rootfs:s0" in genfs_contexts.
>
> My understanding is: first, the kernel will load the initial_sid_contexts
> before the init process does the selinux_initialize().
>
> Then when rootfs is mounted to “/”, the kernel will label it with
> “u:object_r:labeledfs.
>
> And after the init process does the selinux_initialize() to load sepolicy
> into the kernel, there will be a restorecon to “/”.
>
> Am I right? If I am right, then when does this restorecon happen?

restorecon is only needed for /data or other filesystems that are updated at runtime. The rootfs is typically just unpacked from initramfs and all files within it are assigned a default label based on the genfscon statement, unless using a real ext4 root filesystem partition (in which case the inode xattrs would be set when the filesystem image is generated, not when the system is booting).