The Role of Policy in the Boot Process - Red Hat Enterprise Linux 5 Deployment Manual


Chapter 44. Security and SELinux
• /etc/selinux/targeted/contexts/files/ — contains the default contexts for the entire file system. This is referenced by restorecon when performing relabeling operations.
• /etc/selinux/targeted/contexts/users/ — in the targeted policy, only the root file is in this directory. These files are used for determining the context when a user logs in. For example, for the root user, the context is user_u:system_r:unconfined_t.
• /etc/selinux/targeted/modules/active/booleans* — this is where the runtime Booleans are configured.
Note: These files should never be changed manually. Use the getsebool, setsebool and semanage tools to manipulate runtime Booleans.
44.7.2.2. Source Tree Files
For developing policy modules, the selinux-policy-devel package includes all of the interface files used to build policy. Anyone who builds policy modules should build them against these files.
This package installs the policy interface files under /usr/share/selinux/devel/include and installs a Makefile at /usr/share/selinux/devel/Makefile.
To help applications that need the various SELinux paths, libselinux provides a number of functions that return the paths to the different configuration files and directories. This removes the need for applications to hard-code the paths, which matters because the active policy location depends on the SELINUXTYPE setting in /etc/selinux/config.
For example, if SELINUXTYPE is set to strict, the active policy location is under /etc/selinux/strict.
To view the list of available functions, use the following command:
man 3 selinux_binary_policy_path
Note: This man page is available only if the libselinux-devel RPM is installed.
The use of libselinux and its related functions is outside the scope of this document.
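The dependency of the policy location on SELINUXTYPE, shown as an added shell example that is not from the manual and does not call libselinux: it re-implements in shell what path functions such as selinux_policy_root() do, parsing a constructed copy of /etc/selinux/config (comments and surrounding whitespace tolerated, "targeted" assumed when the key is absent).

```shell
#!/bin/sh
# Added example, not part of the Red Hat manual. Derives the active SELinux
# policy paths from SELINUXTYPE instead of hard-coding /etc/selinux/targeted.

# Constructed sample of /etc/selinux/config; nothing is read from the live system.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=strict
'

# Read config text on stdin and print the SELINUXTYPE value. Comment lines are
# skipped, the last assignment wins, and "targeted" is assumed if none is set.
selinux_type() {
    t=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${t:-targeted}"
}

# Paths the manual lists, relative to the root of the active policy type.
policy_root()        { printf '/etc/selinux/%s\n' "$1"; }
file_contexts_dir()  { printf '/etc/selinux/%s/contexts/files\n' "$1"; }
user_contexts_dir()  { printf '/etc/selinux/%s/contexts/users\n' "$1"; }
booleans_prefix()    { printf '/etc/selinux/%s/modules/active/booleans\n' "$1"; }

# Resolve every path for the sample configuration (SELINUXTYPE=strict).
TYPE=$(printf '%s' "$SAMPLE_CONFIG" | selinux_type)
echo "active policy type: $TYPE"
policy_root "$TYPE"
file_contexts_dir "$TYPE"
user_contexts_dir "$TYPE"
booleans_prefix "$TYPE"
```

On a real system the same functions would be fed /etc/selinux/config; the booleans_prefix output is the stem the manual's booleans* glob expands from.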

44.7.3. The Role of Policy in the Boot Process

SELinux plays an important role during the early stages of system start-up. Because all processes must be labeled with their correct domain, init performs some essential operations early in the boot process to maintain synchronization between labeling and policy enforcement.
1. After the kernel has been loaded during the boot process, the initial process is assigned the predefined initial SELinux ID (initial SID) kernel. Initial SIDs are used for bootstrapping before the policy is loaded.