On Sep 27, 2016 00:00, "Weiyuan (David, Euler)" <[email protected]> wrote:
>
> "The rootfs is typically just unpacked from initramfs and all files within it are assigned a default label based on the genfscon statement"
>
> Do you mean the kernel labels rootfs with genfscon before init loads the sepolicy into the kernel?
>
> Could you please describe the details of the process of how the rootfs is labeled with u:object_r:rootfs:s0 during the booting of Android (such as Nexus)?
There is nothing happening with selinux until userspace mounts selinuxfs and loads the policy file. The initial sid, which is the initial label for an object, is encoded in the loaded policy along with the genfscon statements. Genfscon is used primarily for labeling filesystems that do not have xattr support. For filesystems that have xattr, if set, the sid encoded in the xattr security.selinux is used. The file_contexts file, file_contexts.bin as of late, is used by userspace services to properly set the xattr label on filesystems. Namely init and ueventd use it.

The basic boot sequence is:

1. Boot the kernel and exec init
2. Initialize selinux mount
3. Load the policy file
4. Restorecon /init
5. setenforce(1) unless non-user build and Android boot variable is set to permissive.
6. Exec init in the second stage
7. Init script calls restorecon /data and /sys to reset labels if file_contexts changed (ie update).

I'm recalling this off the top of my head, some of the ordering might be slightly off, but the concepts should be correct. You can verify by reading init.cpp in system/core/init for the userspace load sequence.

To answer your question concisely, selinux isn't doing anything or labeling anything until the policy is loaded.

> Thanks.
>
> -----Original Message-----
> From: Stephen Smalley [mailto:[email protected]]
> Sent: September 27, 2016 0:43
> To: Weiyuan (David, Euler); William Roberts
> Cc: [email protected]
> Subject: Re: A question about booting process with SELinux.
>
> On 09/26/2016 12:23 PM, Weiyuan (David, Euler) wrote:
> > Dear All:
> >
> > I have a question: when and how are the root "/" and the files in it labeled?
> >
> > There are "/ u:object_r:rootfs:s0" in file_contexts, and "genfscon rootfs / u:object_r:rootfs:s0" in genfs_contexts.
> >
> > My understanding is, first, the kernel will load the initial_sid_contexts before the init process does the selinux_initialize().
> > Then when rootfs is mounted to "/", the kernel will label it with "u:object_r:labeledfs".
> >
> > And after the init process does the selinux_initialize() to load sepolicy into the kernel, there will be a restorecon to "/".
> >
> > Am I right? If I am right, then when does this restorecon happen?
>
> restorecon is only needed for /data or other filesystems that are updated at runtime. The rootfs is typically just unpacked from initramfs and all files within it are assigned a default label based on the genfscon statement, unless using a real ext4 root filesystem partition (in which case the inode xattrs would be set when the filesystem image is generated, not when the system is booting).
>
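Added illustration, not code from this thread or from Android: a small Python simulation of the labeling rules discussed above (nothing labeled before the policy loads; xattr-capable filesystems take security.selinux; other filesystems take the longest matching genfscon prefix). Mount, genfs_sid, label_of and every sample rule, mount and path are constructed for the example.

```python
"""Simulation (not the thread's code) of the labeling rules above: nothing
is labeled before the policy loads; an xattr-capable fs uses security.selinux
(unlabeled initial sid if unset); other fs get the longest genfscon prefix."""
from dataclasses import dataclass, field

UNLABELED = "u:object_r:unlabeled:s0"   # initial sid used when nothing else applies

@dataclass
class Mount:
    mountpoint: str
    fstype: str
    xattr: bool                                  # superblock labeled via xattrs?
    xattrs: dict = field(default_factory=dict)   # path -> stored security.selinux

def genfs_sid(rules, fstype, rel_path):
    """Longest matching path prefix wins, as security_genfs_sid does in the kernel."""
    best = None
    for fs, prefix, ctx in rules:                # rules: (fstype, path, context)
        if fs == fstype and rel_path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, ctx)
    return best[1] if best else None

def find_mount(mounts, path):
    """Deepest mountpoint that contains path."""
    def covers(m):
        return path == m.mountpoint or path.startswith(m.mountpoint.rstrip("/") + "/")
    return max((m for m in mounts if covers(m)), key=lambda m: len(m.mountpoint))

def label_of(mounts, rules, path, policy_loaded=True):
    """Label the kernel would report for path under the given mounts and policy."""
    if not policy_loaded:
        return None                              # policy not loaded: nothing labeled yet
    m = find_mount(mounts, path)
    if m.xattr:                                  # xattr fs: genfscon is not consulted
        return m.xattrs.get(path, UNLABELED)
    rel = "/" + path[len(m.mountpoint):].lstrip("/")   # path relative to the fs root
    return genfs_sid(rules, m.fstype, rel) or UNLABELED

# Constructed sample: Android-style genfscon rules and three mounts.
SAMPLE_RULES = [("rootfs", "/", "u:object_r:rootfs:s0"),
                ("proc", "/", "u:object_r:proc:s0"),
                ("proc", "/sys", "u:object_r:proc_sys:s0")]
SAMPLE_MOUNTS = [Mount("/", "rootfs", xattr=False),
                 Mount("/proc", "proc", xattr=False),
                 Mount("/data", "ext4", xattr=True,
                       xattrs={"/data/app": "u:object_r:apk_data_file:s0"})]
```

Paths under /data with no stored xattr fall back to the unlabeled initial sid, which is what a restorecon after a file_contexts update is there to fix.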
_______________________________________________
Seandroid-list mailing list
