SELinux plays an important role during the early stages of system start-up. Because all processes must be labeled with their correct domain,
init performs some essential operations early in the boot process to maintain synchronization between labeling and policy enforcement.
After the kernel has been loaded during the boot process, the initial process is assigned the predefined initial SELinux ID (initial SID) kernel
. Initial SID
s are used for bootstrapping before the policy is loaded.
/proc/, and then searches for the
selinuxfs file system type. If it is present, that means SELinux is enabled in the kernel.
init does not find SELinux in the kernel, or if it is disabled via the
selinux=0 boot parameter, or if
/etc/selinux/config specifies that
SELINUX=disabled, the boot process proceeds with a non-SELinux system.
At the same time,
init sets the enforcing status if it is different from the setting in
/etc/selinux/config. This happens when a parameter is passed during the boot process, such as
enforcing=1. The kernel does not enforce any policy until the initial policy is loaded.
If SELinux is present,
/selinux/ is mounted.
/selinux/policyvers for the supported policy version. The version number in
/selinux/policyvers is the latest policy version your kernel supports.
/etc/selinux/config to determine which policy is active, such as the targeted policy, and loads the associated file at
If the binary policy is not the version supported by the kernel,
init attempts to load the policy file if it is a previous version. This provides backward compatibility with older policy versions.
If the local settings in
/etc/selinux/targeted/booleans are different from those compiled in the policy,
init modifies the policy in memory based on the local settings prior to loading the policy into the kernel.
By this stage of the process, the policy is fully loaded into the kernel. The initial SIDs are then mapped to security contexts in the policy. In the case of the targeted policy, the new domain is user_u:system_r:unconfined_t. The kernel can now begin to retrieve security contexts dynamically from the in-kernel security server.
init then re-executes itself so that it can transition to a different domain, if the policy defines it. For the targeted policy, there is no transition defined and
init remains in the
At this point,
init continues with its normal boot process.
The reason that
init re-executes itself is to accommodate stricter SELinux policy controls. The objective of re-execution is to transition to a new domain with its own granular rules. The only way that a process can enter a domain is during execution, which means that such processes are the only entry points
into the domains.
For example, if the policy has a specific domain for
, such as
, a method is required to change from the initial SID
, such as kernel
, to the correct runtime domain for
. Because this transition may need to occur,
is coded to re-execute itself after loading the policy.
init transition occurs if the
domain_auto_trans(kernel_t, init_exec_t, <target_domain_t>) rule is present in the policy. This rule states that an automatic transition occurs on anything executing in the
kernel_t domain that executes a file of type init_exec_t. When this execution occurs, the new process is assigned the domain
<target_domain_t>, using an actual target domain such as