When the new kernel is first booted on a vanilla Linux system, all files are initially labeled with the security context associated with the file initial SID. Since the entry point executables are not labeled yet, appropriate domain transitions do not occur. Since all files are labeled with a single type, the permissions defined in the standard TE configuration are inadequate.
Consequently, a set of extensions to the standard policy configuration is defined for the initial boot and relabeling of file systems. The extended policy configuration is referred to as the initial policy. After booting with the initial policy, file systems are relabeled in accordance with the file contexts configuration and the standard policy is installed. The system is then rebooted for operational use.
The extensions to the policy configuration are contained in the init.te file. This file defines a new initial_boot_t domain. The init_t domain transitions to this domain when it executes any file. All system processes run in this domain during the initial boot. This domain is granted extensive permissions so that all system processes can perform their tasks before or after the relabeling. This domain can transition to the sysadm_t domain so that a user can log in as the administrator. The user can then relabel file systems, install the standard policy, and reboot.
In addition to defining the new domain, this file extends the kernel_t, init_t, kmod_t, and sysadm_t domains so that they can function properly during the initial boot and relabeling. It also extends the initrc_t domain so that it can handle the reboot.
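The following sketch, added here as an illustration and not taken from the actual init.te, shows how the initial_boot_t transition described above can be written in the TE language. It assumes that the file initial SID carries the type file_t and that system processes run in the role system_r; the attribute, role names and permission sets are likewise assumptions.

```te
# Added illustration, not the contents of init.te.
# Assumption: every unlabeled file has the type file_t, taken from the
# security context of the file initial SID.

# Domain used by all system processes during the initial boot.
type initial_boot_t, domain;

# Assumption: system processes run in system_r, so that role must be
# authorized for the new domain or the transition is denied.
role system_r types initial_boot_t;

# Default transition: when init_t executes a file_t file, the new process
# is labeled initial_boot_t. Before relabeling every executable is file_t,
# so this single rule matches "any file".
type_transition init_t file_t:process initial_boot_t;

# type_transition only selects the default label. The transition itself
# still needs three permissions:
allow init_t file_t:file { getattr read execute };   # run the program
allow init_t initial_boot_t:process transition;      # change domains
allow initial_boot_t file_t:file entrypoint;         # enter via file_t

# Path to an administrator login. This is not a default transition: the
# login program requests the new context, and policy only permits it.
allow initial_boot_t sysadm_t:process transition;
allow sysadm_t file_t:file entrypoint;
# Assumption: the administrator role is sysadm_r, so the role change from
# system_r must be allowed as well.
allow system_r sysadm_r;
```

Rules keyed on file_t in this way make that one type an entry point for powerful domains, which is why the section has them removed by installing the standard policy once the file systems are relabeled.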