updated SELinux FAQ

Richard Hally rhally at mindspring.com
Sat May 8 22:47:35 UTC 2004


Bob Gustafson wrote:

> On Sat, 08 May 2004 00:34:02 -0400 Richard Hally wrote:
> 
>>Q: I have installed Fedora Core 2 without SELinux, what are the steps to
>> start using SELinux?
>>A:
> 
> 
> snip
> 
> 
>> 4. cd /etc/security/selinux/src/policy
>>    make load
>>	(to make sure the policy and file_contexts were built correctly)
>>    make relabel
>>	 (this will take a while, it accesses every file on the system)
> 
> 
> (I'm coming from the newbie user side, so hopefully my questions would
> qualify as FAQ questions?)
> 
> I added the following as a comment to your bugzilla entry.
> 
> ----------
> 
> I wonder if there is a configuration problem with the policy files.
> 
> In the /etc/security/selinux/src/policy/Makefile (mine at least), there
> is no mention of policy.17 as an output file, but I do have a policy.17
> file in that directory and in the /etc/security/selinux directories (see
> below).
> 
> Where are all of these things dropping from, and what is the source used
> in generating policy.15, policy.16, policy.17?
> 
> Also, what is the meaning of 'load' when applied to a policy file? And
> how can one determine what policy file is 'active'? (whatever that means)
> 
>   [root@hoho2 policy]# more /home/user1/policy.bug
> 
>   [root@hoho2 policy]# pwd
>   /etc/security/selinux/src/policy
> 
>   [root@hoho2 policy]# grep 15 Makefile
>         $(CHECKPOLICY) -c 15 -o $(INSTALLDIR)/policy.15 policy.conf
>   [root@hoho2 policy]# grep 16 Makefile
>         $(CHECKPOLICY) -c 16 -o $(INSTALLDIR)/policy.16 policy.conf
>   [root@hoho2 policy]# grep 17 Makefile
> 
>   [root@hoho2 policy]# ls -l ../..
>   total 21752
>   -rw-r--r--  1 root root   86912 May  5 23:30 file_contexts
>   -rw-r--r--  1 root root 7369029 May  5 23:30 policy.15
>   -rw-r--r--  1 root root 7370766 May  5 23:30 policy.16
>   -rw-r--r--  1 root root 7371078 May  5 23:29 policy.17
>   drwx------  3 root root    4096 Apr 28 21:04 src
> 
> 
>   [root@hoho2 policy]# ls -l ../../policy.17
>   -rw-r--r--  1 root root 7371078 May  5 23:29 ../../policy.17
>   [root@hoho2 policy]# ls -l policy.17
>   -rw-------  1 root root 7346892 Apr 28 21:04 policy.17
> 
> These are not the same files, both size and date differ.
> 
>   [root@hoho2 policy]# file policy.17
>   policy.17: SE Linux policy v17 6 symbols 7 ocons
>   [root@hoho2 policy]#
> 
> That is pretty nifty. Maybe having some sort of 'source stamp' would be
> a useful addition somewhere, not necessarily in the file text though.
> (But maybe)
> 
>   [root@hoho2 policy]# checkpolicy -h
>   checkpolicy: invalid option -- h
>   usage:  checkpolicy [-b] [-d] [-c policyvers (15-17)] [-o
>       output_file] [input_file]
>   [root@hoho2 policy]# checkpolicy -b policy.17
>   checkpolicy:  loading policy configuration from policy.17
>   security:  5 users, 7 roles, 1244 types, 1 bools
>   security:  30 classes, 301755 rules
>   checkpolicy:  policy configuration loaded
>   [root@hoho2 policy]#
> 
> Loaded? What does that mean? Have I accidentally changed my whole security
> configuration?
> 
> No indication of what policy.conf or other files were used to make up
> this (binary) file.
> 
I'm a little surprised that you didn't read the Makefile and find 'cat
/selinux/policyvers'. Also the man pages help.
One thing that is not really explained (that I recall) is that
installing the 'policy' rpm puts pre-compiled 'policy{15,16,17}' in the
"install dir" (which for this rpm is /etc/security/selinux) while
installing the 'policy-sources' rpm does its thing in
/etc/security/selinux/src/policy and then builds the binary
policy{15,16,17} and moves (selinux "install") them to the
/etc/security/selinux/ dir.
HTH
Richard Hally
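
The checks discussed in this thread, as an added example that is not part of either message or of the policy package: it reads the kernel's policy version and reports which installed policy.N matches it, and whether each installed binary differs from the copy in the source tree. The function names are hypothetical, the default paths are the ones named in the thread, and it assumes the policy.N whose suffix equals the contents of /selinux/policyvers is the one that matters for "make load".

```shell
#!/bin/sh
# Added example (not from the thread). Paths are parameters so the
# functions can be pointed at a scratch tree instead of the live system.

# active_policy_file [POLICYVERS_FILE] [INSTALL_DIR]
# Prints the installed binary policy whose suffix matches the version the
# kernel reports. Returns 1 if the version cannot be read, 2 if no
# matching policy.N exists in INSTALL_DIR.
active_policy_file() {
    pv_file=${1:-/selinux/policyvers}
    install_dir=${2:-/etc/security/selinux}
    [ -r "$pv_file" ] || return 1
    vers=$(tr -cd '0-9' < "$pv_file")      # keep digits only
    [ -n "$vers" ] || return 1
    [ -f "$install_dir/policy.$vers" ] || return 2
    printf '%s\n' "$install_dir/policy.$vers"
}

# compare_policy_copies INSTALL_DIR SRC_DIR
# For every policy.N in INSTALL_DIR prints "N same", "N differs" or
# "N src-missing", comparing byte-for-byte with SRC_DIR/policy.N.
compare_policy_copies() {
    install_dir=$1
    src_dir=$2
    for f in "$install_dir"/policy.[0-9]*; do
        [ -f "$f" ] || continue            # glob matched nothing
        n=${f##*.}
        if [ ! -f "$src_dir/policy.$n" ]; then
            echo "$n src-missing"
        elif cmp -s "$f" "$src_dir/policy.$n"; then
            echo "$n same"
        else
            echo "$n differs"
        fi
    done
}

# Run against the live paths only when asked to: sh script.sh report
if [ "${1:-}" = "report" ]; then
    active_policy_file || echo "no policy matches the kernel version"
    compare_policy_copies /etc/security/selinux \
        /etc/security/selinux/src/policy
fi
```

A "differs" line for the version the kernel reports means the source tree has been rebuilt (or the policy rpm updated) without the other copy following, which is the situation the two ls -l listings above show for policy.17.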



