Dumb question - where does policy.17 go when it is 'loaded'?
Daniel J Walsh
dwalsh at redhat.com
Tue Jun 1 14:14:44 UTC 2004
Bob Gustafson wrote:
>When a policy is reloaded
> (i.e., cd /etc/selinux/strict/src/policy; make reload),
>where does it go?
>
>Here we have a local make of the policy:
>
Policy.17 should be recreated in /etc/selinux/strict/policy in this
scenario.
/etc/selinux/targeted/policy if you did this in a targeted policy.
>[root at hoho2 policy]# make policy 2>&1 | tee policy.out
>/usr/bin/checkpolicy -o policy.17 policy.conf
>/usr/bin/checkpolicy: loading policy configuration from policy.conf
>security: 5 users, 7 roles, 1248 types, 1 bools
>security: 42 classes, 306567 rules
>/usr/bin/checkpolicy: policy configuration loaded
>/usr/bin/checkpolicy: writing binary representation (version 17) to policy.17
>[root at hoho2 policy]# date
>Tue Jun 1 01:15:00 CDT 2004
>[root at hoho2 policy]# ls -lt | head
>total 11712
>-rw------- 1 root root 7465378 Jun 1 01:14 policy.17
>-rw-r--r-- 1 root root 330 Jun 1 01:14 policy.out
>-rw-r--r-- 1 root root 97 May 29 23:57 reload.out
>drwxr-xr-x 2 root root 4096 May 29 23:57 tmp
>drwxr-xr-x 4 root root 4096 May 29 12:06 file_contexts
>-rw-r--r-- 1 root root 4207890 May 29 12:05 policy.conf
>drwx------ 2 root root 4096 May 29 12:05 flask
>drwx------ 3 root root 4096 May 29 12:05 macros
>drwx------ 2 root root 4096 May 29 12:05 types
>
>OK, policy.17 is dropped into this directory.
>
>[root at hoho2 policy]# ls -l ../../policy
>total 7308
>-rw-r--r-- 1 root root 7465378 May 29 12:06 policy.17
>
>And, the policy.17 in this strict tree - has not been updated
>
>Now, zap the local policy.17
>
>[root at hoho2 policy]# rm policy.17
>rm: remove regular file `policy.17'? y
>
>And now just do a make reload
>
>[root at hoho2 policy]# make reload 2>&1 | tee policy.out
>/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat /selinux/policyvers`
>touch tmp/load
>
>Now, check where it went..
>
>[root at hoho2 policy]# ls -l ../../policy
>total 7308
>-rw-r--r-- 1 root root 7465378 May 29 12:06 policy.17
>
>Does not seem to have updated policy in the same (strict) tree
>
>Look around for it
>
>[root at hoho2 policy]# find / -name policy.17 -print
>/etc/security/selinux/policy.17
>/etc/security/selinux/src/policy/policy.17
>/etc/selinux/targeted/src/policy/policy.17
>/etc/selinux/targeted/policy/policy.17
>/etc/selinux/strict/policy/policy.17
>
>Lots of policies - now check dates
>
>[root at hoho2 policy]# ls -l /etc/security/selinux/policy.17
>-rw-r--r-- 1 root root 7410154 May 29 12:13 /etc/security/selinux/policy.17
>
>[root at hoho2 policy]# ls -l /etc/security/selinux/src/policy/policy.17
>-rw------- 1 root root 7385824 May 7 10:24 /etc/security/selinux/src/policy/policy.17
>
>[root at hoho2 policy]# ls -l /etc/selinux/strict/policy/policy.17
>-rw-r--r-- 1 root root 7465378 May 29 12:06 /etc/selinux/strict/policy/policy.17
>
>[root at hoho2 policy]# ls -l /etc/selinux/targeted/policy/policy.17
>-rw-r--r-- 1 root root 97919 May 29 12:06 /etc/selinux/targeted/policy/policy.17
>
>[root at hoho2 policy]# ls -l /etc/selinux/targeted/src/policy/policy.17
>-rw------- 1 root root 97919 May 28 13:38 /etc/selinux/targeted/src/policy/policy.17
>
>None of the dates have been touched. Where did it go?
>
>-----
>
>Now, if policy is 'loaded', why do I now get these errors?
>
>[root at hoho2 user1]# rpm -i policycoreutils-1.13-3.src.rpm
>/etc/security/selinux/file_contexts: invalid context
>system_u:object_r:at_exec_t on line number 710
>/etc/security/selinux/file_contexts: invalid context
>system_u:object_r:seuser_exec_t on line number 1550
>/etc/security/selinux/file_contexts: invalid context
>system_u:object_r:seuser_conf_t on line number 1551
>[root at hoho2 user1]#
>
>
rpm is currently broken. You can fix this behaviour by linking to the
file context file:

ln -s /etc/selinux/strict/files/file_context /etc/security/selinux/file_contexts
>
>Also - hmm, I think I have security 'loaded' because I cannot 'su' into
>root now - unless I know what my role and type and ... are !! - may have to
>reboot.
>
>My guess at this point is that the policy is loaded into memory somewhere -
>maybe the kernel patches will tell where?? But why is there no disk
>version?
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
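The "invalid context" errors quoted above are what you get when a file_contexts file names types that the loaded policy does not define (here at_exec_t, seuser_exec_t, seuser_conf_t). As an added example, not from this thread or from the SELinux tools, the script below checks each file_contexts entry against the `type` declarations in a policy.conf; both inputs are constructed excerpts, not the poster's files.

```python
"""Report file_contexts entries whose type is not declared in a policy.conf."""
import re

# Constructed policy.conf excerpt: only 'type NAME[, attr...];' lines matter.
POLICY_CONF = """\
type at_t;
type crond_exec_t, file_type, exec_type;
type sshd_exec_t, file_type, exec_type;
type etc_t, file_type;
attribute file_type;
"""

# Constructed file_contexts excerpt: regex path, optional file class, context.
FILE_CONTEXTS = """\
# comment line
/etc(/.*)?              system_u:object_r:etc_t
/usr/sbin/sshd   --     system_u:object_r:sshd_exec_t
/usr/sbin/crond  --     system_u:object_r:crond_exec_t
/usr/bin/at      --     system_u:object_r:at_exec_t
/usr/sbin/seuser --     system_u:object_r:seuser_exec_t
/etc/seuser.conf        <<none>>
"""

TYPE_DECL = re.compile(r'^\s*type\s+([A-Za-z0-9_]+)')


def declared_types(policy_conf):
    """Collect the names from 'type NAME...;' declarations (typealias is skipped)."""
    types = set()
    for line in policy_conf.splitlines():
        m = TYPE_DECL.match(line)
        if m:
            types.add(m.group(1))
    return types


def invalid_contexts(file_contexts, types):
    """Return (line_number, context) for entries whose type field is undeclared.
    The output mirrors the 'invalid context ... on line number N' message rpm printed."""
    bad = []
    for lineno, line in enumerate(file_contexts.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        context = stripped.split()[-1]
        if context == '<<none>>':          # entry that is deliberately left unlabeled
            continue
        fields = context.split(':')        # user:role:type[:mls]
        if len(fields) < 3 or fields[2] not in types:
            bad.append((lineno, context))
    return bad


if __name__ == '__main__':
    for lineno, ctx in invalid_contexts(FILE_CONTEXTS, declared_types(POLICY_CONF)):
        print(f'file_contexts: invalid context {ctx} on line number {lineno}')
```

Pointing POLICY_CONF and FILE_CONTEXTS at the real files from the source tree and the installed tree shows whether the two are out of step before the next policy load.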