Dumb question - where does policy.17 go when it is 'loaded'?

Richard Hally rhally at mindspring.com
Tue Jun 1 08:16:30 UTC 2004 

Bob Gustafson wrote:

> When a policy is reloaded
>   (i.e., cd /etc/selinux/strict/src/policy; make reload),
> where does it go?
> 
> Here we have a local make of the policy:
> 
> [root at hoho2 policy]# make policy 2>&1 | tee policy.out
> /usr/bin/checkpolicy -o policy.17 policy.conf
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> security:  5 users, 7 roles, 1248 types, 1 bools
> security:  42 classes, 306567 rules
> /usr/bin/checkpolicy:  policy configuration loaded
> /usr/bin/checkpolicy:  writing binary representation (version 17) to policy.17
> [root at hoho2 policy]# date
> Tue Jun  1 01:15:00 CDT 2004
> [root at hoho2 policy]# ls -lt | head
> total 11712
> -rw-------  1 root root 7465378 Jun  1 01:14 policy.17
> -rw-r--r--  1 root root     330 Jun  1 01:14 policy.out
> -rw-r--r--  1 root root      97 May 29 23:57 reload.out
> drwxr-xr-x  2 root root    4096 May 29 23:57 tmp
> drwxr-xr-x  4 root root    4096 May 29 12:06 file_contexts
> -rw-r--r--  1 root root 4207890 May 29 12:05 policy.conf
> drwx------  2 root root    4096 May 29 12:05 flask
> drwx------  3 root root    4096 May 29 12:05 macros
> drwx------  2 root root    4096 May 29 12:05 types
> 
> OK, policy.17 is dropped into this directory.
> 
> [root at hoho2 policy]# ls -l ../../policy
> total 7308
> -rw-r--r--  1 root root 7465378 May 29 12:06 policy.17
> 
> And, the policy.17 in this strict tree - has not been updated
> 
> Now, zap the local policy.17
> 
> [root at hoho2 policy]# rm policy.17
> rm: remove regular file `policy.17'? y
> 
> And now just do a make reload
> 
> [root at hoho2 policy]# make reload 2>&1 | tee policy.out
> /usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat
> /selinux/policyvers`
> touch tmp/load
> 
> Now, check where it went..
> 
> [root at hoho2 policy]# ls -l ../../policy
> total 7308
> -rw-r--r--  1 root root 7465378 May 29 12:06 policy.17
> 
> Does not seem to have updated policy in the same (strict) tree
> 
> Look around for it
> 
> [root at hoho2 policy]# find / -name policy.17 -print
> /etc/security/selinux/policy.17
> /etc/security/selinux/src/policy/policy.17
> /etc/selinux/targeted/src/policy/policy.17
> /etc/selinux/targeted/policy/policy.17
> /etc/selinux/strict/policy/policy.17
> 
> Lots of policies - now check dates
> 
> [root at hoho2 policy]# ls -l /etc/security/selinux/policy.17
> -rw-r--r--  1 root root 7410154 May 29 12:13 /etc/security/selinux/policy.17
> 
> [root at hoho2 policy]# ls -l /etc/security/selinux/src/policy/policy.17
> -rw-------  1 root root 7385824 May  7 10:24
> /etc/security/selinux/src/policy/policy.17
> 
> [root at hoho2 policy]# ls -l /etc/selinux/strict/policy/policy.17
> -rw-r--r--  1 root root 7465378 May 29 12:06
> /etc/selinux/strict/policy/policy.17
> 
> [root at hoho2 policy]# ls -l /etc/selinux/targeted/policy/policy.17
> -rw-r--r--  1 root root 97919 May 29 12:06
> /etc/selinux/targeted/policy/policy.17
> 
> [root at hoho2 policy]# ls -l /etc/selinux/targeted/src/policy/policy.17
> -rw-------  1 root root 97919 May 28 13:38
> /etc/selinux/targeted/src/policy/policy.17
> 
> None of the dates have been touched. Where did it go?
> 
> -----
> 
> Now, if policy is 'loaded', why do I now get these errors?
> 
> [root at hoho2 user1]# rpm -i policycoreutils-1.13-3.src.rpm
> /etc/security/selinux/file_contexts:  invalid context
> system_u:object_r:at_exec_t on line number 710
> /etc/security/selinux/file_contexts:  invalid context
> system_u:object_r:seuser_exec_t on line number 1550
> /etc/security/selinux/file_contexts:  invalid context
> system_u:object_r:seuser_conf_t on line number 1551
> [root at hoho2 user1]#
> 
> 
> Also - hmm, I think I have security 'loaded' because I cannot 'su' into
> root now - unless I know what my role and type and ... are !! - may have to
> reboot.
> 
> My guess at this point is that the policy is loaded into memory somewhere -
> maybe the kernel patches will tell where??  But why is there no disk
> version?
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
The Makefile itself is very informative, especially the comments at the 
beginning. "make policy" does not load(or reload) the policy.
HTH
Richard Hally

More information about the fedora-selinux-list mailing list