updated SELinux FAQ
Richard Hally
rhally at mindspring.com
Sat May 8 22:47:35 UTC 2004
Bob Gustafson wrote:
> On Sat, 08 May 2004 00:34:02 -0400 Richard Hally wrote:
>
>>Q: I have installed Fedora Core 2 without SELinux, what are the steps to
>> start using SELinux?
>>A:
>
>
> snip
>
>
>> 4. cd /etc/security/selinux/src/policy
>> make load
>> (to make sure the policy and file_contexts were built correctly)
>> make relabel
>> (this will take a while, it accesses every file on the system)
>
>
> (I'm coming from the newbie user side, so hopefully my questions would
> qualify as FAQ questions?)
>
> I added the following as a comment to your bugzilla entry.
>
> ----------
>
> I wonder if there is a configuration problem with the policy files.
>
> In the /etc/security/selinux/src/policy/Makefile (mine at least), there
> is no mention of policy.17 as an output file, but I do have a policy.17
> file in that directory and in the /etc/security/selinux directories (see
> below).
>
> Where are all of these things dropping from, and what is the source used
> in generating policy.15, policy.16, policy.17?
>
> Also, what is the meaning of 'load' when applied to a policy file? And
> how can one determine what policy file is 'active'? (whatever that means)
>
> [root@hoho2 policy]# more /home/user1/policy.bug
>
> [root@hoho2 policy]# pwd
> /etc/security/selinux/src/policy
>
> [root@hoho2 policy]# grep 15 Makefile
> $(CHECKPOLICY) -c 15 -o $(INSTALLDIR)/policy.15 policy.conf
> [root@hoho2 policy]# grep 16 Makefile
> $(CHECKPOLICY) -c 16 -o $(INSTALLDIR)/policy.16 policy.conf
> [root@hoho2 policy]# grep 17 Makefile
>
> [root@hoho2 policy]# ls -l ../..
> total 21752
> -rw-r--r-- 1 root root 86912 May 5 23:30 file_contexts
> -rw-r--r-- 1 root root 7369029 May 5 23:30 policy.15
> -rw-r--r-- 1 root root 7370766 May 5 23:30 policy.16
> -rw-r--r-- 1 root root 7371078 May 5 23:29 policy.17
> drwx------ 3 root root 4096 Apr 28 21:04 src
>
>
> [root@hoho2 policy]# ls -l ../../policy.17
> -rw-r--r-- 1 root root 7371078 May 5 23:29 ../../policy.17
> [root@hoho2 policy]# ls -l policy.17
> -rw------- 1 root root 7346892 Apr 28 21:04 policy.17
>
> These are not the same files, both size and date differ.
>
> [root@hoho2 policy]# file policy.17
> policy.17: SE Linux policy v17 6 symbols 7 ocons
> [root@hoho2 policy]#
>
> That is pretty nifty. Maybe having some sort of 'source stamp' would be
> a useful addition somewhere, not necessarily in the file text though.
> (But maybe)
>
> [root@hoho2 policy]# checkpolicy -h
> checkpolicy: invalid option -- h
> usage: checkpolicy [-b] [-d] [-c policyvers (15-17)] [-o output_file] [input_file]
> [root@hoho2 policy]# checkpolicy -b policy.17
> checkpolicy: loading policy configuration from policy.17
> security: 5 users, 7 roles, 1244 types, 1 bools
> security: 30 classes, 301755 rules
> checkpolicy: policy configuration loaded
> [root@hoho2 policy]#
>
> Loaded? What does that mean? Have I accidentally changed my whole security
> configuration?
>
> No indication of what policy.conf or other files were used to make up
> this (binary) file.
I'm a little surprised that you didn't read the Makefile and find 'cat
/selinux/policyvers'. Also the man pages help.
One thing that is not really explained (that I recall) is that
installing the 'policy' rpm puts pre-compiled 'policy{15,16,17}' in the
"install dir" (which for this rpm is /etc/security/selinux) while
installing the 'policy-sources' rpm does its thing in
/etc/security/selinux/src/policy and then builds the binary
policy{15,16,17} and moves (selinux "install") them to the
/etc/security/selinux/ dir.
HTH
Richard Hally
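
An added example, not part of the original thread or of the SELinux tools: shell functions that read the number in /selinux/policyvers, pick the matching policy.N in the install dir, print the same header fields that `file policy.17` showed above, and report whether the source-tree copy is byte-identical. The function names are hypothetical, the header offsets are assumed from the file(1) magic entry for "SE Linux policy", and treating the policy.N that matches policyvers as the one of interest is this example's assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed binary policy header layout
# (from the file(1) magic entry): magic at offset 0, version at 16,
# symbols at 24, ocons at 28, each a little-endian 32-bit value.

# le32 FILE OFFSET -> unsigned little-endian 32-bit value at OFFSET
le32() {
    set -- $(od -An -tu1 -j"$2" -N4 "$1")
    [ $# -eq 4 ] || return 1
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# policy_stamp FILE -> "vN S symbols O ocons"; non-zero if FILE is not a policy
policy_stamp() {
    [ "$(le32 "$1" 0)" = 4185718668 ] || return 1   # 0xf97cff8c
    echo "v$(le32 "$1" 16) $(le32 "$1" 24) symbols $(le32 "$1" 28) ocons"
}

# compare_policy [POLICYVERS_FILE] [INSTALL_DIR] [SRC_DIR]
# Defaults are the paths named in the thread. Selects policy.N for the N in
# POLICYVERS_FILE and says whether the installed and source-tree copies match.
compare_policy() {
    vers=$(cat "${1:-/selinux/policyvers}") || return 1
    inst="${2:-/etc/security/selinux}/policy.$vers"
    src="${3:-/etc/security/selinux/src/policy}/policy.$vers"
    stamp=$(policy_stamp "$inst") || { echo "$inst: not a binary policy"; return 1; }
    if [ ! -f "$src" ]; then
        state="no source-tree copy"
    elif cmp -s "$inst" "$src"; then
        state="identical to source-tree copy"
    else
        state="differs from source-tree copy"
    fi
    echo "policy.$vers $stamp: $state"
}

# make_sample FILE VERSION -> writes a constructed 32-byte header for trying
# the functions in a scratch directory (not a real, loadable policy)
make_sample() {
    printf '\214\377\174\371\010\000\000\000SE Linux' > "$1"
    printf "\\$(printf '%03o' "$2")\\000\\000\\000" >> "$1"
    printf '\000\000\000\000\006\000\000\000\007\000\000\000' >> "$1"
}
```

Running `compare_policy` with no arguments uses the paths from the thread; both copies are only read, never loaded.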