Rawhide MLS policy.22 and policy.23

Stephen Smalley sds at tycho.nsa.gov
Mon Apr 14 12:31:41 UTC 2008

On Sun, 2008-04-13 at 21:44 -0500, Joe Nall wrote:
> I have an MLS policy.22 and policy.23 on current rawhide. The system  
> boots and runs policy.22. sedispol doesn't like policy.23. What  
> controls which policy is in use? Is 22 the correct policy to be  
> running today?

Known problem.  The way it is supposed to work (and used to work prior
to moving initial policy load into the initrd for upstart) is that
libsemanage would always generate the latest policy version supported by
libsepol, and libselinux would always try to load the latest policy
version supported by libsepol, and libselinux could use libsepol to
downgrade that policy to one understood by the kernel as needed.

The problem now in Fedora 9 / rawhide is that initial policy load
happens from nash on the initrd, and uses the libsepol pulled into the
initrd when it was built (i.e. when the kernel was installed).  Thus,
you can end up with an older libsepol on the initrd than exists on the
real root, and have a system where nash can NOT load the latest policy
generated by libsemanage.

To fix, either a) rebuild your initrd so that you have the latest
libsepol in it (this should happen automatically on next kernel
install), or b) force the libsepol on the real root to generate
policy.22 instead by putting policy-version = 22
in /etc/selinux/semanage.conf and then run semodule -B to rebuild.

setools should have been rebuilt recently to pick up the new libsepol
(it uses the static lib and has to be rebuilt for newer ones).

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list