When a policy is reloaded (i.e., cd /etc/selinux/strict/src/policy; make reload), where does it go?

Here we have a local make of the policy:

[root@hoho2 policy]# make policy 2>&1 | tee policy.out
/usr/bin/checkpolicy -o policy.17 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
security: 5 users, 7 roles, 1248 types, 1 bools
security: 42 classes, 306567 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 17) to policy.17
[root@hoho2 policy]# date
Tue Jun 1 01:15:00 CDT 2004
[root@hoho2 policy]# ls -lt | head
total 11712
-rw------- 1 root root 7465378 Jun 1 01:14 policy.17
-rw-r--r-- 1 root root 330 Jun 1 01:14 policy.out
-rw-r--r-- 1 root root 97 May 29 23:57 reload.out
drwxr-xr-x 2 root root 4096 May 29 23:57 tmp
drwxr-xr-x 4 root root 4096 May 29 12:06 file_contexts
-rw-r--r-- 1 root root 4207890 May 29 12:05 policy.conf
drwx------ 2 root root 4096 May 29 12:05 flask
drwx------ 3 root root 4096 May 29 12:05 macros
drwx------ 2 root root 4096 May 29 12:05 types

OK, policy.17 is dropped into this directory.

[root@hoho2 policy]# ls -l ../../policy
total 7308
-rw-r--r-- 1 root root 7465378 May 29 12:06 policy.17

And the policy.17 in this strict tree has not been updated.

Now, zap the local policy.17:

[root@hoho2 policy]# rm policy.17
rm: remove regular file `policy.17'? y

And now just do a make reload:

[root@hoho2 policy]# make reload 2>&1 | tee policy.out
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat /selinux/policyvers`
touch tmp/load

Now, check where it went:

[root@hoho2 policy]# ls -l ../../policy
total 7308
-rw-r--r-- 1 root root 7465378 May 29 12:06 policy.17

Does not seem to have updated the policy in the same (strict) tree.

Look around for it:

[root@hoho2 policy]# find / -name policy.17 -print
/etc/security/selinux/policy.17
/etc/security/selinux/src/policy/policy.17
/etc/selinux/targeted/src/policy/policy.17
/etc/selinux/targeted/policy/policy.17
/etc/selinux/strict/policy/policy.17

Lots of policies - now check dates:

[root@hoho2 policy]# ls -l /etc/security/selinux/policy.17
-rw-r--r-- 1 root root 7410154 May 29 12:13 /etc/security/selinux/policy.17
[root@hoho2 policy]# ls -l /etc/security/selinux/src/policy/policy.17
-rw------- 1 root root 7385824 May 7 10:24 /etc/security/selinux/src/policy/policy.17
[root@hoho2 policy]# ls -l /etc/selinux/strict/policy/policy.17
-rw-r--r-- 1 root root 7465378 May 29 12:06 /etc/selinux/strict/policy/policy.17
[root@hoho2 policy]# ls -l /etc/selinux/targeted/policy/policy.17
-rw-r--r-- 1 root root 97919 May 29 12:06 /etc/selinux/targeted/policy/policy.17
[root@hoho2 policy]# ls -l /etc/selinux/targeted/src/policy/policy.17
-rw------- 1 root root 97919 May 28 13:38 /etc/selinux/targeted/src/policy/policy.17

None of the dates have been touched. Where did it go?

-----

Now, if policy is 'loaded', why do I now get these errors?

[root@hoho2 user1]# rpm -i policycoreutils-1.13-3.src.rpm
/etc/security/selinux/file_contexts: invalid context system_u:object_r:at_exec_t on line number 710
/etc/security/selinux/file_contexts: invalid context system_u:object_r:seuser_exec_t on line number 1550
/etc/security/selinux/file_contexts: invalid context system_u:object_r:seuser_conf_t on line number 1551
[root@hoho2 user1]#

Also - hmm, I think I have security 'loaded' because I cannot 'su' into root now - unless I know what my role and type and ... are!! - may have to reboot.

My guess at this point is that the policy is loaded into memory somewhere - maybe the kernel patches will tell where??
But why is there no disk version?