Re: Dumb question - where does policy.17 go when it is 'loaded'?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Bob Gustafson wrote:

When a policy is reloaded
 (i.e., cd /etc/selinux/strict/src/policy; make reload),
where does it go?

Here we have a local make of the policy:



Policy.17 should be recreated in /etc/selinux/strict/policy in this scenario.
/etc/selinux/targeted/policy if you did this in a targeted policy.


[root@hoho2 policy]# make policy 2>&1 | tee policy.out
/usr/bin/checkpolicy -o policy.17 policy.conf
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
security:  5 users, 7 roles, 1248 types, 1 bools
security:  42 classes, 306567 rules
/usr/bin/checkpolicy:  policy configuration loaded
/usr/bin/checkpolicy:  writing binary representation (version 17) to policy.17
[root@hoho2 policy]# date
Tue Jun  1 01:15:00 CDT 2004
[root@hoho2 policy]# ls -lt | head
total 11712
-rw-------  1 root root 7465378 Jun  1 01:14 policy.17
-rw-r--r--  1 root root     330 Jun  1 01:14 policy.out
-rw-r--r--  1 root root      97 May 29 23:57 reload.out
drwxr-xr-x  2 root root    4096 May 29 23:57 tmp
drwxr-xr-x  4 root root    4096 May 29 12:06 file_contexts
-rw-r--r--  1 root root 4207890 May 29 12:05 policy.conf
drwx------  2 root root    4096 May 29 12:05 flask
drwx------  3 root root    4096 May 29 12:05 macros
drwx------  2 root root    4096 May 29 12:05 types

OK, policy.17 is dropped into this directory.

[root@hoho2 policy]# ls -l ../../policy
total 7308
-rw-r--r--  1 root root 7465378 May 29 12:06 policy.17

And, the policy.17 in this strict tree - has not been updated

Now, zap the local policy.17

[root@hoho2 policy]# rm policy.17
rm: remove regular file `policy.17'? y

And now just do a make reload

[root@hoho2 policy]# make reload 2>&1 | tee policy.out
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat
/selinux/policyvers`
touch tmp/load

Now, check where it went..

[root@hoho2 policy]# ls -l ../../policy
total 7308
-rw-r--r--  1 root root 7465378 May 29 12:06 policy.17

Does not seem to have updated policy in the same (strict) tree

Look around for it

[root@hoho2 policy]# find / -name policy.17 -print
/etc/security/selinux/policy.17
/etc/security/selinux/src/policy/policy.17
/etc/selinux/targeted/src/policy/policy.17
/etc/selinux/targeted/policy/policy.17
/etc/selinux/strict/policy/policy.17

Lots of policies - now check dates

[root@hoho2 policy]# ls -l /etc/security/selinux/policy.17
-rw-r--r--  1 root root 7410154 May 29 12:13 /etc/security/selinux/policy.17

[root@hoho2 policy]# ls -l /etc/security/selinux/src/policy/policy.17
-rw-------  1 root root 7385824 May  7 10:24
/etc/security/selinux/src/policy/policy.17

[root@hoho2 policy]# ls -l /etc/selinux/strict/policy/policy.17
-rw-r--r--  1 root root 7465378 May 29 12:06
/etc/selinux/strict/policy/policy.17

[root@hoho2 policy]# ls -l /etc/selinux/targeted/policy/policy.17
-rw-r--r--  1 root root 97919 May 29 12:06
/etc/selinux/targeted/policy/policy.17

[root@hoho2 policy]# ls -l /etc/selinux/targeted/src/policy/policy.17
-rw-------  1 root root 97919 May 28 13:38
/etc/selinux/targeted/src/policy/policy.17

None of the dates have been touched. Where did it go?

-----

Now, if policy is 'loaded', why do I now get these errors?

[root@hoho2 user1]# rpm -i policycoreutils-1.13-3.src.rpm
/etc/security/selinux/file_contexts: invalid context
system_u:object_r:at_exec_t on line number 710
/etc/security/selinux/file_contexts: invalid context
system_u:object_r:seuser_exec_t on line number 1550
/etc/security/selinux/file_contexts: invalid context
system_u:object_r:seuser_conf_t on line number 1551
[root@hoho2 user1]#


rpm is currently broken. You can fix this behaviour by linking to the file context file

ln -s /etc/selinux/strict/files/file_context /etc/security/selinux/file_contexts


Also - hmm, I think I have security 'loaded' because I cannot 'su' into root now - unless I know what my role and type and ... are !! - may have to reboot.

My guess at this point is that the policy is loaded into memory somewhere -
maybe the kernel patches will tell where?? But why is there no disk
version?
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux