Re: Building MLS/MCS policy


 



Stephen,

what I propose is to add a few lines of documentation explaining the process of switching between different policy types (see the two patches below, one for load_policy and the other for the reference policy).

diff -pru policycoreutils-2.0.77/load_policy/load_policy.8 policycoreutils-2.0.77-new/load_policy/load_policy.8
--- policycoreutils-2.0.77/load_policy/load_policy.8    2009-11-19 23:16:03.000000000 +0100
+++ policycoreutils-2.0.77-new/load_policy/load_policy.8        2010-01-26 16:26:11.210178317 +0100
@@ -12,6 +12,11 @@ load_policy loads the installed policy f
 The existing policy boolean values are automatically preserved
 across policy reloads rather than being reset to the default
 values in the policy file.
+.PP
+It should be noted that it is not possible to switch between
+a non-MLS/MCS policy and a MLS/MCS policy or viceversa at
+runtime. To switch between such different types of policies
+change the SELinux configuration and reboot the kernel.

 .SH "OPTIONS"
 .TP

diff -pru refpolicy-2.20091117/README refpolicy-2.20091117-new/README
--- refpolicy-2.20091117/README 2009-07-14 14:24:46.000000000 +0200
+++ refpolicy-2.20091117-new/README     2010-01-26 16:39:13.272185609 +0100
@@ -267,3 +267,14 @@ refresh                    Attempts to reinsert all modul
 xml                    Build a policy.xml from the XML included with the
                        base policy headers and any XML in the modules in
                        the current directory.
+
+5) Switching between different types of policies (e.g. from non-MLS to MLS)
+
+In order to switch from a non-MLS/non-MCS policy to a MLS or MCS policy
+(and viceversa), make sure to change in build.conf not only the TYPE
+parameter between the two policies but also the NAME parameter (just name
+the new policy differently from the previous one). Also, after building the
+new policy, in order to load it for the first time (and eventually install
+custom modules), it might be necessary to reboot the kernel in permissive
+mode (after having changed the SELinux configuration file to select the
+new policy).
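
Review bot: The last sentence of the new section 5 sends the reader into permissive mode ("it might be necessary to reboot the kernel in permissive mode") but never says when that is actually needed or that the system should be returned to enforcing mode afterwards, which leaves a documented path to a machine that stays permissive. State the condition that requires the permissive boot and add the closing step of switching back to enforcing once the new policy and any custom modules are loaded. The instruction to change NAME as well as TYPE in build.conf would be easier to act on with a one-line reason for why reusing the old name causes trouble. Wording: "viceversa" should be "vice versa", "a MLS or MCS policy" should be "an MLS or MCS policy", and "eventually install custom modules" probably means "possibly install", so pick the intended word.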

Regards,

Guido

Attachment: document-switch-policy-type.patch
Description: Binary data

Attachment: document-switch-policy-type-in-reference.patch
Description: Binary data

