Re: does load_policy default to loading the lowest polvers available?

On 10/14/2015 10:29 AM, Dominick Grift wrote:
> On Wed, Oct 14, 2015 at 10:17:04AM -0400, Stephen Smalley wrote:
>> On 10/14/2015 10:11 AM, Dominick Grift wrote:
>>> On Wed, Oct 14, 2015 at 09:56:04AM -0400, Stephen Smalley wrote:
>>>> On 10/14/2015 09:34 AM, Dominick Grift wrote:
>>>>> I had some issue that just confused me (to say the least). It seems that
>>>>> I have now solved this.
>>>>>
>>>>> There were two policy.X files in my /etc/selinux/SELINUXTYPE/policy dir,
>>>>> one 29 and one 30. The 29 seemingly had a bug in it.
>>>>>
>>>>> It seems that load_policy (or its libselinux equivalent) defaults to
>>>>> the lowest policy available (29 instead of 30 in this case).
>>>>>
>>>>> Why is that?
>>>>>
>>>>> I fixed the issue by removing the policy.29 file (I think at least).
>>>>
>>>> What policy versions were supported by your kernel (cat
>>>> /sys/fs/selinux/policyvers) and by your libsepol (checkpolicy -V)?
>>>
>>> /sys/fs/selinux/policyvers says: version 30, and checkpolicy says: 29 (compatibility range 29-15)
>>>
>>> That is weird because I have the latest libsepol installed (at least
>>> pretty recent):
>>>
>>> # rpm -qa {libsepol*,libselinux*}
>>> libselinux-utils-2.4-9999.git5aeb4c3.fc24.x86_64
>>> libselinux-2.4-9999.git5aeb4c3.fc24.x86_64
>>> libsepol-2.4-9999.git5aeb4c3.fc24.x86_64
>>
>> Last release of libsepol predated policy 30 support.
>>
>> However, if your kernel supports it, it should still be loaded.
>> The logic is in selinux/libselinux/src/load_policy.c:
>> selinux_mkload_policy().  With any modern kernel and configuration,
>> libselinux should not need to patch in local definitions or booleans
>> (already applied by libsemanage or preserved by the kernel), so maxvers
>> should be set to the max of the kernel version (/sys/fs/selinux/policyvers)
>> and the libsepol-supported version, and that should get loaded.
>>
>> strace of load_policy might be interesting.
>
> That is the thing indeed. It works fine if I manually run
> load_policy. But when I reboot it seemed to go back to the old one. (I am
> not sure how Fedora currently loads the policy.)
>
> I removed the policy.29 now so I can't easily reproduce it now, and I do
> not think an strace of a manual load_policy will reveal much as that
> works fine and as expected. The problem only occurred when I rebooted
> (when Fedora loads the policy instead of me).
>
> Ohh, hmm, maybe it's a Fedora initramfs issue... they probably have some
> old stuff in there.

AFAIK, systemd just calls selinux_init_load_policy() in libselinux (aka load_policy -i). And the approach to selecting a policy version has been stable for quite a while, so I wouldn't expect the libselinux in the initramfs to differ in this respect.
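To make the version-selection rule Stephen describes concrete, here is an added Python model of it (not code from libselinux or from anyone in the thread). It assumes, following his explanation, that the ceiling is raised to the kernel's version only when libselinux does not have to patch local booleans or definitions into the binary, and it replays the thread's layout: kernel 30, libsepol 29 with compatibility range 29-15, and both policy.29 and policy.30 present.

```python
"""Model of the policy.N choice made by selinux_mkload_policy().
Added illustration only; the real function also opens and loads the file."""
import os
import re

POLICY_NAME = re.compile(r"^policy\.(\d+)$")


def select_policy_version(kernvers, sepol_maxvers, sepol_minvers,
                          available, needs_local_patch=False):
    """Return the policy.N version that would be chosen, or None.

    kernvers:          kernel's max version (/sys/fs/selinux/policyvers)
    sepol_maxvers:     libsepol's max kernel policy version (checkpolicy -V)
    sepol_minvers:     low end of libsepol's compatibility range
    available:         set of N for which policy.N exists in the policy dir
    needs_local_patch: True if libselinux must rewrite the binary policy
                       (local booleans/definitions); assumption: then it
                       cannot exceed libsepol's own max version, since
                       libsepol has to parse and re-emit the file.
    """
    maxvers = sepol_maxvers
    # A newer kernel's version is used directly when no rewriting is needed.
    if kernvers > maxvers and not needs_local_patch:
        maxvers = kernvers
    # Search downward from maxvers to minvers for the first file present.
    for vers in range(maxvers, sepol_minvers - 1, -1):
        if vers in available:
            return vers
    return None


def list_policy_versions(policy_dir):
    """Collect N for every policy.N in policy_dir (e.g. /etc/selinux/<type>/policy)."""
    versions = set()
    for name in os.listdir(policy_dir):
        m = POLICY_NAME.match(name)
        if m:
            versions.add(int(m.group(1)))
    return versions


if __name__ == "__main__":
    # Constructed scenario from the thread: policy.29 and policy.30 both present.
    present = {29, 30}
    print(select_policy_version(30, 29, 15, present))                          # 30
    print(select_policy_version(30, 29, 15, present, needs_local_patch=True))  # 29
```

Run against a real policy directory with list_policy_versions() to see which file a given kernel/libsepol pair would pick; a stale lower-numbered policy.N only matters when the search cannot reach the newer one.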
_______________________________________________
Selinux mailing list