2017-04-28 17:50 GMT+02:00 Stephen Smalley <sds@xxxxxxxxxxxxx>: > You seem to be conflating kernel policy with userspace policy. > security_load_policy() is provided with the kernel policy image, which > is the result of linking the kernel-relevant portions of all policy > modules together. A hash of that image will change if you insert a > policy module that affects the kernel policy in any way. But a change > that only affects userspace policy isn't ever going to be reflected in > the kernel. It doesn't matter where or when you compute your checksum > within the kernel; it isn't ever going to reflect those userspace > policy changes. Here is the content of the module is used for my tests: #============= user_t ============== allow user_t mnt_t:dir { write add_name }; allow user_t mnt_t:file { write create }; After loading the .pp corresponding to it, I can see that with the method of computing the checksum on the (data, len) pair on entry to security_load_policy(), the checksum does not change. However, when using the (data, len) pair got from security_read_policy(), the checksum changes. And when I remove the module, the checksum is back to its previous value. So this is what makes me think there is a difference. Am I missing something?