2017-04-28 17:50 GMT+02:00 Stephen Smalley <sds@xxxxxxxxxxxxx>:
> You seem to be conflating kernel policy with userspace policy.
> security_load_policy() is provided with the kernel policy image, which
> is the result of linking the kernel-relevant portions of all policy
> modules together. A hash of that image will change if you insert a
> policy module that affects the kernel policy in any way. But a change
> that only affects userspace policy isn't ever going to be reflected in
> the kernel. It doesn't matter where or when you compute your checksum
> within the kernel; it isn't ever going to reflect those userspace
> policy changes.
Here is the content of the module is used for my tests:
#============= user_t ==============
allow user_t mnt_t:dir { write add_name };
allow user_t mnt_t:file { write create };
After loading the .pp corresponding to it, I can see that with the
method of computing the checksum on the (data, len) pair on entry to
security_load_policy(), the checksum does not change. However, when
using the (data, len) pair got from
security_read_policy(), the checksum changes. And when I remove the
module, the checksum is back to its previous value.
So this is what makes me think there is a difference. Am I missing something?
