On Tue, Nov 21, 2023 at 2:27 PM Petr Lautrbach <lautrbach@xxxxxxxxxx> wrote:
>
> Hi,
>
> Milos Malik noticed [0] that getpolicyload "skips" 1 after first
> `semodule -R`:
>
>
> [root@fedora ~]# getpolicyload
> 0
> [root@fedora ~]# semodule -R
> [root@fedora ~]# getpolicyload
> 2
> [root@fedora ~]# semodule -R
> [root@fedora ~]# getpolicyload
> 3
> [root@fedora ~]# semodule -R
> [root@fedora ~]# getpolicyload
> 4
>
> why it's like that?
>
> It looks like increased sequence is not propagated after first
> policyload and it's propagated to the status after the second
> policyload.
>
>
> [0] https://src.fedoraproject.org/tests/selinux/pull-request/451#comment-168398
>

It may not be one, but never zero, so it's ok to skip 1 per this comment:
- https://elixir.bootlin.com/linux/latest/source/security/selinux/status.c#L57

On the creation of the page, the policyload is set to 0; on updates, the seqno is used:
- https://elixir.bootlin.com/linux/latest/source/security/selinux/status.c#L104

Definitely odd behavior, but seems expected. I just don't know why
seqno isn't used on page creation.

Bill
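
The behaviour discussed in this thread, as a small user-space model added here (not kernel code and not written by either poster): the page is created with policyload 0, and later policy loads copy the sequence number into it. It assumes one policy load happened at boot before anything opened the status page; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of the SELinux kernel status page (five 32-bit words). */
struct status_page {
    uint32_t version, sequence, enforcing, policyload, deny_unknown;
};

static struct status_page page;  /* model of the shared status page */
static int page_exists;          /* the page is created lazily, on first open */
static uint32_t seqno;           /* policy sequence number, kept outside the page */

/* Reset the model (hypothetical helper for this example). */
static void model_reset(void) { memset(&page, 0, sizeof page); page_exists = 0; seqno = 0; }

/* Page creation: policyload starts at 0 regardless of the current seqno. */
static void page_create(void)
{
    if (page_exists) return;
    memset(&page, 0, sizeof page);
    page_exists = 1;
}

/* Policy load: seqno always advances, but is copied only into an existing page. */
static void policy_load(void)
{
    seqno++;
    if (!page_exists) return;
    page.sequence++;             /* odd value: update in progress */
    page.policyload = seqno;
    page.sequence++;             /* even value: update complete */
}

/* A reader opens the page (creating it if needed) and returns the field. */
static uint32_t read_policyload(void) { page_create(); return page.policyload; }

/* Consumer check: compare for inequality, never for "previous + 1". */
static int policy_changed(uint32_t cached) { return read_policyload() != cached; }

int main(void)
{
    model_reset();
    policy_load();               /* assumed boot-time load, before the page exists */
    printf("%u\n", read_policyload());
    for (int i = 0; i < 3; i++) { policy_load(); printf("%u\n", read_policyload()); }
    printf("changed since 3: %d\n", policy_changed(3));
    return 0;
}
```

A userspace object manager that caches decisions should therefore treat any change in policyload as a reload and flush, rather than expecting consecutive values.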