On Wed, 22 Nov 2023 at 19:33, William Roberts <bill.c.roberts@xxxxxxxxx> wrote:
>
> On Tue, Nov 21, 2023 at 2:27 PM Petr Lautrbach <lautrbach@xxxxxxxxxx> wrote:
> >
> > Hi,
> >
> > Milos Malik noticed [0] that getpolicyload "skips" 1 after the first
> > `semodule -R`:
> >
> >
> > [root@fedora ~]# getpolicyload
> > 0
> > [root@fedora ~]# semodule -R
> > [root@fedora ~]# getpolicyload
> > 2
> > [root@fedora ~]# semodule -R
> > [root@fedora ~]# getpolicyload
> > 3
> > [root@fedora ~]# semodule -R
> > [root@fedora ~]# getpolicyload
> > 4
> >
> > Why is it like that?
> >
> > It looks like the increased sequence is not propagated after the first
> > policyload and it's propagated to the status after the second
> > policyload.
> >
> >
> > [0] https://src.fedoraproject.org/tests/selinux/pull-request/451#comment-168398
> >
>
> it may not be one, but never zero, so it's ok to skip 1 per this comment:
> - https://elixir.bootlin.com/linux/latest/source/security/selinux/status.c#L57
>
> On the creation of the page, the policyload is set to 0, on updates,
> the seqno is used:
> - https://elixir.bootlin.com/linux/latest/source/security/selinux/status.c#L104
>
> Definitely odd behavior, but seems expected. I just don't know why
> seqno isn't used on page creation.
>
> Bill

The initial policy load will call selinux_status_update_policyload(1), trying to set the sequence number to 1, but probably the status page is not yet allocated. It is only allocated on first access of /selinux/status (see selinuxfs.c:sel_open_handle_status()).
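As an added illustration of the explanation above (example code written for this note, not code from the thread or from the kernel): a userspace model of the status page handling in security/selinux/status.c. The struct layout is the kernel's selinux_kernel_status; the lazy page allocation, the seqlock-style sequence bumps and the "no page, no update" early return are simplified models of sel_open_handle_status() and selinux_status_update_policyload(), and the replay shows why a reader sees 0 and then 2.

```c
#include <stdint.h>
#include <stdlib.h>
/* Same layout as the kernel's struct selinux_kernel_status (status.c). */
struct selinux_kernel_status {
    uint32_t version, sequence, enforcing, policyload, deny_unknown;
};
static struct selinux_kernel_status *status_page; /* NULL until first open */
static uint32_t policy_seqno;                     /* policy load counter */

/* Model of sel_open_handle_status(): the page is allocated on first open,
 * zero-filled, so policyload starts at 0 whatever seqno already is. */
static struct selinux_kernel_status *status_open(void)
{
    if (!status_page)
        status_page = calloc(1, sizeof(*status_page));
    return status_page;
}

/* Model of selinux_status_update_policyload(): with no page to write,
 * the update is silently lost. */
static void status_update_policyload(uint32_t seqno)
{
    if (!status_page)
        return;
    status_page->sequence++;         /* odd: writer active */
    status_page->policyload = seqno;
    status_page->sequence++;         /* even: consistent again */
}
/* A policy load: the initial boot load or a later `semodule -R`. */
static void load_policy(void)
{
    status_update_policyload(++policy_seqno);
}

/* Replay the thread's scenario from a fresh state; returns the four values
 * getpolicyload would print after the boot load and three reloads. */
static const uint32_t *replay(void)
{
    static uint32_t seen[4];
    free(status_page);
    status_page = NULL;
    policy_seqno = 0;
    load_policy();                           /* nobody opened the page yet: seqno 1 dropped */
    seen[0] = status_open()->policyload;     /* 0 */
    for (int i = 1; i < 4; i++) {
        load_policy();                       /* semodule -R */
        seen[i] = status_open()->policyload; /* 2, 3, 4 */
    }
    return seen;
}
```

Opening the status page once before the first policy load (as a userspace reader would by mapping it early) makes the model report 1, which is the check that separates this explanation from a counter bug.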