Bug 122849 - SELinux FAQ - what is the meaning of the numbered policy files, how are they generated?
SELinux FAQ - what is the meaning of the numbered policy files, how are they ...
Status: CLOSED CURRENTRELEASE
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq (Show other bugs)
devel
All Linux
medium Severity medium
: ---
: ---
Assigned To: Karsten Wade
Tammy Fox
http://people.redhat.com/kwade/fedora...
:
Depends On:
Blocks: 118757
  Show dependency treegraph
 
Reported: 2004-05-09 03:07 EDT by Karsten Wade
Modified: 2007-04-18 13:07 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-05-18 02:48:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Karsten Wade 2004-05-09 03:07:27 EDT
Separated from 122794.

Version-Release of FAQ 

 selinux-faq-1.1 (2004-05-05-T16:20-0800)


 Additional Comment #1 From Bob Gustafson (bobgus@rcn.com)  on
2004-05-08 15:52 -------


I wonder if there is a configuration problem with the policy files.

In the /etc/security/selinux/src/policy/Makefile (mine at least),
there is no mention of policy.17 as an output file, but I do have a
policy.17 file in that directory and in the /etc/security/selinux
directories (see below).

Where are all of these things dropping from, and what is the source
used in generating policy.15, policy.16, policy.17.

Also, what is the meaning of 'load' when applied to a policy file. And
how can one determine what policy file is 'active'?

  [root@hoho2 policy]# more /home/user1/policy.bug

  [root@hoho2 policy]# pwd
  /etc/security/selinux/src/policy

  [root@hoho2 policy]# grep 15 Makefile
        $(CHECKPOLICY) -c 15 -o $(INSTALLDIR)/policy.15 policy.conf
  [root@hoho2 policy]# grep 16 Makefile
        $(CHECKPOLICY) -c 16 -o $(INSTALLDIR)/policy.16 policy.conf
  [root@hoho2 policy]# grep 17 Makefile

  [root@hoho2 policy]# ls -l ../..
  total 21752
  -rw-r--r--  1 root root   86912 May  5 23:30 file_contexts
  -rw-r--r--  1 root root 7369029 May  5 23:30 policy.15
  -rw-r--r--  1 root root 7370766 May  5 23:30 policy.16
  -rw-r--r--  1 root root 7371078 May  5 23:29 policy.17
  drwx------  3 root root    4096 Apr 28 21:04 src

 
  [root@hoho2 policy]# ls -l ../../policy.17
  -rw-r--r--  1 root root 7371078 May  5 23:29 ../../policy.17
  [root@hoho2 policy]# ls -l policy.17
  -rw-------  1 root root 7346892 Apr 28 21:04 policy.17

These are not the same files, both size and date differ.
 
 [root@hoho2 policy]# file policy.17
  policy.17: SE Linux policy v17 6 symbols 7 ocons
  [root@hoho2 policy]#

That is pretty nifty. Maybe having some sort of 'source stamp' would
be a useful addition somewhere, not necessarily in the file text
though. (But maybe)
 
  [root@hoho2 policy]# checkpolicy -h
  checkpolicy: invalid option -- h
  usage:  checkpolicy [-b] [-d] [-c policyvers (15-17)] [-o 
      output_file] [input_file]
  [root@hoho2 policy]# checkpolicy -b policy.17
  checkpolicy:  loading policy configuration from policy.17
  security:  5 users, 7 roles, 1244 types, 1 bools
  security:  30 classes, 301755 rules
  checkpolicy:  policy configuration loaded
  [root@hoho2 policy]#
 
Loaded? What does that mean? Have I accidently changed my whole
security configuration?

No indication of what policy.conf or other files were used to make up
this (binary) file.
Comment 1 Karsten Wade 2004-05-18 02:48:03 EDT
Update - agree with the explanation in this email; new question will
come out in version 1.2 of the FAQ:

http://www.redhat.com/archives/fedora-selinux-list/2004-May/msg00061.html

to expand upon this topic in the FAQ.

## begin

Q:. Why do the files /etc/security/selinux/policy.<version> and
/etc/security/selinux/src/policy/policy.<version> have different
(sizes, md5sums, dates)?

A:. When you install the policy package, a pre-compiled binary policy
file is put directly at /etc/security/selinux. When the policy-source
package is installed or updated, binary policy files are built in
/etc/security/selinux/src/policy, then moved to /etc/security/selinux.
The different build environments will make target files have different
sizes, md5sums, and dates.

## 30

Note You need to log in before you can comment on or make changes to this bug.