92


Chapter 7. Compiling SELinux Policy


2. Policy compiles if there are new or changed files in certain locations in the source tree. Those files


must have a later timestamp than


policy.conf


. If you want to compile the policy but cannot


because of the timestamp, you can force a compile.


To compile the policy, run


make


make_policy_target


.


f


g


If you need to force a policy build, run


make  W


users


load


. The target can be any


f


ghf


g


from the


Makefile


.


The


 W


option tells


make


to act as if the command


touch


had been run on the file


users


. This


virtual update of the timestamp is only from the perspective of


make


. It triggers the


Makefile


to


build and load the policy because the virtual change to the


users


file gives it a later timestamp


than the


policy.conf


file.


In order to compile the policy, you need to install the policy source package,


selinux policy targeted sources  version


.


f


g


The Significant Policy


make


Targets list that follows discusses important


make


targets in the SELinux


policy sources. The


Makefile


itself has more options that you can explore yourself.


Significant Policy


make


Targets


load


Compiles, installs, and fully loads the policy into memory.


This


runs


load_policy


and


installs


$SELINUX_POLICY/policy. XY


and


f


g


/etc/selinux/targeted/contexts/files/file_contexts


. When the policy gets


loaded, the file


$SELINUX_SRC/tmp/load


is created. The


Makefile


does not compile the


policy as long as nothing has changed in the policy source tree since the creation time on the file


policy.conf


.


reload


Compiles, installs, and loads or reloads the policy. Reloading lets you load the policy in runtime


even if the file


$SELINUX_SRC/tmp/load


is present and newer than the last changes in policy


source.


policy


Only


compiles


the


policy,


putting


the


resulting


binary


policy


file


into


$SELINUX_SRC/policy. XY


.


It


also


creates


a


new


policy.conf


file,


f


g


file_contexts/file_contexts


, and so forth. This is useful for developing policy that you


intend to deploy on another machine.


relabel


Relabels


the


file


system


using


the


policy


sources,


based


on


the


file


$SELINUX_SRC/file_contexts/file_contexts


. As explained in Section 5.2.2 Relabel a


File System, this is not the recommended method for relabeling a file system.


enableaudit


Enables auditing on all of the policy rules that are marked


dontaudit


. The


enableaudit


target


changes the


dontaudit


rules in


policy.conf


, which is then loaded.


cd $SELINUX_SRC/


make enableaudit


make load


This is useful for troubleshooting if you are getting SELinux denials that are not generating audit


messages. This is usually discovered by testing with


setenforce 0


to see if the operation is


then allowed.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved