Chapter 7. Compiling SELinux Policy
When enabled, the number of denial messages may be very large. You return to a dontaudit state by running make clean and then make load in $SELINUX_SRC/.
Tip
The Makefile makes some decisions based on the timestamps of the two policy files $SELINUX_SRC/policy.conf and $SELINUX_SRC/policy.<XY>, and of the file $SELINUX_SRC/tmp/load. Because of this you may run into tricky behavior.
The Makefile only rebuilds policy.conf if there are newer policy files in the source tree. Two behaviors arise from this:
1. If you move a TE file into the source tree that has a timestamp older than policy.conf, the Makefile does not rebuild policy.conf.
2. If you move a TE file so that it is no longer in the build path, in particular out of $SELINUX_SRC/domains/misc/, the Makefile does not necessarily recognize the change.
When this occurs, make load validates the policy and touches tmp/load, but does not compile the policy. You can force the compile with make -W users load.
The make load command compares the timestamp of tmp/load with that of the binary policy file in $SELINUX_SRC/. This file, policy.<XY>, is created in the policy source directory by the command make policy. If the binary policy file is newer than tmp/load, the policy is loaded.
For example, you write a local.te custom policy file, run tests on it, then remove the file from the source tree. With no new files in the policy source tree, the Makefile does not reload the policy, because it only looks for new files in the source tree. You must run make -W users load, which compiles, installs, and loads the policy. This returns you to an uncustomized state.
Later you decide to use the custom policy again. You retrieve the file from the unused policy source location and move it back to where it will compile into the policy. However, running make load or make reload has no effect, because local.te is not a new file; it still carries its original timestamp. To keep the accurate timestamp on the file rather than using touch, you can again use make -W domains/misc/local.te load.
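Both cases above, a TE file moved into the tree with an older timestamp and a TE file moved out of the build path, are invisible to make because it compares timestamps only. The following pre-flight check is an added example, not part of this guide or of the policy Makefile: it records the set of TE files that went into the last build in a manifest (the file name tmp/te-manifest is an assumption of the example) and reports whether a plain make load would rebuild, whether nothing changed, or whether the input set changed in a way make will not notice, which is when make -W users load is needed. The directory layout follows the guide; the sample tree the script builds is constructed data.

```shell
#!/bin/sh
# Added example: a pre-flight check for the timestamp pitfalls described above.
# Directory layout ($SELINUX_SRC/domains, domains/unused, policy.conf, tmp/load)
# follows the guide; the manifest file tmp/te-manifest is an assumption of this
# example and is not something the policy Makefile maintains.

# The TE files make would include: everything under domains/ except
# domains/unused/. Sorted so two listings can be compared as text.
list_te_inputs() {
    find "$1/domains" -path "$1/domains/unused" -prune -o -name '*.te' -print | sort
}

# Record the current input set; call this right after a successful build.
record_te_manifest() {
    mkdir -p "$1/tmp"
    list_te_inputs "$1" > "$1/tmp/te-manifest"
}

# Exit status:
#   0  policy.conf reflects the current TE files
#   1  a TE file is newer than policy.conf (or policy.conf is missing);
#      a plain "make load" rebuilds on its own
#   2  the set of TE files changed but none is newer than policy.conf;
#      make will not notice, so "make -W users load" is required
policy_build_status() {
    src=$1
    manifest="$src/tmp/te-manifest"
    [ -f "$src/policy.conf" ] || return 1
    newer=$(find "$src/domains" -path "$src/domains/unused" -prune -o \
                 -name '*.te' -newer "$src/policy.conf" -print)
    [ -z "$newer" ] || return 1
    if [ -f "$manifest" ] && [ "$(list_te_inputs "$src")" != "$(cat "$manifest")" ]; then
        return 2
    fi
    return 0
}

# Constructed sample tree for the demonstration (not a real policy source):
# one TE file dated before policy.conf, so make considers it up to date.
# Prints the path of the tree.
sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/domains/misc" "$dir/domains/unused" "$dir/tmp"
    echo 'type sample_t, domain;' > "$dir/domains/misc/sample.te"
    touch -t 202001010000 "$dir/domains/misc/sample.te"
    echo '# stand-in for the m4-expanded policy' > "$dir/policy.conf"
    touch -t 202001020000 "$dir/policy.conf"
    touch "$dir/tmp/load"
    record_te_manifest "$dir"
    printf '%s\n' "$dir"
}

# Usage from the policy source directory:
#   policy_build_status "$SELINUX_SRC"; echo "status=$?"
```

Run record_te_manifest after every build that you know succeeded; from then on, a status of 2 before make load tells you the Makefile would silently skip the rebuild, and a status of 0 after you moved a file means the file landed outside the build path (for instance in domains/unused/).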
7.2. What Happens During Policy Build
There are multiple events during policy build, some depending on which make target you choose. The end result is a binary policy file, with several ancillary files created in the process, including policy.conf. The compilation itself follows the same essential steps regardless of the make target:
1. All of the configuration files from the $SELINUX_SRC/ tree that are used in the policy are concatenated together. This is a preprocessed state. The source configuration files are discussed extensively in Chapter 2 SELinux Policy Overview. The basic qualification for inclusion is to have a TE file in $SELINUX_SRC/domains/, but not in the domains/unused/ directory.
2. The m4 preprocessor takes the aggregate configuration input and expands the macros, making the policy.conf file.
3. The checkpolicy policy compiler runs against policy.conf, resulting in the policy.<XY> binary policy file being created. This file is installed into $SELINUX_POLICY/, where it will be picked up on the next system boot. Some make targets load the policy into memory at runtime. The make policy command builds the policy and puts the binary policy file in the source directory, $SELINUX_SRC/policy.<XY>.
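The three steps above map onto a chain of make rules, each firing only when a prerequisite is newer than its target, which is also where the timestamp pitfalls in Section 7.1 come from. The following Makefile is an added, illustrative example, not the Makefile shipped with the SELinux policy sources: it keeps only the users file and the TE files as inputs (the real build concatenates many more source files, in a fixed order, and passes distribution-specific parameters to m4), uses placeholder values for the policy version (the XY in policy.XY) and the install directory, and is meant to be run from $SELINUX_SRC.

```makefile
# Added example, not the policy's own Makefile: a minimal dependency chain
# for the three build steps, run from $SELINUX_SRC. Placeholders (assumed):
# POLICYVER (the XY in policy.XY) and SELINUX_POLICY (install directory).
POLICYVER      ?= XY
SELINUX_POLICY ?= /etc/security/selinux
CHECKPOLICY    ?= checkpolicy
LOAD_POLICY    ?= load_policy
M4             ?= m4

# Step 1 inputs: the users file plus every TE file under domains/ except
# domains/unused/. The real build includes many more files, in a fixed order.
TE_FILES     := $(shell find domains -path domains/unused -prune -o -name '*.te' -print)
POLICY_FILES := users $(TE_FILES)

# Steps 1 and 2: concatenate, then expand macros with m4 into policy.conf.
# make compares timestamps only: a TE file moved in with an older mtime, or
# removed from the list, leaves policy.conf "up to date" and this rule idle.
policy.conf: $(POLICY_FILES)
	cat $^ | $(M4) > $@

# Step 3: checkpolicy compiles policy.conf into the binary policy file.
policy.$(POLICYVER): policy.conf
	$(CHECKPOLICY) -o $@ $<

policy: policy.$(POLICYVER)

install: policy
	install -m 0644 policy.$(POLICYVER) $(SELINUX_POLICY)/

# tmp/load is a timestamp marker touched after a successful load, so "make
# load" reloads only when policy.XY is newer than it.
tmp/load: policy.$(POLICYVER)
	$(LOAD_POLICY) $<
	mkdir -p tmp && touch $@

load: install tmp/load

clean:
	rm -f policy.conf policy.$(POLICYVER) tmp/load

.PHONY: policy install load clean
```

With this layout, make -W users load behaves as the guide describes: GNU make's -W flag treats users as if it had just been modified, so policy.conf, policy.XY and tmp/load are regenerated regardless of their actual timestamps, and make -W domains/misc/local.te load does the same for a single TE file.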