Chapter 7.

Compiling SELinux Policy

Warning

The commands and steps covered in this chapter may render your system inoperable or unable to

be supported.

Nothing in this chapter should be performed on a production system without having been thoroughly

tested in a development or sandbox environment first.

If you are going to compile and install a custom policy, be prepared to take the actions you need

to safeguard your data and installation. Proper backup procedures, change reversal plans, and an

informed methodology are key to your success.

This chapter covers the considerations and methods for compiling SELinux policy. Following instruc 

tions on compiling SELinux policy, this chapter presents some reference information and considera 

tions.

7.1. Policy Compile Procedure

Policy is usually compiled to enable a customization to take effect on your system. You may also

compile policy under development, such as when working on writing a new policy or SELinux aware

application.

When you install a new policy, you must eventually reboot to test that it works during system start up.

If the policy change is significant enough, such as installing an entirely new policy, you need to reboot

to ensure all applications are running in the right context for the loaded policy. This is similar to any

major configuration change under Linux; you want to be sure it works properly from system start up

on at least one production equivalent machine.

Note

Policy updates from Red Hat should not require a reboot after installation. If a reboot were required,

that fact would be clearly noted in the package advisory.

A reboot is required when the policy change is significantly different. For example, switching from the

targeted to the strict policy requires a reboot. Ordinary policy updates do not.

To compile SELinux policy:

Compiling the SELinux Policy

1.

cd /etc/selinux/targeted/src/policy/