Chapter 7. Compiling SELinux Policy
2. Policy compiles if there are new or changed files in certain locations in the source tree. Those files must have a later timestamp than policy.conf. If you want to compile the policy but cannot because of the timestamp, you can force a compile.
To compile the policy, run make make_policy_target.
If you need to force a policy build, run make -W users load. The target can be any make_policy_target from the Makefile.
The -W option tells make to act as if the command touch had been run on the file users. This virtual update of the timestamp is only from the perspective of make. It triggers the Makefile to build and load the policy because the virtual change to the users file gives it a later timestamp than the policy.conf file.
In order to compile the policy, you need to install the policy source package, selinux-policy-targeted-sources-<version>.
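The forced build described above can be reproduced on a throwaway tree to confirm that make's what-if option (-W) rebuilds without changing the real timestamp of users. This is an added example, not part of the original guide or the SELinux policy sources; the three-rule Makefile, the file contents and the function name demo_force_build are constructed for illustration, and GNU make is assumed.

```shell
#!/bin/sh
# Added example on a constructed toy tree; this is not the SELinux policy Makefile.
# Dependency chain modeled after the text: users -> policy.conf -> tmp/load.

demo_force_build() {
    dir=$(mktemp -d) || return 1

    # Constructed Makefile (printf writes the tabs that recipe lines require).
    printf 'load: tmp/load\n' > "$dir/Makefile"
    printf 'tmp/load: policy.conf\n\t@touch tmp/load && echo loaded\n' >> "$dir/Makefile"
    printf 'policy.conf: users\n\t@cp users policy.conf && echo compiled\n' >> "$dir/Makefile"

    # Fixed timestamps: the source is older than everything built from it,
    # so a plain make sees nothing to do.
    mkdir "$dir/tmp"
    echo 'user root roles { system_r };' > "$dir/users"   # constructed content
    touch -t 202001010000 "$dir/users"
    touch -t 202001010005 "$dir/ref"          # marker just after users
    touch -t 202001020000 "$dir/policy.conf"
    touch -t 202001030000 "$dir/tmp/load"

    plain=$(cd "$dir" && make -s load 2>&1)
    forced=$(cd "$dir" && make -s -W users load 2>&1)
    # Empty unless users now has a newer on-disk mtime than the marker.
    touched=$(find "$dir/users" -newer "$dir/ref")
    rm -rf "$dir"

    case $plain in *compiled*) p=rebuilt ;; *) p=skipped ;; esac
    case $forced in *compiled*loaded*) f=rebuilt ;; *) f=skipped ;; esac
    if [ -z "$touched" ]; then t=unchanged; else t=changed; fi
    echo "plain=$p forced=$f users_mtime=$t"
}

demo_force_build
```

The summary line shows the plain run skipping the build, the -W run compiling and loading, and the users file keeping its original modification time.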
The Significant Policy make Targets list that follows discusses important make targets in the SELinux policy sources. The Makefile itself has more options that you can explore yourself.
Significant Policy make Targets
load
Compiles, installs, and fully loads the policy into memory. This runs load_policy and installs $SELINUX_POLICY/policy.XY and /etc/selinux/targeted/contexts/files/file_contexts. When the policy gets loaded, the file $SELINUX_SRC/tmp/load is created. The Makefile does not compile the policy as long as nothing has changed in the policy source tree since the creation time on the file policy.conf.
reload
Compiles, installs, and loads or reloads the policy. Reloading lets you load the policy at runtime even if the file $SELINUX_SRC/tmp/load is present and newer than the last changes in the policy source.
policy
Only compiles the policy, putting the resulting binary policy file into $SELINUX_SRC/policy.XY. It also creates a new policy.conf file, file_contexts/file_contexts, and so forth. This is useful for developing policy that you intend to deploy on another machine.
relabel
Relabels the file system using the policy sources, based on the file $SELINUX_SRC/file_contexts/file_contexts. As explained in Section 5.2.2 Relabel a File System, this is not the recommended method for relabeling a file system.
enableaudit
Enables auditing on all of the policy rules that are marked dontaudit. The enableaudit target changes the dontaudit rules in policy.conf, which is then loaded.
cd $SELINUX_SRC/
make enableaudit
make load
This is useful for troubleshooting if you are getting SELinux denials that are not generating audit messages. This is usually discovered by testing with setenforce 0 to see if the operation is then allowed.