94

Chapter 7. Compiling SELinux Policy

During the compilation, several files and a directory are created or updated. The most

important is

$SELINUX_SRC/policy.conf

. Also in the

$SELINUX_SRC/

directory is

tmp/

, which contains temporary build files, including

load

. This file is a zero byte file that

is used by the

Makefile

to determine the time the policy was last loaded. Finally, the file

$SELINUX_SRC/file_contexts/file_contexts

is created, which is a concatenation of all of

the various file contexts files in the source tree.

At the heart of the compilation is

checkpolicy

. This tool compiles the policy into its binary form,

and can also be used to validate the policy. Policy compilation is best left to the

Makefile

to handle,

but you can gain some insight into any binary policy file using

checkpolicy

:

# By itself, checkpolicy looks for a policy.conf file in the

# current working directory, which might normally be $SELINUX_SRC/.

cd $SELINUX_SRC/

checkpolicy

checkpolicy:

loading policy configuration from policy.conf

security:

3 users, 4 roles, 316 types, 20 bools

security:

53 classes, 9815 rules

checkpolicy:

policy configuration loaded

# You can specify a binary policy file with  b:

checkpolicy  b $SELINUX_POLICY/policy.18

checkpolicy:

loading policy configuration from \

/etc/selinux/targeted/policy/policy.18

security:

3 users, 4 roles, 316 types, 20 bools

security:

53 classes, 9817 rules

checkpolicy:

policy configuration loaded