| 1 |
For those SELinux users unfamiliar, the compiled policy is versioned. |
| 2 |
The first version that was merged into 2.6 months ago, and also is in |
| 3 |
the 2.4 backports has been version 15. The version number only has to |
| 4 |
be incremented when new features are added that require changes to the |
| 5 |
structure of the compiled policy. In 2.6.5, conditional policy |
| 6 |
extensions have been added. These "policy booleans" enable and disable |
| 7 |
policy rules at runtime, without reloading the policy (the ability to |
| 8 |
enable or disable a boolean is, of course, controlled by policy). This |
| 9 |
required a bump to version 16. In 2.6.6-rc1, ipv6 support has been |
| 10 |
added, requiring a bump to version 17. Normally, the policy versions |
| 11 |
don't get bumped quickly like this, but the NSA and friends are hard at |
| 12 |
work adding things, lately. |
| 13 |
|
| 14 |
How does this affect Gentoo SELinux users? The new 2004.1 profiles will |
| 15 |
be the first to have a policy compiler that can compile different policy |
| 16 |
versions. The only adjustment needed is in the policy Makefile |
| 17 |
(starting with base-policy 20040418). In the Makefile, around line 23 |
| 18 |
there is a line that looks like this: |
| 19 |
|
| 20 |
POLICYCOMPAT = -c 15 |
| 21 |
|
| 22 |
Normally, checkpolicy 1.10 will create a policy for the current version |
| 23 |
(17). With the above option uncommented, a compatibility policy can be |
| 24 |
created. The above statement will create version 15 policy, and it can |
| 25 |
be changed to 16. To compile a version 17 policy, this statement should |
| 26 |
be commented out. |
| 27 |
|
| 28 |
How can I tell which version policy my kernel supports? There are |
| 29 |
several ways to determine the kernel's policy version. A change to the |
| 30 |
kernel eclass has been made that will display the policy version that |
| 31 |
the kernel expects: |
| 32 |
|
| 33 |
* The SELinux policy version of this kernel is 16. |
| 34 |
|
| 35 |
The policy version of the current kernel can be determined by running |
| 36 |
sestatus, or run `policyvers`. On a side note, current kernels can load |
| 37 |
the previous version policy, for compatibility (v17 can load v16), but |
| 38 |
this may change in the future. |
| 39 |
|
| 40 |
On Mon, 2004-04-19 at 05:26, fanfan wrote: |
| 41 |
> HI all, I have made all the things it sould be done in order to update |
| 42 |
> my SELinux but the policy is still the 15 one ! |
| 43 |
> I don't manage to install the 16 one |
| 44 |
> Thank you.. |
| 45 |
[cut] |
| 46 |
> Policy version: 15 |
| 47 |
|
| 48 |
You still want a v15 policy :) |
| 49 |
|
| 50 |
-- |
| 51 |
Chris PeBenito |
| 52 |
<pebenito@g.o> |
| 53 |
Developer, |
| 54 |
Hardened Gentoo Linux |
| 55 |
Embedded Gentoo Linux |
| 56 |
|
| 57 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 58 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives