For those SELinux users who are unfamiliar, the compiled policy is versioned.
The first version, which was merged into 2.6 months ago and is also in
the 2.4 backports, was version 15. The version number only has to
be incremented when new features are added that require changes to the
structure of the compiled policy. In 2.6.5, conditional policy
extensions have been added. These "policy booleans" enable and disable
policy rules at runtime, without reloading the policy (the ability to
enable or disable a boolean is, of course, controlled by policy). This
required a bump to version 16. In 2.6.6-rc1, ipv6 support has been
added, requiring a bump to version 17. Normally, the policy versions
don't get bumped quickly like this, but the NSA and friends have been hard at
work adding things lately.

How does this affect Gentoo SELinux users? The new 2004.1 profiles will
be the first to have a policy compiler that can compile different policy
versions. The only adjustment needed is in the policy Makefile
(starting with base-policy 20040418). In the Makefile, around line 23
there is a line that looks like this:

POLICYCOMPAT = -c 15

Normally, checkpolicy 1.10 will create a policy for the current version
(17). With the above option uncommented, a compatibility policy can be
created. The above statement will create a version 15 policy, and it can
be changed to 16. To compile a version 17 policy, this statement should
be commented out.

How can I tell which policy version my kernel supports? There are
several ways to determine the kernel's policy version. A change to the
kernel eclass has been made that will display the policy version that
the kernel expects:

* The SELinux policy version of this kernel is 16.

The policy version of the current kernel can also be determined by running
sestatus or `policyvers`. On a side note, current kernels can load
the previous version policy, for compatibility (v17 can load v16), but
this may change in the future.

On Mon, 2004-04-19 at 05:26, fanfan wrote:
> Hi all, I have made all the things it should be done in order to update
> my SELinux but the policy is still the 15 one !
> I don't manage to install the 16 one
> Thank you..
[cut]
> Policy version: 15

You still want a v15 policy :)

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243