Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




7.2. What Happens During Policy Build

There are multiple events during policy build, some depending on which make target you choose. The end result is a binary policy file, with several ancillary files created in the process, including policy.conf. The compilation itself follows the same essential steps regardless of the make target:

  1. All of the configuration files from the $SELINUX_SRC/ tree that are used in the policy are concatenated together. This is a pre-processed state.

    The source configuration files are discussed extensively in Chapter 2 SELinux Policy Overview. The basic qualification for inclusion is to have a TE file in $SELINUX_SRC/domains/, but not in the domains/unused/ directory.

  2. The m4 pre-processor takes the aggregate configuration input and expands the macros, making the policy.conf file.

  3. The checkpolicy policy compiler runs against policy.conf, resulting in the policy.<XY> binary policy file being created. This file is installed into $SELINUX_POLICY/, where it will be picked up on next system boot. Some make targets load the policy into memory during runtime. The make policy command builds the policy and puts the binary policy file in the source directory, $SELINUX_SRC/policy.<XY>.

During the compilation, several files and a directory are created or updated. The most important is $SELINUX_SRC/policy.conf. Also in the $SELINUX_SRC/ directory is tmp/, which contains temporary build files, including load. This file is a zero-byte file that is used by the Makefile to determine the time the policy was last loaded. Finally, the file $SELINUX_SRC/file_contexts/file_contexts is created, which is a concatenation of all of the various file contexts files in the source tree.

At the heart of the compilation is checkpolicy. This tool compiles the policy into its binary form, and can also be used to validate the policy. Policy compilation is best left to the Makefile to handle, but you can gain some insight into any binary policy file using checkpolicy:

# By itself, checkpolicy looks for a policy.conf file in the
# current working directory, which might normally be $SELINUX_SRC/.

checkpolicy:  loading policy configuration from policy.conf
security:  3 users, 4 roles, 316 types, 20 bools
security:  53 classes, 9815 rules
checkpolicy:  policy configuration loaded

# You can specify a binary policy file with -b:

checkpolicy -b $SELINUX_POLICY/policy.18
checkpolicy:  loading policy configuration from \
security:  3 users, 4 roles, 316 types, 20 bools
security:  53 classes, 9817 rules
checkpolicy:  policy configuration loaded

  Published under the terms of the GNU General Public License Design by Interspire