selinux January 2010 archive

Re: Building MLS/MCS policy

From: Guido Trentalancia <guido_at_nospam>
Date: Tue Jan 26 2010 - 15:46:13 GMT
To: Stephen Smalley <sds@tycho.nsa.gov>


Stephen,

what I propose is to add a few lines of documentation explaining the process of switching between different policy types (see the two patches below, one for load_policy and the other for the reference policy).

diff -pru policycoreutils-2.0.77/load_policy/load_policy.8 policycoreutils-2.0.77-new/load_policy/load_policy.8 --- policycoreutils-2.0.77/load_policy/load_policy.8 2009-11-19 23:16:03.000000000 +0100
+++ policycoreutils-2.0.77-new/load_policy/load_policy.8 2010-01-26 16:26:11.210178317 +0100
@@ -12,6 +12,11 @@ load_policy loads the installed policy f  The existing policy boolean values are automatically preserved  across policy reloads rather than being reset to the default  values in the policy file.
+.PP
+It should be noted that it is not possible to switch between
+a non-MLS/MCS policy and a MLS/MCS policy or viceversa at
+runtime. To switch between such different types of policies
+change the SELinux configuration and reboot the kernel.

 .SH "OPTIONS"
 .TP
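Review bot: Two wording fixes in the added .PP paragraph before this goes into the man page: "viceversa" should be "vice versa", and "a MLS/MCS policy" reads better as "an MLS/MCS policy". The opener "It should be noted that it is not possible" can simply be "It is not possible". The last sentence tells the reader to "change the SELinux configuration" without saying what that means; since this is a man page, name the file and setting explicitly, e.g. "select the new policy with the SELINUXTYPE setting in /etc/selinux/config and reboot", so the reader does not have to guess which configuration is meant.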

diff -pru refpolicy-2.20091117/README refpolicy-2.20091117-new/README --- refpolicy-2.20091117/README 2009-07-14 14:24:46.000000000 +0200
+++ refpolicy-2.20091117-new/README 2010-01-26 16:39:13.272185609 +0100
@@ -267,3 +267,14 @@ refresh Attempts to reinsert all modul xml Build a policy.xml from the XML included with the base policy headers and any XML in the modules in the current directory.
+
+5) Switching between different types of policies (e.g. from non-MLS to MLS)
+
+In order to switch from a non-MLS/non-MCS policy to a MLS or MCS policy
+(and viceversa), make sure to change in build.conf not only the TYPE
+parameter between the two policies but also the NAME parameter (just name
+the new policy differently from the previous one). Also, after building the
+new policy, in order to load it for the first time (and eventually install
+custom modules), it might be necessary to reboot the kernel in permissive
+mode (after having changed the SELinux configuration file to select the
+new policy).
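Review bot: Same spelling and grammar points as in the load_policy hunk ("viceversa" -> "vice versa", "a MLS or MCS policy" -> "an MLS or MCS policy"), plus "eventually install custom modules" should be "possibly install custom modules", as "eventually" means "in the end" in English. Two gaps a reader of this README section will hit: first, the text says the NAME parameter must differ from the previous policy's but not why; if the reason is that keeping the same NAME would overwrite the currently installed policy in place, say so. Second, it says a reboot in permissive mode "might be necessary" but gives neither the condition under which it is necessary nor any instruction to return the system to enforcing mode once the new policy loads cleanly; both belong in this paragraph so that nobody is left running permissive after the switch.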

Regards,

Guido
