selinux January 2010 archive
Main Archive Page > Month Archives  > selinux archives
selinux: Re: Building MLS/MCS policy

Re: Building MLS/MCS policy

From: Guido Trentalancia <guido_at_nospam>
Date: Tue Jan 26 2010 - 15:46:13 GMT
To: Stephen Smalley <>


what I propose is to add a few lines of documentation explaining the process of switching between different policy types (see the two patches below, one for load_policy and the other for the reference policy).

diff -pru policycoreutils-2.0.77/load_policy/load_policy.8 policycoreutils-2.0.77-new/load_policy/load_policy.8 --- policycoreutils-2.0.77/load_policy/load_policy.8 2009-11-19 23:16:03.000000000 +0100
+++ policycoreutils-2.0.77-new/load_policy/load_policy.8 2010-01-26 16:26:11.210178317 +0100
@@ -12,6 +12,11 @@ load_policy loads the installed policy f  The existing policy boolean values are automatically preserved  across policy reloads rather than being reset to the default  values in the policy file.
+It should be noted that it is not possible to switch between
+a non-MLS/MCS policy and a MLS/MCS policy or viceversa at
+runtime. To switch between such different types of policies
+change the SELinux configuration and reboot the kernel.


diff -pru refpolicy-2.20091117/README refpolicy-2.20091117-new/README --- refpolicy-2.20091117/README 2009-07-14 14:24:46.000000000 +0200
+++ refpolicy-2.20091117-new/README 2010-01-26 16:39:13.272185609 +0100
@@ -267,3 +267,14 @@ refresh Attempts to reinsert all modul xml Build a policy.xml from the XML included with the base policy headers and any XML in the modules in the current directory.
+5) Switching between different types of policies (e.g. from non-MLS to MLS)
+In order to switch from a non-MLS/non-MCS policy to a MLS or MCS policy
+(and viceversa), make sure to change in build.conf not only the TYPE
+parameter between the two policies but also the NAME parameter (just name
+the new policy differently from the previous one). Also, after building the
+new policy, in order to load it for the first time (and eventually install
+custom modules), it might be necessary to reboot the kernel in permissive
+mode (after having changed the SELinux configuration file to select the
+new policy).



-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to with the words "unsubscribe selinux" without quotes as the message.