5. Building and Applying the Policy

The policy configuration is compiled into a binary representation that can be loaded by the example security server. In addition to compiling and loading the policy, filesystems must be labeled appropriately in order for the policy to be applied to a system. This section describes how the policy is compiled and loaded, and how the file contexts configuration is applied to the filesystem.

5.1. Compiling and Loading the Policy

The example policy configuration must be compiled into a binary representation before it can be read by the example security server. The compilation is performed by running make in the policy directory. The compilation involves three steps. First, the example policy configuration files are concatenated together. Second, the m4 macro processor is applied to the resulting concatenation to expand macros, yielding the policy.conf file. Third, the checkpolicy policy compiler is run on this file to generate the binary representation in the policy.VERSION file, where VERSION represents the policy version number.

The policy.VERSION file can be installed into the /etc/security/selinux directory by running make install. The policy will then be loaded by the example security server when the kernel is next rebooted. If a runtime policy change is desired (and authorized by the policy configuration), then the make load command can be run to load the policy into a running kernel. In the example policy configuration, dynamically reloading the policy can only be done by the sysadm_t domain.

5.2. Applying the File Contexts Configuration

The file contexts configuration must be applied to the filesystem, creating or updating the persistent label mappings, before it is used by the kernel. The persistent label mappings can be created or updated by running make relabel in the policy directory. This command involves two steps. The file contexts configuration files under the file_contexts subdirectory are first concatenated together to form the file_contexts/file_contexts specification file. The setfiles utility is run on this specification file, applying the file security contexts to all mounted ext2, ext3, or reiserfs filesystems. This is initially done during installation.

After SELinux has been installed, the persistent label mapping in each filesystem is maintained dynamically by the SELinux kernel to reflect create, delete, and relabel operations. However, make relabel can be run on the SELinux kernel to update the persistent label mappings with a new file contexts configuration or to reset the mappings to the original configuration. When run on a SELinux kernel, the setfiles utility uses the new SELinux system calls to set the file security contexts rather than directly accessing the mapping. Naturally, directly accessing the mapping would be dangerous, since it would not update the kernel's internal state and it could conflict with accesses by the kernel.

A variant of the make relabel command is the make reset command. This command runs the setfiles utility with the -R option, which forces it to directly create new mappings from scratch even when running on a SELinux kernel. Any existing mappings are moved aside and will continue to be used by a running SELinux kernel until the kernel is rebooted. If an ordinary Linux kernel is running and no mappings already exist, then make reset is equivalent to make relabel. This command is used by the installation procedure to initialize the mappings for the newly installed (but not yet loaded) policy regardless of whether the existing system is running an ordinary Linux kernel or a SELinux kernel with an older policy. When the system is subsequently rebooted, the new policy and the new mappings take effect together. This approach avoids potential problems with incompatibilities between the old and new policies during the installation.

The setfiles utility can be run with the -s option to read a list of pathnames from standard input and only relabel the listed files based on the file contexts configuration rather than traversing an entire filesystem. This option is useful for relabeling a specific set of files, e.g. upon installing or upgrading a package. The chcon file utility or the chsid test program can also be used to set the security context of a file when running on the SELinux kernel. These programs use the new SELinux system calls and only work on a SELinux kernel. The usage of these programs is similar to the chown or chmod utilities. However, it is generally desirable to update the file contexts configuration to reflect any changes made using these programs so that these changes will not be lost upon subsequent executions of make relabel.
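As an added example (not code from the original document or from the SELinux distribution), the following Python model shows how a file contexts specification like the one built by make relabel is matched against pathnames, in the manner of setfiles -s reading a list of files from standard input. The specification syntax ("regex [type] context", with <<none>> meaning leave the file unlabeled) follows the file_contexts conventions, the sample entries are constructed, and the rule that the last matching entry wins is stated as an assumption about setfiles' behaviour.

```python
import re
# Constructed sample of a file_contexts specification (not from the document).
# Each line is "regex [file-type] security_context": the regex must match the
# whole pathname; the optional type field (-- regular file, -d directory, ...)
# restricts the entry to one kind of inode; <<none>> means leave unlabeled.
SAMPLE_FILE_CONTEXTS = """
/.*                  system_u:object_r:file_t
/etc(/.*)?           system_u:object_r:etc_t
/etc/shadow      --  system_u:object_r:shadow_t
/home/[^/]+(/.*)?    system_u:object_r:user_home_t
/tmp             -d  system_u:object_r:tmp_t
/proc(/.*)?          <<none>>
"""
TYPE_FIELDS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
               "-b": "blk", "-s": "sock", "-p": "fifo"}

def parse_file_contexts(text):
    """Return a list of (compiled_regex, file_type_or_None, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
            ftype = TYPE_FIELDS[ftype]  # KeyError flags a malformed type field
        elif len(fields) == 2:
            regex, ctx = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append((re.compile(regex), ftype, ctx))
    return specs

def match_context(specs, path, ftype="file"):
    """Context setfiles would assign to `path`, an inode of kind `ftype`.
    Assumption about setfiles: when several entries match, the LAST one in
    the specification wins, so general entries precede specific ones.
    Returns None for unmatched paths and for <<none>> entries."""
    winner = None
    for regex, spec_type, ctx in specs:
        if regex.fullmatch(path) and spec_type in (None, ftype):
            winner = ctx
    return None if winner in (None, "<<none>>") else winner

def relabel_listing(specs, paths):
    """Model of `setfiles -s`: map each (pathname, inode kind) from a listing
    to the context it would receive (None = left alone)."""
    return {p: match_context(specs, p, t) for p, t in paths}
```

Feeding the same pathnames through the real setfiles -s on a SELinux kernel would set these contexts via the SELinux system calls; the model only reports which entry of the specification each path resolves to.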