The policy configuration is compiled into a binary representation that can be loaded by the example security server. In addition to compiling and loading the policy, filesystems must be labeled appropriately in order for the policy to be applied to a system. This section describes how the policy is compiled and loaded, and how the file contexts configuration is applied to the filesystem.
The example policy configuration must be compiled into a binary representation before it can be read by the example security server. The compilation is performed by running make in the policy directory. The compilation involves three steps. First, the example policy configuration files are concatenated together. Second, the m4 macro processor is applied to the resulting concatenation to expand macros, yielding the policy.conf file. Third, the checkpolicy policy compiler is run on this file to generate the binary representation in the policy.VERSION file, where VERSION represents the policy version number.
The policy.VERSION file can be installed into the /etc/security/selinux directory by running make install. The policy will then be loaded by the example security server when the kernel is next rebooted. If a runtime policy change is desired (and authorized by the policy configuration), then the make load command can be run to load the policy into a running kernel. In the example policy configuration, dynamically reloading the policy can only be done by the sysadm_t domain.
The file contexts configuration must be applied to the filesystem, creating or updating the persistent label mappings, before it is used by the kernel. The persistent label mappings can be created or updated by running make relabel in the policy directory. This command involves two steps. The file contexts configuration files under the file_contexts subdirectory are first concatenated together to form the file_contexts/file_contexts specification file. The setfiles utility is run on this specification file, applying the file security contexts to all mounted ext2, ext3, or reiserfs filesystems. This is initially done during installation.
After SELinux has been installed, the persistent label mapping in each filesystem is maintained dynamically by the SELinux kernel to reflect create, delete, and relabel operations. However, make relabel can be run on the SELinux kernel to update the persistent label mappings with a new file contexts configuration or to reset the mappings to the original configuration. When run on a SELinux kernel, the setfiles utility uses the new SELinux system calls to set the file security contexts rather than directly accessing the mapping. Naturally, directly accessing the mapping would be dangerous, since it would not update the kernel's internal state and it could conflict with accesses by the kernel.
A variant of the make relabel command is the make reset command. This command runs the setfiles utility with the -R option, which forces it to directly create new mappings from scratch even when running on a SELinux kernel. Any existing mappings are moved aside and will continue to be used by a running SELinux kernel until the kernel is rebooted. If an ordinary Linux kernel is running and no mappings already exist, then make reset is equivalent to make relabel. This command is used by the installation procedure to initialize the mappings for the newly installed (but not yet loaded) policy regardless of whether the existing system is running an ordinary Linux kernel or a SELinux kernel with an older policy. When the system is subsequently rebooted, the new policy and the new mappings take effect together. This approach avoids potential problems with incompatibilities between the old and new policies during the installation.
The setfiles utility can be run with the -s option to read a list of pathnames from standard input and only relabel the listed files based on the file contexts configuration rather than traversing an entire filesystem. This option is useful for relabeling a specific set of files, e.g. upon installing or upgrading a package. The chcon file utility or the chsid test program can also be used to set the security context of a file when running on the SELinux kernel. These programs use the new SELinux system calls and only work on a SELinux kernel. The usage of these programs is similar to the chown or chmod utilities. However, it is generally desirable to update the file contexts configuration to reflect any changes made using these programs so that these changes will not be lost upon subsequent executions of make relabel.
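The two steps of make relabel described above (concatenating the file_contexts fragments, then applying the specification) and the -s mode of setfiles, modelled as an added shell example. This is not code from the SELinux distribution, its Makefile or the setfiles utility: the fragment names and contexts are constructed, the concatenation order and the rule that the last matching specification wins are assumptions of this model, and nothing here calls setfiles or changes the labels of real files.

```shell
#!/bin/sh
# Added example, not from the SELinux distribution: a model of the
# "make relabel" concatenation step and of "setfiles -s" resolving a list
# of pathnames against the file contexts specification.  All data below is
# constructed; no real files are relabeled.

WORK=$(mktemp -d)
FC_DIR="$WORK/file_contexts"
mkdir -p "$FC_DIR/program"

# Constructed fragments in the file_contexts line format:
#   <regex> [<file type>] <security context>
# With last-match-wins resolution (an assumption of this model), the generic
# /etc(/.*)? line must precede the more specific /etc/shadow line.
cat > "$FC_DIR/types.fc" <<'EOF'
# generic file types (constructed)
/etc(/.*)?        system_u:object_r:etc_t
/etc/shadow       system_u:object_r:shadow_t
/bin(/.*)?        system_u:object_r:bin_t
EOF
cat > "$FC_DIR/program/su.fc" <<'EOF'
/bin/su    --    system_u:object_r:su_exec_t
EOF

# Step one of "make relabel": concatenate the fragments into the single
# file_contexts/file_contexts specification.  The order is assumed here
# (types.fc first, then per-program fragments); it matters because it
# decides which specification wins when several match a pathname.
build_spec() {
    cat "$FC_DIR/types.fc" "$FC_DIR"/program/*.fc > "$FC_DIR/file_contexts"
    printf '%s\n' "$FC_DIR/file_contexts"
}

# Resolve one pathname: scan every specification line, keep the context of
# the last one whose regex matches the whole pathname, fail if none does.
resolve_context() {
    spec=$1 path=$2 found=
    while read -r regex f2 f3; do
        case $regex in ''|\#*) continue ;; esac
        # The file type column ("--", "-d", ...) is optional.
        if [ -n "$f3" ]; then ctx=$f3; else ctx=$f2; fi
        if printf '%s\n' "$path" | grep -Eqx -- "$regex"; then
            found=$ctx
        fi
    done < "$spec"
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# "setfiles -s" analogue: pathnames arrive on standard input, one per line.
# Print "<path> <context>" for each matched path; leave unmatched paths
# alone, report them, and return non-zero so the caller notices the gap.
relabel_listed() {
    spec=$1 rc=0
    while read -r path; do
        [ -n "$path" ] || continue
        if ctx=$(resolve_context "$spec" "$path"); then
            printf '%s %s\n' "$path" "$ctx"
        else
            printf 'no specification for %s, left unchanged\n' "$path" >&2
            rc=1
        fi
    done
    return $rc
}

SPEC=$(build_spec)
# Typical use: a package's file list piped in, as one would do with setfiles -s.
printf '%s\n' /etc/passwd /etc/shadow /bin/su /bin/ls /tmp/scratch \
    | relabel_listed "$SPEC" || echo "some paths need a file contexts entry" >&2
```

The unmatched /tmp/scratch path shows the check a practitioner wants after a package install: a listed file with no specification is reported rather than silently skipped, which is the cue to add an entry to the file contexts configuration before the next make relabel rather than fixing the label by hand with chcon.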