From: Stephen Smalley <sds@tycho.nsa.gov>
To: selinux@tycho.nsa.gov
Subject: Re: does load_policy default to loading the lowest polvers available?
Date: Wed, 14 Oct 2015 09:56:04 -0400
Message-ID: <561E5EF4.9080606@tycho.nsa.gov>
In-Reply-To: <20151014133408.GA5222@x250>

On 10/14/2015 09:34 AM, Dominick Grift wrote:
>
> I had some issue that just confused me (to say the least). It seems that
> I have now solved this.
>
> There were two policy.X files in my /etc/selinux/SELINUXTYPE/policy dir,
> one 29 and one 30. The 29 seemingly had a bug in it.
>
> It seems that load_policy (or its libselinux equivalent) defaults to
> the lowest policy available (29 instead of 30 in this case).
>
> Why is that?
>
> I fixed the issue by removing the policy.29 file (I think at least)

What policy versions were supported by your kernel (cat
/sys/fs/selinux/policyvers) and by your libsepol (checkpolicy -V)?

load_policy will try to use the highest policy version that is supported
by the kernel or by your libsepol. If supported by the kernel, it can
just load the file directly. Otherwise, it can use libsepol to
downgrade the policy to the highest version supported by the kernel and
then load the result. If the version is not supported by either the
kernel or your libsepol, then it cannot be loaded and it will fall back
to an older version.
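
The selection order described in this reply, modelled as an added shell example (not code from the original message or from libselinux). `predict_policy` is a hypothetical helper, the sample directory is constructed, and the search that steps down one version at a time is an assumption about how the fallback proceeds.

```shell
#!/bin/sh
# predict_policy KERNEL_MAX LIBSEPOL_MAX POLICY_DIR   (hypothetical helper)
# Prints "policy.N direct" or "policy.N downgrade-to-KERNEL_MAX";
# returns 1 when no loadable policy.N file exists in POLICY_DIR.
predict_policy() {
    kernel_max=$1 libsepol_max=$2 dir=$3
    # Start from the highest version supported by the kernel or by libsepol.
    if [ "$kernel_max" -ge "$libsepol_max" ]; then
        vers=$kernel_max
    else
        vers=$libsepol_max
    fi
    # Fall back to older versions until a matching file is found (assumed order).
    while [ "$vers" -gt 0 ]; do
        if [ -f "$dir/policy.$vers" ]; then
            if [ "$vers" -le "$kernel_max" ]; then
                # The kernel understands this version: load the file as is.
                echo "policy.$vers direct"
            else
                # Only libsepol understands it: downgrade before loading.
                echo "policy.$vers downgrade-to-$kernel_max"
            fi
            return 0
        fi
        vers=$((vers - 1))
    done
    return 1
}

# Constructed sample: a policy directory holding both policy.29 and policy.30.
demo_dir=$(mktemp -d)
: > "$demo_dir/policy.29"
: > "$demo_dir/policy.30"
for pair in "30 30" "29 29" "29 30"; do
    set -- $pair
    printf 'kernel=%s libsepol=%s -> %s\n' "$1" "$2" \
        "$(predict_policy "$1" "$2" "$demo_dir")"
done
rm -rf "$demo_dir"
```

On a live system the two version arguments come from the commands named in the reply, and the directory is /etc/selinux/SELINUXTYPE/policy.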