Re: does load_policy default to loading the lowest polvers available?

[Stephen Smalley <sds@tycho.nsa.gov>]

On 10/14/2015 10:29 AM, Dominick Grift wrote:
> On Wed, Oct 14, 2015 at 10:17:04AM -0400, Stephen Smalley wrote:
>> On 10/14/2015 10:11 AM, Dominick Grift wrote:
>>> On Wed, Oct 14, 2015 at 09:56:04AM -0400, Stephen Smalley wrote:
>>>> On 10/14/2015 09:34 AM, Dominick Grift wrote:
>>>>>
>>>>> I had some issue that just confused me (to say the least) It seems that
>>>>> I have now solved this.
>>>>>
>>>>> There were two policy.X files in my /etc/selinux/SELINUXTYPE/policy dir,
>>>>> on 29 an one 30. The 29 seemingly had a bug in it.
>>>>>
>>>>> It seems that load_policy (or its libselinux equivalent) defaults to
>>>>> the lowest policy available (29 instead of 30 in this case)
>>>>>
>>>>> Why is that?
>>>>>
>>>>> I fixed the issue by removing the policy.29 file (i think at least)
>>>
>>>> What policy versions were supported by your kernel (cat
>>>> /sys/fs/selinux/policyvers) and by your libsepol (checkpolicy -V)?
>>>
>>> /sys/fs/selinux/policyvers says: version 30, and checkpolicy says: 29 (compatibility range 29-15)
>>>
>>> That is weird because i have the latest libsepol installed (atleast
>>> pretty recent):
>>>
>>> # rpm -qa {libsepol*,libselinux*}
>>> libselinux-utils-2.4-9999.git5aeb4c3.fc24.x86_64
>>> libselinux-2.4-9999.git5aeb4c3.fc24.x86_64
>>> libsepol-2.4-9999.git5aeb4c3.fc24.x86_64
>
>> Last release of libsepol predated policy 30 support.
>
>> However, if your kernel supports it, it should still be loaded.
>> The logic is in selinux/libselinux/src/load_policy.c:
>> selinux_mkload_policy().  With any modern kernel and configuration,
>> libselinux should not need to patch in local definitions or booleans
>> (already applied by libsemanage or preserved by the kernel), so maxvers
>> should be set to the max of the kernel version (/sys/fs/selinux/policyvers)
>> and the libsepol-supported version, and that should get loaded.
>
>> strace of load_policy might be interesting.
>
> That is the thing indeed. It works fine if i manually run
> load_policy. But when i reboot it seemed to go back to the old one. (I am
> not sure how fedora currently loads the policy)
>
> I removed the policy.29 now so i can't easily reproduce it now. and i do
> not think an strace of a manual load_policy will reveal much as that
> works fine and as expected. The problem only occurred when i rebooted
> (when fedora load policy instead of me)
>
> Ohh , hmm maybe its a fedora initramfs issue... they probably have some
> old stuff in there

AFAIK, systemd just calls selinux_init_load_policy() in libselinux (aka 
load_policy -i).  And the approach to selecting a policy version has 
been stable for quite a while, so I wouldn't expect the libselinux in 
the initramfs to differ in this respect.