* getpolicyload returns 0, 2, 3, 4, ...
From: Petr Lautrbach @ 2023-11-21 20:27 UTC
To: selinux
Hi,

Milos Malik noticed [0] that getpolicyload "skips" 1 after the first
`semodule -R`:

[root@fedora ~]# getpolicyload
0
[root@fedora ~]# semodule -R
[root@fedora ~]# getpolicyload
2
[root@fedora ~]# semodule -R
[root@fedora ~]# getpolicyload
3
[root@fedora ~]# semodule -R
[root@fedora ~]# getpolicyload
4

Why is it like that?

It looks like the increased sequence is not propagated after the first
policyload and it's propagated to the status after the second
policyload.

[0] https://src.fedoraproject.org/tests/selinux/pull-request/451#comment-168398
* Re: getpolicyload returns 0, 2, 3, 4, ...
From: William Roberts @ 2023-11-22 18:32 UTC
To: Petr Lautrbach; +Cc: selinux
On Tue, Nov 21, 2023 at 2:27 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>
> Hi,
>
> Milos Malik noticed [0] that getpolicyload "skips" 1 after the first
> `semodule -R`:
>
>
> [root@fedora ~]# getpolicyload
> 0
> [root@fedora ~]# semodule -R
> [root@fedora ~]# getpolicyload
> 2
> [root@fedora ~]# semodule -R
> [root@fedora ~]# getpolicyload
> 3
> [root@fedora ~]# semodule -R
> [root@fedora ~]# getpolicyload
> 4
>
> Why is it like that?
>
> It looks like the increased sequence is not propagated after the first
> policyload and it's propagated to the status after the second
> policyload.
>
>
> [0] https://src.fedoraproject.org/tests/selinux/pull-request/451#comment-168398
>

It may not be one, but never zero, so it's OK to skip 1 per this comment:
- https://elixir.bootlin.com/linux/latest/source/security/selinux/status.c#L57

On the creation of the page, the policyload is set to 0; on updates,
the seqno is used:
- https://elixir.bootlin.com/linux/latest/source/security/selinux/status.c#L104

Definitely odd behavior, but seems expected. I just don't know why
seqno isn't used on page creation.

Bill
* Re: getpolicyload returns 0, 2, 3, 4, ...
From: Christian Göttsche @ 2023-11-22 18:53 UTC
To: William Roberts; +Cc: Petr Lautrbach, selinux
On Wed, 22 Nov 2023 at 19:33, William Roberts <bill.c.roberts@gmail.com> wrote:
>
> On Tue, Nov 21, 2023 at 2:27 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
> >
> > Hi,
> >
> > Milos Malik noticed [0] that getpolicyload "skips" 1 after the first
> > `semodule -R`:
> >
> >
> > [root@fedora ~]# getpolicyload
> > 0
> > [root@fedora ~]# semodule -R
> > [root@fedora ~]# getpolicyload
> > 2
> > [root@fedora ~]# semodule -R
> > [root@fedora ~]# getpolicyload
> > 3
> > [root@fedora ~]# semodule -R
> > [root@fedora ~]# getpolicyload
> > 4
> >
> > Why is it like that?
> >
> > It looks like the increased sequence is not propagated after the first
> > policyload and it's propagated to the status after the second
> > policyload.
> >
> >
> > [0] https://src.fedoraproject.org/tests/selinux/pull-request/451#comment-168398
> >
>
> It may not be one, but never zero, so it's OK to skip 1 per this comment:
> - https://elixir.bootlin.com/linux/latest/source/security/selinux/status.c#L57
>
> On the creation of the page, the policyload is set to 0; on updates,
> the seqno is used:
> - https://elixir.bootlin.com/linux/latest/source/security/selinux/status.c#L104
>
> Definitely odd behavior, but seems expected. I just don't know why
> seqno isn't used on page creation.
>
> Bill
The initial policy load will call selinux_status_update_policyload(1),
trying to set the sequence number to 1, but probably the status page
is not yet allocated.
It is only allocated on first access of /selinux/status (see
selinuxfs.c:sel_open_handle_status()).
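
The sequence of events described in this thread, as an added C model (not kernel code and not written by any of the posters). The struct and function names are hypothetical, and `seed_on_create` is a hypothetical variant showing what seeding the page from the current seqno at creation would report instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the behaviour described in the thread; names are hypothetical. */
struct status_page { uint32_t policyload; };
struct model {
    struct status_page *page; /* NULL until the status file is first opened */
    uint32_t seqno;           /* policy sequence number, bumped on every load */
    int seed_on_create;       /* hypothetical variant: seed page from seqno */
};

/* Policy load: the sequence number advances; the page is written only if it exists. */
static void model_policy_load(struct model *m)
{
    m->seqno++;
    if (m->page)
        m->page->policyload = m->seqno;
}

/* First read allocates the page lazily; policyload starts at 0 unless seeded. */
static uint32_t model_getpolicyload(struct model *m)
{
    if (!m->page) {
        m->page = calloc(1, sizeof(*m->page));
        if (!m->page) abort();
        if (m->seed_on_create)
            m->page->policyload = m->seqno;
    }
    return m->page->policyload;
}

/* Boot-time load, then n reads with a reload (semodule -R) after each read. */
static void run_session(int seed_on_create, uint32_t *out, int n)
{
    struct model m = { NULL, 0, seed_on_create };
    model_policy_load(&m);              /* initial load: seqno 1, no page yet */
    for (int i = 0; i < n; i++) {
        out[i] = model_getpolicyload(&m);
        model_policy_load(&m);          /* models `semodule -R` */
    }
    free(m.page);
}
int main(void)
{
    uint32_t v[4];
    run_session(0, v, 4);               /* behaviour reported in the thread */
    printf("%u %u %u %u\n", (unsigned)v[0], (unsigned)v[1], (unsigned)v[2], (unsigned)v[3]);
    return 0;
}
```

With `seed_on_create` set to 0 the model reproduces the reported output; set to 1, the first read reports 1 instead of 0.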