- SELinux Enhancements.
The SELinux policy package now includes a pre-built policy and only rebuilds the policy if local customizations have been made. A sample test run shows a 4x speedup when installing the package, from 48 seconds to 12 seconds, and a drop in peak memory usage from 38M to 6M. In addition, SELinux file name transitions allow better policy management: a policy writer can write a rule stating that if an unconfined process creates a file named resolv.conf in a directory labeled etc_t, the file gets the appropriate label. This results in fewer mislabeled files. Also, from this release onwards, selinuxfs is mounted at /sys/fs/selinux instead of /selinux; all affected components, including anaconda, dracut, livecd-tools and policycoreutils, have been modified to work with this change.
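The selinuxfs move is the change most likely to bite locally written scripts that hardcode /selinux (for example to read /selinux/enforce). The following shell script is an added example, not code from this page or from any of the Fedora components named above: it reads a mount table in /proc/mounts format and returns wherever selinuxfs is currently mounted, so the same script works on both the old and the new layout. The function names selinuxfs_mountpoint and selinuxfs_path_ok are my own, and the two mount tables in the script are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not code from the post or from anaconda/dracut/livecd-tools/
# policycoreutils: find where selinuxfs is mounted instead of hardcoding
# /selinux (Fedora 15 and earlier) or /sys/fs/selinux (Fedora 16 and later).

# selinuxfs_mountpoint [MOUNTS]
# Prints the selinuxfs mount point read from MOUNTS (default /proc/mounts).
# Returns 1 and prints nothing when selinuxfs is not mounted at all.
selinuxfs_mountpoint() {
    mounts="${1:-/proc/mounts}"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk '$3 == "selinuxfs" { print $2; found = 1; exit } END { exit !found }' "$mounts"
}

# selinuxfs_path_ok WANTED [MOUNTS]
# Returns 0 if WANTED is the live selinuxfs mount point, 1 otherwise. Use it to
# validate a path a script has hardcoded before reading e.g. WANTED/enforce.
selinuxfs_path_ok() {
    want="$1"
    have="$(selinuxfs_mountpoint "${2:-/proc/mounts}")" || return 1
    [ "$have" = "$want" ]
}

# Constructed sample mount tables (not captured from real systems).
SAMPLE_F16_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
/dev/sda1 /boot ext4 rw,seclabel,relatime 0 0'

SAMPLE_F15_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
none /selinux selinuxfs rw,relatime 0 0'

# Demo: ./selinuxfs-path.sh --demo
if [ "${1-}" = "--demo" ]; then
    for sample in "$SAMPLE_F15_MOUNTS" "$SAMPLE_F16_MOUNTS"; do
        tmp=$(mktemp)
        printf '%s\n' "$sample" > "$tmp"
        printf 'selinuxfs at: %s\n' "$(selinuxfs_mountpoint "$tmp")"
        if selinuxfs_path_ok /selinux "$tmp"; then
            echo '  hardcoded /selinux still valid'
        else
            echo '  hardcoded /selinux is stale: update the script'
        fi
        rm -f "$tmp"
    done
fi
```

Matching on the filesystem type rather than on the path is the point: a script that does `[ -d /selinux ]` on a Fedora 16 box silently concludes SELinux is absent, which is the failure mode the component changes above were fixing.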
Pre-Built Policy
We made major changes to the selinux-policy-TYPE rpm (selinux-policy-targeted-3.10.0-21.fc16).
The rpm now includes a pre-built /etc/selinux/targeted/policy/policy.26.
I reworked the tools to include the policy packages within the payload. The package now checks in its pre-install scriptlet whether there are any local customizations; if there are, the post-install scriptlet recompiles the policy, and if not, the pre-built policy is installed as is.
We also used to have to ship all of the policy modules, over 300, in /usr/share/selinux/targeted; these were copied into /etc/selinux/targeted/modules/active/, and the copies in /usr/share/selinux/targeted were never touched again. Now we install directly into /etc/selinux/targeted/modules/active/.
What you should see is faster initial installs and faster selinux-policy package updates. In Fedora 15 a policy package update took around 45-50 seconds; in Fedora 16, on a system whose selinux-policy has not been modified, it should take under 15 seconds. The first update from Fedora 15 will still take a long time, but the next one should be quick. If you have modified the SELinux system by adding pp files, you will still see the recompile times you always have. :^(
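To make the "recompile only if customized" decision concrete, here is an added shell example. It is not the selinux-policy rpm's own %pre/%post scriptlet, only an approximation of the test it performs: compare the .pp modules carried in the package payload with the installed module store and report whether the pre-built policy can be dropped in or a rebuild is needed. The directory arguments, the function names policy_customized and install_action, and the demo store built under a temporary directory are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the selinux-policy rpm's own %pre/%post scriptlets: an
# approximation of the "were there local customizations?" test described above.
# SHIPPED_DIR holds the .pp modules the package carries in its payload and
# ACTIVE_DIR is the installed module store (on Fedora 16,
# /etc/selinux/targeted/modules/active/). Layout and function names are
# assumptions made for this example.

# policy_customized SHIPPED_DIR ACTIVE_DIR
# Returns 0 if the installed store differs from what the package ships
# (a recompile is needed), 1 if it matches (the pre-built policy can be used).
policy_customized() {
    shipped="$1"; active="$2"
    [ -d "$active" ] || return 1           # fresh install: nothing local to keep
    # A module present locally but not in the package is a local addition
    # (semodule -i mypolicy.pp).
    for f in "$active"/*.pp; do
        [ -e "$f" ] || continue
        [ -e "$shipped/$(basename "$f")" ] || return 0
    done
    # A shipped module that is missing locally (semodule -r) or whose bytes
    # differ from the shipped copy also counts as a customization.
    for f in "$shipped"/*.pp; do
        [ -e "$f" ] || continue
        cmp -s "$f" "$active/$(basename "$f")" || return 0
    done
    return 1
}

# install_action SHIPPED_DIR ACTIVE_DIR
# Prints "rebuild" or "prebuilt": what the post-install step should do.
install_action() {
    if policy_customized "$1" "$2"; then echo rebuild; else echo prebuilt; fi
}

# Demo with a constructed store: ./policy-customized.sh --demo
if [ "${1-}" = "--demo" ]; then
    root=$(mktemp -d)
    mkdir -p "$root/shipped" "$root/active"
    for m in base apache ssh; do
        printf 'payload of %s\n' "$m" > "$root/shipped/$m.pp"
        cp "$root/shipped/$m.pp" "$root/active/$m.pp"
    done
    echo "unmodified store:  $(install_action "$root/shipped" "$root/active")"
    printf 'local module\n' > "$root/active/myapp.pp"
    echo "after semodule -i: $(install_action "$root/shipped" "$root/active")"
    rm -rf "$root"
fi
```

One caveat a real implementation has to cover: in the module store of this era a module disabled with semodule -d is kept under the name name.pp.disabled, which the first loop above never sees; that should also count as a customization, since loading the pre-built policy would re-enable it.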
Building a monolithic policy
2011-09-20 03:12 pm (UTC)
I have read and followed your blogs and found a lot of good tips.
I would like to know if you have a blog post that shows how to build a monolithic policy.
I have tried but failed to build a monolithic policy with the RHEL6 policy source v3.7.19. I have tried three different ways:
1. Edited selinux-policy.spec and set "%define monolithic y". I got this compile error:
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n DIRECT_INITRC=n MONOLITHIC=y POLY=y MLS_CATS=1024 MCS_CATS=1024 base.pp
make: *** No rule to make target `base.pp'
Obviously, the spec was written for building a modular policy only.
2. Modified build.conf, set MONOLITHIC = y, and built from the command line with "make policy". I got this error:
/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/apps/gitosis.te":10:ERROR 'syntax error' at token 'typeattribute' on line 2132630:
typeattribute gitosis_t application_domain_type;
#line 10
checkpolicy: error(s) encountered while parsing configuration
3. Modified policy/modules.conf, set all modules to "base", and built from the command line with "make policy". I got the same error as in 2.
Do you know if building a monolithic policy is still supported and what the proper steps are to do that?
Thank you very much.
--lamsao