From: guido@trentalancia.com (Guido Trentalancia) Date: Tue, 26 Jan 2010 16:46:13 +0100 Subject: [refpolicy] Building MLS/MCS policy Message-ID: <201001261546.o0QFkDMJ023435@vivaldi15.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Stephen, what I propose is to add a few lines of documentation explaining the process of switching between different policy types (see the two patches below, one for load_policy and the other for the reference policy). diff -pru policycoreutils-2.0.77/load_policy/load_policy.8 policycoreutils-2.0.77-new/load_policy/load_policy.8 --- policycoreutils-2.0.77/load_policy/load_policy.8 2009-11-19 23:16:03.000000000 +0100 +++ policycoreutils-2.0.77-new/load_policy/load_policy.8 2010-01-26 16:26:11.210178317 +0100 @@ -12,6 +12,11 @@ load_policy loads the installed policy f The existing policy boolean values are automatically preserved across policy reloads rather than being reset to the default values in the policy file. +.PP +It should be noted that it is not possible to switch between +a non-MLS/MCS policy and a MLS/MCS policy or viceversa at +runtime. To switch between such different types of policies +change the SELinux configuration and reboot the kernel. .SH "OPTIONS" .TP diff -pru refpolicy-2.20091117/README refpolicy-2.20091117-new/README --- refpolicy-2.20091117/README 2009-07-14 14:24:46.000000000 +0200 +++ refpolicy-2.20091117-new/README 2010-01-26 16:39:13.272185609 +0100 
@@ -267,3 +267,14 @@ refresh Attempts to reinsert all modul xml Build a policy.xml from the XML included with the base policy headers and any XML in the modules in the current directory. + +5) Switching between different types of policies (e.g. from non-MLS to MLS) + +In order to switch from a non-MLS/non-MCS policy to a MLS or MCS policy +(and viceversa), make sure to change in build.conf not only the TYPE +parameter between the two policies but also the NAME parameter (just name +the new policy differently from the previous one). Also, after building the +new policy, in order to load it for the first time (and eventually install +custom modules), it might be necessary to reboot the kernel in permissive +mode (after having changed the SELinux configuration file to select the +new policy). Regards, Guido
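Review bot: In the load_policy.8 hunk, the new paragraph tells the reader to "change the SELinux configuration" without naming the file or the setting, so a man page reader still has to guess what to edit. Suggest naming the configuration file and the policy type setting explicitly (on most systems /etc/selinux/config and SELINUXTYPE), and cross-referencing the refpolicy README section added by the second patch. Wording nits in the same paragraph: "viceversa" should be "vice versa", "a MLS/MCS policy" should be "an MLS/MCS policy", and "reboot the kernel" reads better as "reboot the system".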
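Review bot: In the README hunk, the sentence "it might be necessary to reboot the kernel in permissive mode" leaves the reader in permissive mode with no follow-up step, and does not say when the reboot is actually required. Suggest stating the condition, adding an explicit step to return to enforcing once the new policy and any custom modules are loaded, and saying whether the filesystem needs relabeling after the switch, since the text is silent on it. It would also help to state why NAME must differ from the previous policy rather than only "just name the new policy differently". Wording: "viceversa" should be "vice versa", "a MLS or MCS policy" should be "an MLS or MCS policy", and "eventually install custom modules" probably means "possibly install".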