From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 26 Jan 2010 17:01:17 +0100
Subject: [refpolicy] Building MLS/MCS policy
Message-ID: <201001261601.o0QG1HYo030826@vivaldi39.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Stephen,

> If libsemanage encounters an error at any point during the
> update transaction, it rolls back to the previous policy as
> a safety measure so that your system will still have a
> known working policy in place. So when it failed to load
> the MCS policy into the kernel, it performed the rollback.

Yes, the first point definitely makes sense.

> Using a different store name disables automatic loading of
> the policy since it isn't your active policy store (as
> defined by your /etc/selinux/config), and thus avoids the
> problem. The other solution would have been to pass -n to
> semodule to disable automatic loading of the new policy.

This second point is a bit more difficult to understand at first. Especially because, when I was not changing the name, the new MCS policy didn't even load after rebooting (i.e. doing "make install", "make load", the latter fails so reboot and then eventually try doing again "make load" after reboot which fails again).

In particular, I still don't understand why after rebooting it failed to load the new policy even though "make install" succeeded...

Anyway, what do you think about the two notes in the documentation?

Regards,

Guido