Building and Applying the Policy

The policy configuration is compiled into a binary representation that can be loaded into the kernel. In addition to compiling and loading the policy, filesystems must be labeled appropriately in order for the policy to be applied to a system. This section describes how the policy is compiled and loaded, and how the file contexts configuration is applied to the filesystem.

Compiling and Loading the Policy

The policy configuration sources must be compiled into a binary representation before the kernel can read them. The compilation is performed by running make policy in the /etc/selinux/(strict|targeted)/src/policy directory and involves three steps. First, the example policy configuration files are concatenated together. Second, the m4 macro processor is applied to the resulting concatenation to expand macros, yielding the policy.conf file. Third, the checkpolicy policy compiler is run on policy.conf to generate the binary representation in the policy.VERSION file, where VERSION is the policy version number.

The policy.VERSION file can be installed into the /etc/selinux/(strict|targeted)/policy directory by running make install. The installed policy is then loaded into the kernel at the next boot. If a runtime policy change is desired (and authorized by the policy configuration), the make load command can be run to load the policy into the running kernel.
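The following script is an added example and is not part of the original document or of the policy Makefile. It wraps the make policy, make install and make load steps described above and checks the result of each step before moving on, in particular that the installed policy.VERSION file carries the version the running kernel accepts. It assumes, as the document does not state, that the selinuxfs mount point exposes that version in a policyvers node (/selinux/policyvers on kernels of this era, parameterized here as SELINUXFS) and that make install names the binary after it.

```shell
#!/bin/sh
# Added example (not from the original document or the policy Makefile):
# drive the build, install and load steps and verify each one.
# Assumptions not stated in the source: the selinuxfs mount point and its
# policyvers node, and that make install writes policy.<kernel version>.

POLICY_TYPE=${POLICY_TYPE:-strict}
POLICY_SRC=/etc/selinux/$POLICY_TYPE/src/policy
POLICY_DIR=/etc/selinux/$POLICY_TYPE/policy
SELINUXFS=${SELINUXFS:-/selinux}

# kernel_policy_version SELINUXFS_DIR
# Prints the highest policy version the running kernel accepts, read from
# the policyvers node of the given selinuxfs mount, or fails if it is absent.
kernel_policy_version() {
    if [ ! -r "$1/policyvers" ]; then
        echo "no policyvers under $1: is selinuxfs mounted there?" >&2
        return 1
    fi
    tr -cd '0-9' < "$1/policyvers"
    echo
}

# installed_policy_file POLICY_DIR VERSION
# Prints the path of the binary policy that make install is expected to produce.
installed_policy_file() {
    printf '%s/policy.%s\n' "$1" "$2"
}

# build_install_load [load]
# Runs the make targets in order, stopping at the first failure.  The binary
# for the kernel's version must exist after make install; loading into the
# running kernel is only attempted when "load" is requested, and must itself
# be permitted by the currently loaded policy.
build_install_load() {
    ver=$(kernel_policy_version "$SELINUXFS") || return 1
    make -C "$POLICY_SRC" policy  || { echo "policy compilation failed" >&2; return 1; }
    make -C "$POLICY_SRC" install || { echo "policy install failed" >&2; return 1; }
    target=$(installed_policy_file "$POLICY_DIR" "$ver")
    if [ ! -s "$target" ]; then
        echo "expected $target after install; the kernel accepts version $ver" >&2
        return 1
    fi
    if [ "${1:-}" = load ]; then
        make -C "$POLICY_SRC" load || { echo "runtime policy load failed" >&2; return 1; }
    fi
    echo "installed $target"
}

# Usage: ./build-policy.sh build      (compile and install, load at next boot)
#        ./build-policy.sh load       (compile, install and load now)
# The functions above can also be sourced and reused without running anything.
case ${1:-} in
    build|load) build_install_load "$1" ;;
esac
```

The version check matters because checkpolicy emits the newest format it knows, while the kernel only accepts versions up to the one it reports; a mismatch surfaces as a failed make load or a silent fallback at boot, so it is cheaper to detect it right after make install.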

Applying the File Contexts Configuration

The file contexts configuration must be applied to the filesystem, creating or updating the extended attributes, before the extended attributes can be used by the kernel. The extended attributes can be created or updated by running make relabel in the policy source directory or alternatively by running fixfiles relabel. The fixfiles script is a contributed front-end wrapper for the setfiles program that applies setfiles to the installed file contexts configuration and all mounted filesystems that support the security extended attributes. After SELinux has been installed, the extended attributes in each filesystem are maintained dynamically by the SELinux kernel to reflect create, delete, and relabel operations. However, fixfiles relabel can be run at any time to update the extended attributes with a new file contexts configuration or to reset the mappings to the original configuration.

The contributed restorecon utility can be run to restore a specific list of files to the contexts given for them by the file contexts configuration. restorecon can also be applied recursively via the -R option, but unlike setfiles this is not its default behavior. Certain options to the fixfiles script use this utility internally rather than setfiles in order to apply selective relabeling.

The chcon utility program can also be used to set the security context of a file to a specified value. Its usage is similar to that of the chown or chmod utilities. Unlike restorecon or setfiles, chcon takes the security context on the command line rather than consulting the file contexts configuration, which allows specific files to be given more specific security contexts than the defaults. Because such a context is not recorded in the file contexts configuration, a later fixfiles relabel or restorecon on that file resets it to the configured default; customizations meant to survive a relabel belong in the file contexts configuration itself.
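The script below is an added example and is not code from the original document or from setfiles, restorecon or chcon. It is a small shell rendering of the lookup that setfiles and restorecon perform against the file contexts configuration, so that the difference from chcon (a context supplied on the command line) can be seen on sample paths, together with the effect of the per-entry file-type flags. It assumes, beyond what this section states, the constructed file_contexts excerpt embedded below and the convention that when several entries match a path the last one listed is the one applied.

```shell
#!/bin/sh
# Added example, not the code of setfiles/restorecon/chcon: look a path up in
# a file contexts configuration the way those tools do, then (optionally)
# apply the result with chcon.
# Assumptions not in the source: the constructed excerpt below, and that the
# last matching entry wins when several entries match.

# Constructed file contexts excerpt (not an installed configuration).
# Each line: regexp [-type] context   or   regexp <<none>>
# -type is "--" for regular files, "-d" for directories, "-l" for symlinks.
SAMPLE_FC='/.*                  system_u:object_r:default_t
/etc(/.*)?           system_u:object_r:etc_t
/etc/shadow          --  system_u:object_r:shadow_t
/tmp(/.*)?           <<none>>
/usr/bin(/.*)?       system_u:object_r:bin_t
/usr/bin/passwd      --  system_u:object_r:passwd_exec_t'

# match_context PATH [TYPE]
# Prints the context assigned to PATH by the last matching entry, or nothing
# when no entry matches or the winning entry is <<none>>.  TYPE is the
# file-type flag of the object being labeled; entries carrying a type flag
# apply only to objects of that type.
match_context() {
    path=$1
    ftype=${2:-}
    result=""
    while read -r regexp f2 f3; do
        case $regexp in ''|'#'*) continue ;; esac
        case $f2 in
            -*) etype=$f2; context=$f3 ;;
            *)  etype="";  context=$f2 ;;
        esac
        if [ -n "$etype" ] && [ "$etype" != "$ftype" ]; then
            continue
        fi
        # setfiles anchors each regexp so that it must match the whole path.
        if printf '%s\n' "$path" | grep -Eq "^${regexp}\$"; then
            result=$context
        fi
    done <<EOF
$SAMPLE_FC
EOF
    if [ "$result" = '<<none>>' ]; then
        result=""
    fi
    printf '%s\n' "$result"
}

# type_flag PATH
# Derives the file-type flag for an existing object (symlink test first,
# since -d and -f follow symlinks).
type_flag() {
    if [ -L "$1" ]; then printf '%s\n' -l
    elif [ -d "$1" ]; then printf '%s\n' -d
    elif [ -f "$1" ]; then printf '%s\n' --
    else printf '\n'
    fi
}

# relabel_path PATH
# Like restorecon, takes the context from the configuration rather than from
# the caller, then applies it with chcon.  Fails when the configuration gives
# no context for PATH.
relabel_path() {
    ctx=$(match_context "$1" "$(type_flag "$1")")
    if [ -z "$ctx" ]; then
        echo "$1: no context in file contexts configuration" >&2
        return 1
    fi
    chcon -- "$ctx" "$1"
}

# Usage: ./fc-lookup.sh PATH...   prints the context each path would receive
for p in "$@"; do
    printf '%s -> %s\n' "$p" "$(match_context "$p" "$(type_flag "$p")")"
done
```

Running it as ./fc-lookup.sh /etc/shadow /usr/bin/passwd /tmp/scratch shows the ordering rule at work: /etc/shadow is matched by /.*, /etc(/.*)? and the /etc/shadow entry, and only the last of these decides the label, while a directory called /etc/shadow would stop at etc_t because the shadow_t entry is restricted to regular files. The empty result for /tmp/scratch is what <<none>> means: the tools leave such objects alone.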