There are multiple events during policy build, some depending on which make target you choose. The end result is a binary policy file, with several ancillary files created in the process, including policy.conf. The compilation itself follows the same essential steps regardless of the make target:
All of the configuration files from the $SELINUX_SRC/ tree that are used in the policy are concatenated together. This is a pre-processed state.
The source configuration files are discussed extensively in Chapter 2 SELinux Policy Overview. The basic qualification for inclusion is to have a TE file in $SELINUX_SRC/domains/, but not in the domains/unused/ directory.
The m4 pre-processor takes the aggregate configuration input and expands the macros, making the policy.conf file.
The checkpolicy policy compiler runs against policy.conf, resulting in the policy.<XY> binary policy file being created. This file is installed into $SELINUX_POLICY/, where it will be picked up on next system boot. Some make targets load the policy into memory during runtime. The make policy command builds the policy and puts the binary policy file in the source directory, $SELINUX_SRC/policy.<XY>.
During the compilation, several files and a directory are created or updated. The most important is $SELINUX_SRC/policy.conf. Also in the $SELINUX_SRC/ directory is tmp/, which contains temporary build files, including load. This file is a zero-byte file that is used by the Makefile to determine the time the policy was last loaded. Finally, the file $SELINUX_SRC/file_contexts/file_contexts is created, which is a concatenation of all of the various file contexts files in the source tree.
At the heart of the compilation is checkpolicy. This tool compiles the policy into its binary form, and can also be used to validate the policy. Policy compilation is best left to the Makefile to handle, but you can gain some insight into any binary policy file using checkpolicy:
# By itself, checkpolicy looks for a policy.conf file in the # current working directory, which might normally be $SELINUX_SRC/. cd $SELINUX_SRC/ checkpolicy checkpolicy: loading policy configuration from policy.conf security: 3 users, 4 roles, 316 types, 20 bools security: 53 classes, 9815 rules checkpolicy: policy configuration loaded # You can specify a binary policy file with -b: checkpolicy -b $SELINUX_POLICY/policy.18 checkpolicy: loading policy configuration from \ /etc/selinux/targeted/policy/policy.18 security: 3 users, 4 roles, 316 types, 20 bools security: 53 classes, 9817 rules checkpolicy: policy configuration loaded |