Could all of this be done with links? I.e., could you install selinux-policy into
/usr/share/selinux/TARGETED/base/*.pp
/usr/share/selinux/TARGETED/custom/*.pp

Then we reassemble these modules with custom modules in /var/lib/selinux/TARGETED/ supplied by administrators?



On 06/15/2015 05:15 AM, Petr Lautrbach wrote:
Dne 13.6.2015 v 19:07 Lennart Poettering napsal(a):
On Fri, 12.06.15 19:00, Miroslav Grepl (mgrepl@redhat.com) wrote:

On 06/12/2015 12:17 PM, Lennart Poettering wrote:
On Thu, 11.06.15 06:51, Jan Kurik (jkurik@redhat.com) wrote:

= Proposed System Wide Change: SELinux policy store migration =
https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
I cannot make sense of this with my limited selinux knowledge; could
you please elaborate on this on the changes page for people like me
who only have a superficial understanding of selinux?
Yeap, we are working on it.

Basically the binary policy file
(/etc/selinux/targeted/policy/policy.29) loaded into the kernel is built from
SELinux policy modules. These modules are currently located in
/etc/selinux/targeted/modules and we call it a "module store". This
store is now moved to /var/lib/selinux/targeted/modules. This only
affects tools like semanage and semodule, which are used for policy
manipulation. So we are also able to boot without /var from the SELinux
point of view.
Why /var and not /usr?

If these module files are shipped with RPMs as vendor versions they
belong in /usr, no?

What makes this appropriate for moving them to /var?

Although modules are shipped with RPMs, SELinux tools (semanage, semodule)
work on this storage to make intended changes. When you enable or
disable modules, when you install modules, when you make changes to
SELinux users, logins and booleans, it's done in the SELinux store.



Petr