On Fri, 12.06.15 19:00, Miroslav Grepl (mgrepl(a)redhat.com) wrote:
> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
> > On Thu, 11.06.15 06:51, Jan Kurik (jkurik(a)redhat.com) wrote:
> >
> >> = Proposed System Wide Change: SELinux policy store migration =
> >>
> >> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
> >
> > I cannot make sense of this with my limited selinux knowledge, could
> > you please elaborate on this on the changes page for people like me
> > who only have a superficial understanding of selinux?
> Yeap, we are working on it.
> Basically the binary policy file
> (/etc/selinux/targeted/policy/policy.29) loaded into the kernel is built from
> SELinux policy modules. These modules are currently located in
> /etc/selinux/targeted/modules and we call it a "module store". This
> store is now moved to /var/lib/selinux/targeted/modules. This only
> affects tools like semanage and semodule, which are used for policy
> manipulation. So we are able to boot without /var also from the SELinux
> point of view.

Why /var and not /usr?
If these module files are shipped with RPMs as vendor versions they
belong in /usr, no?
What makes this appropriate for moving them to /var?
Lennart
--
Lennart Poettering, Red Hat