On 06/12/2015 12:17 PM, Lennart Poettering wrote:
> On Thu, 11.06.15 06:51, Jan Kurik (jkurik(a)redhat.com) wrote:
> > = Proposed System Wide Change: SELinux policy store migration =
> >
> > https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
> I cannot make sense of this with my limited selinux knowledge, could
> you please elaborate on this on the changes page for people like me
> who only have a superficial understanding of selinux?
Yeap, we are working on it.
Basically, the binary policy file
(/etc/selinux/targeted/policy/policy.29) that is loaded into the kernel is built
from SELinux policy modules. These modules are currently located in
/etc/selinux/targeted/modules, and we call this the "module store". This
store is now being moved to /var/lib/selinux/targeted/modules. This only
affects tools like semanage and semodule, which are used for policy
manipulation. So we are also able to boot without /var from the SELinux
point of view.
Thanks,
Mirek
> For example:
> What is the "policy store"? Is that the compiled policy blob uploaded
> into the kernel? And if not, what is it?
> We support /var being split off and be mounted only very late at
> boot. Is that a problem for this proposal, and if not, why not?
> Does this require changes in systemd? Does this require changes
> anywhere in the core OS, outside of selinux' own userspace?
> And so on...
> Lennart
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
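An added check, not part of this thread or of the SELinux userspace tools, that makes the distinction Mirek draws concrete: the module store (old location /etc/selinux/TYPE/modules, new location /var/lib/selinux/TYPE/modules) is only consumed by semanage/semodule, while the file the kernel actually loads is the compiled policy.NN under /etc/selinux/TYPE/policy, so early boot does not need /var. The functions take a root directory so they can be pointed at a mounted image or, as in the demo below, at a constructed tree; the policy.NN naming and the two store paths are taken from the message, everything else is an assumption of this example.

```shell
#!/bin/sh
# Added example (not code from the thread or from the SELinux project).
# ROOT is a prefix so the checks can run against a constructed tree or a
# mounted image instead of the live system.

# store_location ROOT POLICYTYPE -> prints "var", "etc", "both" or "none"
# depending on which module store directory exists under ROOT.
store_location() {
    root="$1"; ptype="$2"
    in_var=0; in_etc=0
    [ -d "$root/var/lib/selinux/$ptype/modules" ] && in_var=1   # new location
    [ -d "$root/etc/selinux/$ptype/modules" ] && in_etc=1       # old location
    if [ "$in_var" -eq 1 ] && [ "$in_etc" -eq 1 ]; then echo both
    elif [ "$in_var" -eq 1 ]; then echo var
    elif [ "$in_etc" -eq 1 ]; then echo etc
    else echo none
    fi
}

# kernel_policy_path ROOT POLICYTYPE -> prints the path of the highest
# versioned policy.NN file under ROOT/etc/selinux/POLICYTYPE/policy, the
# compiled blob that is loaded into the kernel; returns 1 if there is none.
kernel_policy_path() {
    root="$1"; ptype="$2"
    dir="$root/etc/selinux/$ptype/policy"
    [ -d "$dir" ] || return 1
    # Only accept policy.<digits>; sort numerically on the version field.
    name=$(ls "$dir" 2>/dev/null | grep '^policy\.[0-9][0-9]*$' \
           | sort -t. -k2,2n | tail -n 1)
    [ -n "$name" ] || return 1
    echo "$dir/$name"
}

# boots_without_var ROOT POLICYTYPE -> exit 0 when the compiled policy lives
# under /etc (reachable before a separate /var is mounted), else 1.
boots_without_var() {
    p=$(kernel_policy_path "$1" "$2") || return 1
    [ -n "$p" ] && [ -f "$p" ]
}

# Demo against a constructed tree that mimics the post-migration layout
# described in the message (new store under /var, compiled policy under /etc).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/selinux/targeted/policy" \
             "$tmp/var/lib/selinux/targeted/modules"
    : > "$tmp/etc/selinux/targeted/policy/policy.29"
    echo "module store location: $(store_location "$tmp" targeted)"
    echo "kernel policy file:    $(kernel_policy_path "$tmp" targeted)"
    if boots_without_var "$tmp" targeted; then
        echo "compiled policy is under /etc: loadable before /var is mounted"
    else
        echo "no compiled policy under /etc: early boot would need /var"
    fi
    rm -rf "$tmp"
}
demo
```

Run it as-is to see the constructed case, or call the functions with ROOT set to "/" (or a mount point) to classify a real installation; "both" indicates a system mid-migration with a store in each location.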