On 11.6.2015 at 14:42, Colin Walters wrote:
> On Thu, Jun 11, 2015, at 06:51 AM, Jan Kurik wrote:
> > = Proposed System Wide Change: SELinux policy store migration =
> > https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
> >
> > Change owner(s):
> > * Petr Lautrbach <plautrba at redhat dot com>
> > * Miroslav Grepl <mgrepl at redhat dot com>
> >
> > The newest SELinux userspace project release 2015-02-02 includes a change of the
> > location of the SELinux policy store, which defaults to /var/lib/selinux/.
>
> This will need to support having an empty /var on boot in order to be compatible
> with both rpm-ostree and the systemd factory reset work. For most of user space,
> the simplest implementation of this is to just have a systemd-tmpfiles unit that
> copies data on startup. But policy is currently loaded very early after switch root.
> This will require that /var be mounted too.

Actually, the policy will still be loaded from /etc/selinux/. The
migration will affect the policy store, which is used for rebuilding
policy from modules and from other local changes. So a system could boot
with an empty /var if needed.

However, we'll probably need to provide systemd-tmpfiles units in each
selinux-policy-* subpackage to create the necessary directory structure.

> It will also mean rpm-ostree rollbacks by default won't affect
> the selinux policy, which is a major and unfortunate change.
>
> The listed benefit is:
>
> - moving the policy store out of /etc
>   user could easily get back Factory setup by removing a directory out of /etc

The sub-part is not listed anymore. And it's not even true.

> Note that OSTree provides that today - all the /etc defaults are copied into
> /usr/etc, so at any point you can easily reset things. (This is different from
> the systemd effort for an empty /etc).
>
> It seems far simpler to just keep things in /etc, but teach the tools to read
> /usr. Then *only if* I create a custom local policy, my changes are tracked
> in /etc, and the local compiled policy file lives there too.

Thanks for your comments,

Petr

--
Petr Lautrbach
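The split the reply describes (kernel policy loaded from /etc/selinux/, module store under /var/lib/selinux/) and the tmpfiles suggestion, as an added example that is not part of the thread or of the selinux-policy packages: a POSIX shell check that reads SELINUXTYPE, verifies that a compiled policy exists under /etc/selinux and that the store skeleton exists under /var/lib/selinux, plus a tmpfiles.d fragment that recreates the skeleton. The ROOT prefix, the `demo` helper and the `0755 root root` ownership are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The kernel policy is loaded from
# /etc/selinux/<type>/policy/, while the module store that semodule/semanage
# rebuild from lives under /var/lib/selinux/<type>/. A system can boot with an
# empty /var, but local policy changes need the store skeleton to exist.
# $1 is an assumed root prefix so the check can run against a staged tree.

selinux_type() {           # SELINUXTYPE= from $1/etc/selinux/config
    sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1/etc/selinux/config" 2>/dev/null | tail -n 1
}

# Returns 0: loadable policy and store present
#         1: no compiled policy under /etc/selinux (policy load at boot fails)
#         2: policy loadable, but store missing (empty /var); rebuilds would fail
check_policy_layout() {
    root=$1
    type=$(selinux_type "$root")
    [ -n "$type" ] || return 1
    ls "$root/etc/selinux/$type/policy"/policy.* >/dev/null 2>&1 || return 1
    [ -d "$root/var/lib/selinux/$type/active" ] || return 2
    return 0
}

# Emit a tmpfiles.d fragment that recreates the store skeleton on boot.
# Directory names follow the semanage store layout; mode/owner are assumed.
tmpfiles_fragment() {
    printf 'd /var/lib/selinux/%s 0755 root root -\n' "$1"
    printf 'd /var/lib/selinux/%s/active 0755 root root -\n' "$1"
    printf 'd /var/lib/selinux/%s/active/modules 0755 root root -\n' "$1"
}

# Constructed staged tree: policy compiled into /etc, /var still empty.
# Prints the check result before and after the store skeleton is created.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/selinux/targeted/policy" "$root/var"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$root/etc/selinux/config"
    : > "$root/etc/selinux/targeted/policy/policy.29"
    before=0; check_policy_layout "$root" || before=$?   # 2: store missing
    mkdir -p "$root/var/lib/selinux/targeted/active/modules"
    after=0;  check_policy_layout "$root" || after=$?    # 0: store present
    rm -rf "$root"
    echo "$before $after"
}
```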