On Mon, 15.06.15 11:15, Petr Lautrbach (plautrba(a)redhat.com) wrote:
Dne 13.6.2015 v 19:07 Lennart Poettering napsal(a):
> On Fri, 12.06.15 19:00, Miroslav Grepl (mgrepl(a)redhat.com) wrote:
>
>> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
>>> On Thu, 11.06.15 06:51, Jan Kurik (jkurik(a)redhat.com) wrote:
>>>
>>>> = Proposed System Wide Change: SELinux policy store migration =
>>>>
>>>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>>
>>> I cannot make sense of this with my limited selinux knowledge, could
>>> you please elaborate on this on the changes page for people like me
>>> who only have a superficial understanding of selinux?
>>
>> Yeap, we are working on it.
>>
>> Basically the binary policy file
>> (/etc/selinux/targeted/policy/policy.29) loaded to kernel is built from
>> SELinux policy modules. These modules are currently located in
>> /etc/selinux/targeted/modules and we call it as a "module store". This
>> store is now moved to /var/lib/selinux/targeted/modules. This only
>> affects tools like semanage, semodule which are used for a policy
>> manipulation. So we are able to boot without /var also from SELinux
>> point of view.
>
> Why /var and not /usr?
>
> If these module files are shipped with RPMs as vendor versions they
> belong in /usr, no?
>
> What makes this appropriate for moving them to /var?
>
Although modules are shipped with RPM, SELinux tools (semanage, semodule)
work on this storage to make intended changes. When you enable or
disable modules, when you install modules, when you do changes in
SELinux users, logins and booleans, it's done in SELinux store.
Hmm, I am really not a fan of packages that ship static vendor payload
in /var. That sounds really wrong. Can't you make this work so that
only the admin changes end up in /var, but the static data from the
vendor stays unmodified in /usr? i.e. so that the selinux tools read
from both directories, and data from /var when in doubt overrides the
one from /usr?
The reason I am asking for this: with the stateless system logic we in
the systemd project and the Atomic folks work on we kinda want to
ensure that /var only contains data that can be reconstructed at boot
if necessary, and is hence "unessential". This is useful to implement
stateless systems and "factory reset" operations, where /var is empty
on every boot or /var is simply flushed out at times.
Hence: vendor data that stays static should stay in /usr please, and
only local changes should end up in /var.
(Note though that we never asked Fedora formally to support a scheme
like this, hence what Atomic and we have in mind there is in no way a
Fedora goal so far, but it would be nice to support this anyway...)
Lennart
--
Lennart Poettering, Red Hat
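The two-tier store Lennart asks for above (static vendor modules in /usr, only local changes in /var, with /var winning on conflict, and /var flushable at any time) can be modelled with a small merge routine. The following is an added example, not code from this thread, from systemd or from the SELinux userspace tools; the directory layout it uses (one `<name>.pp` file per module and an optional `<name>.disabled` marker in the local tier) is an assumption made for illustration and is not the real semodule store format. The point it shows is the property the stateless-system argument depends on: after the local tier is wiped, the effective module set is exactly the vendor set again.

```python
"""
Added example: a toy two-tier SELinux module store.

Assumed layout (illustration only, NOT the real semodule store):
  <tier>/<name>.pp        policy module payload
  <tier>/<name>.disabled  marker: module present but disabled

Vendor tier  -> static, shipped by RPM, would live under /usr
Local tier   -> admin changes (installs, overrides, disables), lives under /var
Resolution   -> local entries override vendor entries of the same name
"""
import tempfile
from pathlib import Path


def read_store(root):
    """Scan one tier. Returns {name: {"path": Path | absent, "disabled": bool}}."""
    root = Path(root)
    entries = {}
    if not root.is_dir():
        return entries
    for p in sorted(root.iterdir()):
        if p.suffix == ".pp":
            entries.setdefault(p.stem, {})["path"] = p
        elif p.suffix == ".disabled":
            entries.setdefault(p.stem, {})["disabled"] = True
    return entries


def effective_modules(vendor_dir, local_dir):
    """Merge both tiers; the local tier wins whenever it says something.

    Returns {name: {"path": Path, "source": "vendor"|"local", "enabled": bool}}.
    A local ".disabled" marker without a local payload disables the vendor
    module in place; a marker naming no known module is ignored.
    """
    merged = {}
    for name, e in read_store(vendor_dir).items():
        if "path" in e:
            merged[name] = {"path": e["path"], "source": "vendor",
                            "enabled": not e.get("disabled", False)}
    for name, e in read_store(local_dir).items():
        if "path" in e:
            # Local replacement of the module payload overrides everything.
            merged[name] = {"path": e["path"], "source": "local",
                            "enabled": not e.get("disabled", False)}
        elif e.get("disabled") and name in merged:
            merged[name]["enabled"] = False
    return merged


def factory_reset(local_dir):
    """Flush the local tier, as a stateless boot or factory reset would."""
    for p in Path(local_dir).iterdir():
        p.unlink()


def build_demo():
    """Constructed sample stores (not real policy data). Returns (vendor, local)."""
    base = Path(tempfile.mkdtemp(prefix="selinux-store-demo-"))
    vendor, local = base / "usr_tier", base / "var_tier"
    vendor.mkdir()
    local.mkdir()
    for name in ("base", "ssh", "cups"):
        (vendor / f"{name}.pp").write_bytes(b"vendor:" + name.encode())
    (local / "ssh.pp").write_bytes(b"local:ssh")      # admin-modified module
    (local / "myapp.pp").write_bytes(b"local:myapp")  # admin-installed module
    (local / "cups.disabled").touch()                 # admin disabled a vendor module
    return str(vendor), str(local)


if __name__ == "__main__":
    v, l = build_demo()
    for name, e in sorted(effective_modules(v, l).items()):
        print(f"{name:8} {e['source']:6} enabled={e['enabled']}")
    factory_reset(l)
    print("after reset:", sorted(effective_modules(v, l)))
```

`effective_modules` is the read path Lennart describes ("read from both directories, and data from /var when in doubt overrides the one from /usr"); `factory_reset` is the operation the proposal has to survive, and it only touches the local tier, so the vendor payload under /usr is never at risk.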