F23 System Wide Change: SELinux policy store migration

Petr Lautrbach plautrba at redhat.com
Thu Jun 11 14:17:31 UTC 2015


Dne 11.6.2015 v 14:42 Colin Walters napsal(a):
> On Thu, Jun 11, 2015, at 06:51 AM, Jan Kurik wrote:
>> = Proposed System Wide Change: SELinux policy store migration =
>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>
>> Change owner(s):
>> * Petr Lautrbach <plautrba at redhat dot com>
>> * Miroslav Grepl <mgrepl at redhat dot com>
>>
>> The newest SELinux userspace project release 2015-02-02 includes a change of the location of the SELinux policy store, which defaults to /var/lib/selinux/. 
> 
> This will need to support having an empty /var on boot in order to be compatible
> with both rpm-ostree and the systemd factory reset work.  For most of user space,
> the simplest implementation of this is to just have a systemd-tmpfiles unit that
> copies data on startup.  But policy is currently loaded very early after switch root.  This
> will require that /var be mounted too.

Actually, the policy will be still loaded from /etc/selinux/. The
migration will affect the policy store which is used for rebuilding
policy from modules and from other local changes. So a system could boot
with empty /var if it's needed.

However, we'll probably need to provide systemd-tmpfiles units in each
selinux-policy-* subpackage to create necessary directory structure.


> It will also mean rpm-ostree rollbacks by default won't affect the selinux policy, which is
> a major and unfortunate change.
> 
> The listed benefit is:
> 
>  -moving the policy store out of /etc
>     user could easily get back Factory setup by removing a directory out of /etc

The sub part is not listed anymore. And it's not even true.

> 
> Note that OSTree provides that today - all the /etc defaults are copied into
> /usr/etc, so at any point you can easily reset things.  (This is different from
> the systemd effort for an empty /etc).
> 
> It seems far simpler to just keep things in /etc, but teach the tools to read
> /usr.  Then *only if* I create a custom local policy, my changes are tracked
> in /etc, and the local compiled policy file lives there too.
> 

Thanks for your comments,

Petr
-- 
Petr Lautrbach
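An added example, not part of this thread or of the selinux-policy packaging: a small POSIX shell check for the split Petr describes, where the compiled policy is loaded from /etc/selinux/ at boot while the module store moves to /var/lib/selinux/. The function names, the ROOT prefix (so it can be run against a staged tree) and the subdirectories below the policy type in the tmpfiles.d lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT is a path prefix so the checks can
# run against a staged image tree instead of the live system.

# selinux_policy_loaded ROOT TYPE
# 0 if a compiled policy.<ver> exists under ROOT/etc/selinux/TYPE/policy,
# i.e. policy can be loaded right after switch-root with /var not yet mounted.
selinux_policy_loaded() {
    root=$1; ptype=$2
    set -- "$root/etc/selinux/$ptype/policy"/policy.*
    [ -f "$1" ]
}

# selinux_store_present ROOT TYPE
# 0 if the module store under /var/lib/selinux exists for TYPE
# ("active" subdirectory is an assumption about the store layout).
selinux_store_present() {
    [ -d "$1/var/lib/selinux/$2/active" ]
}

# selinux_tmpfiles_conf TYPE
# Prints tmpfiles.d(5) lines that recreate the store skeleton on a host that
# boots with an empty /var (hypothetical unit; directory names are assumptions).
selinux_tmpfiles_conf() {
    printf 'd /var/lib/selinux 0755 root root -\n'
    printf 'd /var/lib/selinux/%s 0755 root root -\n' "$1"
    printf 'd /var/lib/selinux/%s/active 0755 root root -\n' "$1"
    printf 'd /var/lib/selinux/%s/active/modules 0755 root root -\n' "$1"
}

# selinux_layout_report ROOT TYPE
# Prints ok, store-missing or policy-missing; the return code mirrors it
# (0, 1, 2). "store-missing" is the empty-/var case: policy still loads,
# but semodule/semanage would need the store recreated before use.
selinux_layout_report() {
    if ! selinux_policy_loaded "$1" "$2"; then
        echo policy-missing; return 2
    elif ! selinux_store_present "$1" "$2"; then
        echo store-missing; return 1
    fi
    echo ok
}

# Against the running system:  selinux_layout_report / targeted
```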
