F23 System Wide Change: SELinux policy store migration

Miroslav Grepl mgrepl at redhat.com
Fri Jun 12 17:00:32 UTC 2015


On 06/12/2015 12:17 PM, Lennart Poettering wrote:
> On Thu, 11.06.15 06:51, Jan Kurik (jkurik at redhat.com) wrote:
> 
>> = Proposed System Wide Change: SELinux policy store migration =
>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
> 
> I cannot make sense of this with my limited selinux knowledge, could
> you please elaborate on this on the changes page for people like me
> who only have a superficial understanding of selinux?

Yeap, we are working on it.

Basically the binary policy file
(/etc/selinux/targeted/policy/policy.29) loaded into the kernel is built from
SELinux policy modules. These modules are currently located in
/etc/selinux/targeted/modules and we call it a "module store". This
store is now moved to /var/lib/selinux/targeted/modules. This only
affects tools like semanage and semodule, which are used for policy
manipulation. So we are able to boot without /var also from the SELinux
point of view.

Thanks,
Mirek
> 
> For example: 
> 
> What is the "policy store"? Is that the compiled policy blob uploaded
> into the kernel? And if not, what is it?
> 
> We support /var being split off and be mounted only very late at
> boot. Is that a problem for this proposal, and if not, why not?
> 
> Does this require changes in systemd? Does this require changes
> anywhere in the core OS, outside of selinux' own userspace?
> 
> And so on...
> 
> Lennart
> 

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
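
The two questions in the thread (what the store is, and whether a late-mounted /var is a problem) can be checked against a filesystem tree rather than argued about. The script below is an added example for this archive page; it is not code from this thread, from Fedora, or from the SELinux userspace. It assumes only the paths named in the reply: the kernel-loadable binary policy in /etc/selinux/<type>/policy/policy.NN, the legacy module store in /etc/selinux/<type>/modules and the migrated store in /var/lib/selinux/<type>/modules. It takes a root prefix so it can be pointed at a chroot, an image mount or a constructed tree, and it adds one caveat the reply does not mention: if /etc/selinux/<type>/policy has been symlinked into /var, early boot would need /var after all. The function names and the report format are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SELinux project.
# Assumed layout (from the reply): the kernel loads
#   $ROOT/etc/selinux/<type>/policy/policy.NN           (binary policy)
# and semanage/semodule edit the module store at
#   $ROOT/etc/selinux/<type>/modules                    (legacy location)
#   $ROOT/var/lib/selinux/<type>/modules                (migrated location)
# ROOT is a prefix ("" for the live system); nothing is read from semanage.conf.

# Where does the module store live: migrated, legacy, both, or none.
selinux_store_layout() {
    root=${1:-}; ptype=${2:-targeted}
    legacy="$root/etc/selinux/$ptype/modules"
    new="$root/var/lib/selinux/$ptype/modules"
    if [ -d "$new" ] && [ -d "$legacy" ]; then
        echo both       # old copy left behind after migration; worth cleaning up
    elif [ -d "$new" ]; then
        echo migrated
    elif [ -d "$legacy" ]; then
        echo legacy
    else
        echo none
    fi
}

# Print the highest-numbered binary policy under /etc; fail if there is none.
# Numeric comparison matters: policy.9 sorts after policy.29 as a string.
selinux_binary_policy() {
    root=${1:-}; ptype=${2:-targeted}
    best=-1; found=""
    for p in "$root/etc/selinux/$ptype/policy"/policy.*; do
        [ -f "$p" ] || continue
        n=${p##*.}
        case $n in ''|*[!0-9]*) continue ;; esac
        if [ "$n" -gt "$best" ]; then best=$n; found=$p; fi
    done
    [ -n "$found" ] && echo "$found"
}

# Does loading the policy at early boot need /var?  "no" when the binary
# policy really lives under /etc, "yes" when the /etc path is only a symlink
# into /var (a local customisation that would break a late-mounted /var),
# "missing" when no binary policy is found at all.
selinux_early_boot_needs_var() {
    root=${1:-}; ptype=${2:-targeted}
    bp=$(selinux_binary_policy "$root" "$ptype") || { echo missing; return 0; }
    real=$(readlink -f "$bp" 2>/dev/null) || real=$bp
    rv=$(readlink -f "$root/var" 2>/dev/null) || rv=$root/var
    case $real in
        "$rv"/*) echo yes ;;
        *)       echo no ;;
    esac
}

# Do semanage/semodule need /var?  Only once the store has been migrated.
selinux_policy_tools_need_var() {
    case $(selinux_store_layout "$@") in
        migrated|both) echo yes ;;
        legacy)        echo no ;;
        *)             echo unknown ;;
    esac
}

# One-screen summary of the four answers above for a given tree.
selinux_migration_report() {
    root=${1:-}; ptype=${2:-targeted}
    echo "binary_policy=$(selinux_binary_policy "$root" "$ptype" || echo MISSING)"
    echo "store=$(selinux_store_layout "$root" "$ptype")"
    echo "early_boot_needs_var=$(selinux_early_boot_needs_var "$root" "$ptype")"
    echo "policy_tools_need_var=$(selinux_policy_tools_need_var "$root" "$ptype")"
}

# Demonstration: inspect the live system, or a tree given via SELINUX_ROOT
# (e.g. SELINUX_ROOT=/mnt/image for an unpacked image).
selinux_migration_report "${SELINUX_ROOT:-}" "${SELINUX_TYPE:-targeted}"
```

Run with no environment set it inspects the running system; on a migrated Fedora box the expected report is a binary policy under /etc, store=migrated, early_boot_needs_var=no and policy_tools_need_var=yes, which is exactly the split the reply describes. The symlink check is the practical caveat: the migration keeps early boot independent of /var only as long as nobody has relocated the policy directory itself.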
