F23 System Wide Change: SELinux policy store migration

Petr Lautrbach plautrba at redhat.com
Mon Jun 15 09:15:18 UTC 2015


Dne 13.6.2015 v 19:07 Lennart Poettering napsal(a):
> On Fri, 12.06.15 19:00, Miroslav Grepl (mgrepl at redhat.com) wrote:
> 
>> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
>>> On Thu, 11.06.15 06:51, Jan Kurik (jkurik at redhat.com) wrote:
>>>
>>>> = Proposed System Wide Change: SELinux policy store migration =
>>>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>>
>>> I cannot make sense of this with my limited selinux knowledge, could
>>> you please elaborate on this on the changes page for people like me
>>> who only have a superficial understanding of selinux?
>>
>> Yeap, we are working on it.
>>
>> Basically the binary policy file
>> (/etc/selinux/targeted/policy/policy.29) loaded into the kernel is built from
>> SELinux policy modules. These modules are currently located in
>> /etc/selinux/targeted/modules and we call it a "module store". This
>> store is now moved to /var/lib/selinux/targeted/modules. This only
>> affects tools like semanage and semodule which are used for policy
>> manipulation. So we are able to boot without /var also from the SELinux
>> point of view.
> 
> Why /var and not /usr?
> 
> If these module files are shipped with RPMs as vendor versions they
> belong in /usr, no?
> 
> What makes this appropriate for moving them to /var?
> 

Although modules are shipped with RPM, SELinux tools (semanage, semodule)
work on this storage to make the intended changes. When you enable or
disable modules, when you install modules, when you make changes to
SELinux users, logins and booleans, it's done in the SELinux store.



Petr
-- 
Petr Lautrbach
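As an added example, not part of the thread above: a small POSIX shell audit that checks, relative to a root directory, whether a system's module store sits at the pre-migration path under /etc or the migrated path under /var, and that the kernel-loaded binary policy file named in the discussion is still present under /etc (the property that makes booting without /var possible). The path constants are taken from the messages above; the root-directory parameter is an assumption so the check can be run against a chroot or a constructed test tree.

```shell
#!/bin/sh
# Added example (not from the thread): locate the SELinux module store and the
# kernel binary policy relative to ROOT. ROOT defaults to "/"; passing another
# directory (an image mount, a chroot, a test tree) is an assumed convenience.

OLD_STORE_REL="etc/selinux/targeted/modules"      # pre-migration store (on /etc)
NEW_STORE_REL="var/lib/selinux/targeted/modules"  # migrated store (on /var)
KERNEL_POLICY_REL="etc/selinux/targeted/policy"   # binary policy.NN, stays on /etc

# Prints one of: migrated | legacy | both | none
# "both" means the old directory was left behind after migration; review it
# before removing so no local changes (booleans, users, logins) are lost.
store_state() {
    root="${1:-/}"
    old=0; new=0
    [ -d "$root/$OLD_STORE_REL" ] && old=1
    [ -d "$root/$NEW_STORE_REL" ] && new=1
    case "$old$new" in
        01) echo migrated ;;
        10) echo legacy ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Prints the path of the highest-numbered policy.NN file under /etc, the one
# the kernel would load at boot; returns 1 if there is none.
kernel_policy_file() {
    root="${1:-/}"
    best=""; bestn=-1
    for f in "$root/$KERNEL_POLICY_REL"/policy.*; do
        [ -f "$f" ] || continue
        n=${f##*.}
        case "$n" in *[!0-9]*) continue ;; esac   # skip non-numeric suffixes
        if [ "$n" -gt "$bestn" ]; then best=$f; bestn=$n; fi
    done
    [ -n "$best" ] || return 1
    echo "$best"
}

# Stand-alone run: report on the live system (or on $1 if given).
if [ "${SELINUX_AUDIT_QUIET:-0}" = 0 ]; then
    echo "module store: $(store_state "$1")"
    echo "kernel policy: $(kernel_policy_file "$1" || echo '<none found>')"
fi
```

Run with no arguments on a Fedora host, or with a directory argument to inspect an offline tree.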
