F23 System Wide Change: SELinux policy store migration

Lennart Poettering mzerqung at 0pointer.de
Mon Jun 15 10:15:57 UTC 2015


On Mon, 15.06.15 11:15, Petr Lautrbach (plautrba at redhat.com) wrote:

> Dne 13.6.2015 v 19:07 Lennart Poettering napsal(a):
> > On Fri, 12.06.15 19:00, Miroslav Grepl (mgrepl at redhat.com) wrote:
> > 
> >> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
> >>> On Thu, 11.06.15 06:51, Jan Kurik (jkurik at redhat.com) wrote:
> >>>
> >>>> = Proposed System Wide Change: SELinux policy store migration =
> >>>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
> >>>
> >>> I cannot make sense of this with my limited selinux knowledge, could
> >>> you please elaborate on this on the changes page for people like me
> >>> who only have a superficial understanding of selinux?
> >>
> >> Yeap, we are working on it.
> >>
> >> Basically the binary policy file
> >> (/etc/selinux/targeted/policy/policy.29) loaded into the kernel is built
> >> from SELinux policy modules. These modules are currently located in
> >> /etc/selinux/targeted/modules and we call it a "module store". This
> >> store is now moved to /var/lib/selinux/targeted/modules. This only
> >> affects tools like semanage and semodule, which are used for policy
> >> manipulation. So we are able to boot without /var also from the SELinux
> >> point of view.
> > 
> > Why /var and not /usr?
> > 
> > If these module files are shipped with RPMs as vendor versions they
> > belong in /usr, no?
> > 
> > What makes this appropriate for moving them to /var?
> > 
> 
> Although modules are shipped with RPM, SELinux tools (semanage, semodule)
> work on this storage to make the intended changes. When you enable or
> disable modules, when you install modules, when you make changes to
> SELinux users, logins and booleans, it's done in the SELinux store.

Hmm, I am really not a fan of packages that ship static vendor payload
in /var. That sounds really wrong. Can't you make this work so that
only the admin changes end up in /var, but the static data from the
vendor stays unmodified in /usr? i.e. so that the selinux tools read
from both directories, and data from /var when in doubt overrides the
one from /usr?

The reason I am asking for this: with the stateless system logic we in
the systemd project and the Atomic folks work on we kinda want to
ensure that /var only contains data that can be reconstructed at boot
if necessary, and is hence "unessential". This is useful to implement
stateless systems and "factory reset" operations, where /var is empty
on every boot or /var is simply flushed out at times.

Hence: vendor data that stays static should stay in /usr please, and
only local changes should end up in /var.

(Note though that we never asked Fedora formally to support a scheme
like this, hence what Atomic and we have in mind there is in no way a
Fedora goal so far, but it would be nice to support this anyway...)

Lennart

-- 
Lennart Poettering, Red Hat
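What the overlay scheme proposed above would look like in practice, as an added example that is not part of this thread and not code from the SELinux userspace tools or from systemd: a read-only vendor tree (standing in for /usr) holds the packaged modules, a writable local tree (standing in for /var) holds only admin changes, lookups consult both with the local tree winning, and flushing the local tree is exactly the "factory reset" Lennart describes. The on-disk layout used here (one "<name>.pp" file per module and a "<name>.disabled" marker for admin-disabled modules) is an assumption made for the example, not the layout semodule actually uses.

```python
"""Constructed example (not code from the SELinux userspace tools or the
systemd project): an overlay lookup for a policy module store that is
split between a read-only vendor tree (standing in for /usr) and a
writable local tree (standing in for /var), with the local tree winning.
The layout below (one '<name>.pp' file per module, a '<name>.disabled'
marker for admin-disabled modules) is an assumption for this example,
not the layout semodule actually uses."""
import os
import shutil
import tempfile
from pathlib import Path


def effective_modules(vendor_root, local_root):
    """Return the module set the tools would act on: every vendor module,
    overridden by a same-named local module, plus local-only modules.
    A '<name>.disabled' marker in the local tree disables that module."""
    modules = {}
    for p in sorted(Path(vendor_root).glob("*.pp")):
        modules[p.stem] = {"source": "vendor", "path": str(p), "enabled": True}
    local = Path(local_root)
    if local.is_dir():  # an empty or absent /var is a legal state
        for p in sorted(local.glob("*.pp")):
            modules[p.stem] = {"source": "local", "path": str(p), "enabled": True}
        for p in local.glob("*.disabled"):
            if p.stem in modules:
                modules[p.stem]["enabled"] = False
    return modules


def install_local_module(local_root, name, blob):
    """Admin action: install a module. Writes only under the local tree."""
    os.makedirs(local_root, exist_ok=True)
    Path(local_root, name + ".pp").write_bytes(blob)


def disable_module(local_root, name):
    """Admin action: disable a module. Again only the local tree changes."""
    os.makedirs(local_root, exist_ok=True)
    Path(local_root, name + ".disabled").touch()


def factory_reset(local_root):
    """Flush /var: discard all local state; vendor data is never touched."""
    shutil.rmtree(local_root, ignore_errors=True)
    os.makedirs(local_root)


def build_demo():
    """Create a throwaway vendor tree with two 'packaged' modules and a
    local tree with one admin-installed module and one admin-disabled one.
    Module contents are placeholder bytes, not real compiled policy."""
    base = Path(tempfile.mkdtemp(prefix="selinux-store-"))
    vendor, local = base / "usr", base / "var"
    vendor.mkdir()
    for name in ("httpd", "sshd"):
        (vendor / (name + ".pp")).write_bytes(b"vendor:" + name.encode())
    install_local_module(local, "myapp", b"local:myapp")
    disable_module(local, "httpd")
    return str(vendor), str(local)


if __name__ == "__main__":
    vendor, local = build_demo()
    print("before reset:", effective_modules(vendor, local))
    factory_reset(local)
    print("after reset: ", effective_modules(vendor, local))
```

The point of the split is visible in factory_reset(): because every admin operation writes only under the local tree, wiping it returns the system to the vendor defaults without any package reinstall, which is the property that makes /var "unessential" in the stateless-system sense.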

