F23 System Wide Change: SELinux policy store migration

Daniel J Walsh dwalsh at redhat.com
Mon Jun 15 20:45:01 UTC 2015


Could all of this be done with links?  I.e., could you install
selinux-policy into
/usr/share/selinux/TARGETED/base/*.pp
/usr/share/selinux/TARGETED/custom/*.pp

Then we reassemble these modules with custom modules in
/var/lib/selinux/TARGETED/ supplied by administrators?



On 06/15/2015 05:15 AM, Petr Lautrbach wrote:
> On 13.6.2015 at 19:07, Lennart Poettering wrote:
>> On Fri, 12.06.15 19:00, Miroslav Grepl (mgrepl at redhat.com) wrote:
>>
>>> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
>>>> On Thu, 11.06.15 06:51, Jan Kurik (jkurik at redhat.com) wrote:
>>>>
>>>>> = Proposed System Wide Change: SELinux policy store migration =
>>>>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>>> I cannot make sense of this with my limited selinux knowledge, could
>>>> you please elaborate on this on the changes page for people like me
>>>> who only have a superficial understanding of selinux?
>>> Yeap, we are working on it.
>>>
>>> Basically the binary policy file
>>> (/etc/selinux/targeted/policy/policy.29) loaded into the kernel is built from
>>> SELinux policy modules. These modules are currently located in
>>> /etc/selinux/targeted/modules and we call it a "module store". This
>>> store is now moved to /var/lib/selinux/targeted/modules. This only
>>> affects tools like semanage and semodule which are used for policy
>>> manipulation. So we are able to boot without /var also from the SELinux
>>> point of view.
>> Why /var and not /usr?
>>
>> If these module files are shipped with RPMs as vendor versions they
>> belong in /usr, no?
>>
>> What makes this appropriate for moving them to /var?
>>
> Although modules are shipped with RPM, SELinux tools (semanage, semodule)
> work on this storage to make intended changes. When you enable or
> disable modules, when you install modules, when you make changes to
> SELinux users, logins and booleans, it's done in the SELinux store.
>
>
>
> Petr
>
>

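As an added example (not code from this thread or from the selinux-policy project), a small POSIX shell helper an administrator can use to confirm which module store semanage and semodule will write to after the migration: it honors a `store-root` setting in semanage.conf and otherwise falls back to the pre-migration /etc/selinux/<type>/modules directory. The `store-root` key and the <store-root>/<policy type> layout are assumptions about libsemanage's configuration, and the directory argument exists so the check can be run against a constructed fixture instead of the live system.

```shell
#!/bin/sh
# Added example, not part of the original thread. Resolves the SELinux
# module store for a policy type, so an admin can verify whether semanage
# changes land under /var (new layout) or under /etc (old layout).
#
# Assumptions: $1 is an /etc/selinux-style directory containing
# semanage.conf; a "store-root = <dir>" line in that file selects the new
# store root and modules then live under <store-root>/<policy type>.

# selinux_store_dir <etc_selinux_dir> <policy_type>
# Prints the store directory and returns 0; returns 1 if none is found.
selinux_store_dir() {
    etc_dir=$1
    policy_type=$2
    conf="$etc_dir/semanage.conf"
    store_root=""
    if [ -f "$conf" ]; then
        # Take the last uncommented "store-root = value" line, if any.
        store_root=$(sed -n \
            's/^[[:space:]]*store-root[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
            "$conf" | tail -n 1)
    fi
    if [ -n "$store_root" ]; then
        echo "$store_root/$policy_type"
        return 0
    fi
    # Pre-migration layout: the module store sat next to the policy in /etc.
    if [ -d "$etc_dir/$policy_type/modules" ]; then
        echo "$etc_dir/$policy_type/modules"
        return 0
    fi
    return 1
}

# store_needs_var <store_dir>
# Returns 0 when the store lives under /var, i.e. it is not available
# before /var is mounted, which is the concern raised in the thread.
store_needs_var() {
    case $1 in
        /var/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use against the live system, e.g.:
#   dir=$(selinux_store_dir /etc/selinux targeted) && echo "store: $dir"
```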