Re: F23 System Wide Change: SELinux policy store migration

On Thu, Jun 11, 2015, at 06:51 AM, Jan Kurik wrote:
> = Proposed System Wide Change: SELinux policy store migration =
> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
> 
> Change owner(s):
> * Petr Lautrbach <plautrba at redhat dot com>
> * Miroslav Grepl <mgrepl at redhat dot com>
> 
> The newest SELinux userspace project release 2015-02-02 includes a change of the location of the SELinux policy store, which defaults to /var/lib/selinux/. 

This will need to support having an empty /var on boot in order to be compatible
with both rpm-ostree and the systemd factory reset work.  For most of user space,
the simplest implementation of this is to just have a systemd-tmpfiles unit that
copies data on startup.  But policy is currently loaded very early after switch root.  This
will require that /var be mounted too.

It will also mean rpm-ostree rollbacks by default won't affect the SELinux policy, which is
a major and unfortunate change.

The listed benefit is:

 - moving the policy store out of /etc: user could easily get back Factory setup by removing a directory out of /etc

Note that OSTree provides that today - all the /etc defaults are copied into
/usr/etc, so at any point you can easily reset things.  (This is different from
the systemd effort for an empty /etc).

It seems far simpler to just keep things in /etc, but teach the tools to read
/usr.  Then *only if* I create a custom local policy, my changes are tracked
in /etc, and the local compiled policy file lives there too.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
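As an added illustration of the "copy data on startup" approach the reply above weighs against the early-policy-load ordering problem (this is example code written for this page, not code from the thread, from Fedora, or from the SELinux userspace project): a POSIX shell helper that seeds an empty /var/lib/selinux from a read-only seed tree and refuses to touch a store that is already populated, plus the equivalent tmpfiles.d(5) line. The seed path /usr/share/selinux/policy-store and the store name "targeted" are assumptions for the example; the store path /var/lib/selinux is the default named in the proposal. A ROOT prefix argument lets it run against a scratch directory instead of a live system.

```shell
# Added example (not from the thread): seed the SELinux policy store on boot when /var
# starts out empty, in the spirit of a systemd-tmpfiles copy unit. Paths under /usr are
# assumed for illustration; /var/lib/selinux is the default from the proposal.

seed_policy_store() {
    root="${1:-}"                                  # optional prefix for testing in a scratch dir
    seed="$root/usr/share/selinux/policy-store"    # assumed read-only seed location
    store="$root/var/lib/selinux"                  # default store location from the proposal

    # Never overwrite a populated store: that is the admin's local policy state.
    if [ -d "$store" ] && [ -n "$(ls -A "$store" 2>/dev/null)" ]; then
        echo "policy store already populated: $store"
        return 0
    fi
    if [ ! -d "$seed" ]; then
        echo "no seed at $seed; cannot populate $store" >&2
        return 1
    fi
    mkdir -p "$store"
    cp -a "$seed"/. "$store"/
    echo "seeded $store from $seed"
}

# Equivalent tmpfiles.d(5) entry (same assumed paths): the C type copies the tree only
# when the destination does not exist yet, which is exactly the empty-/var case.
TMPFILES_LINE='C /var/lib/selinux - - - - /usr/share/selinux/policy-store'

# Check used by the example to show the ordering caveat from the reply: before /var is
# mounted and the copy has run, the store the policy loader would look for is absent.
store_present() {
    root="${1:-}"
    [ -d "$root/var/lib/selinux/targeted" ]        # "targeted" store name assumed
}
```

Run `seed_policy_store` once with an empty scratch root to see the seeding, and again to see it leave the populated store alone; `store_present` returning false before the copy is the state the reply points out policy loading would hit if it ran before /var was mounted.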