On 11.6.2015 at 14:42 Colin Walters wrote:
> On Thu, Jun 11, 2015, at 06:51 AM, Jan Kurik wrote:
>> = Proposed System Wide Change: SELinux policy store migration =
>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>
>> Change owner(s):
>> * Petr Lautrbach <plautrba at redhat dot com>
>> * Miroslav Grepl <mgrepl at redhat dot com>
>>
>> The newest SELinux userspace project release 2015-02-02 includes a change of the location of the SELinux policy store, which defaults to /var/lib/selinux/.
>
> This will need to support having an empty /var on boot in order to be compatible
> with both rpm-ostree and the systemd factory reset work. For most of user space,
> the simplest implementation of this is to just have a systemd-tmpfiles unit that
> copies data on startup. But policy is currently loaded very early after switch root. This
> will require that /var be mounted too.

Actually, the policy will still be loaded from /etc/selinux/. The migration will affect the policy store, which is used for rebuilding policy from modules and from other local changes. So a system could boot with an empty /var if it's needed. However, we'll probably need to provide systemd-tmpfiles units in each selinux-policy-* subpackage to create the necessary directory structure.

> It will also mean rpm-ostree rollbacks by default won't affect the selinux policy, which is
> a major and unfortunate change.
>
> The listed benefit is:
>
> -moving the policy store out of /etc
> user could easily get back Factory setup by removing a directory out of /etc

The sub part is not listed anymore. And it's not even true.

> Note that OSTree provides that today - all the /etc defaults are copied into
> /usr/etc, so at any point you can easily reset things. (This is different from
> the systemd effort for an empty /etc).
>
> It seems far simpler to just keep things in /etc, but teach the tools to read
> /usr. Then *only if* I create a custom local policy, my changes are tracked
> in /etc, and the local compiled policy file lives there too.

Thanks for your comments,

Petr

--
Petr Lautrbach
Attachment:
signature.asc
Description: OpenPGP digital signature
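As an added illustration of the split Petr describes (the kernel-loaded policy stays under /etc/selinux, the module store used only for rebuilding policy moves to /var/lib/selinux), here is a POSIX shell check. It is not code from the Change page or from the SELinux project. Given a hypothetical ROOT prefix so it can be run against a staged tree, it reports whether the compiled policy file exists under /etc, whether the store exists under /var, and recreates the empty store skeleton the way a systemd-tmpfiles unit would after a factory reset empties /var. The store layout `<type>/active/modules` and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Change page or the SELinux project).
# ROOT is a hypothetical prefix so the check can run against a staged tree.
set -u

# Policy type from /etc/selinux/config (e.g. "targeted"); empty if unset.
selinux_policy_type() {
    root="${1:-}"
    cfg="$root/etc/selinux/config"
    [ -r "$cfg" ] || return 1
    sed -n 's/^SELINUXTYPE=\([^[:space:]]*\).*/\1/p' "$cfg" | tail -n 1
}

# "ok" if the compiled policy the kernel loads early at boot is under /etc,
# i.e. the half of the split that does not depend on /var being mounted.
loaded_policy_status() {
    root="${1:-}"; ptype="$2"
    if ls "$root/etc/selinux/$ptype/policy"/policy.[0-9]* >/dev/null 2>&1; then
        echo ok
    else
        echo missing
    fi
}

# "ok" if the module store (needed only to rebuild policy, e.g. by semodule)
# exists under /var/lib/selinux; "missing" after a reset that empties /var.
policy_store_status() {
    root="${1:-}"; ptype="$2"
    if [ -d "$root/var/lib/selinux/$ptype/active/modules" ]; then
        echo ok
    else
        echo missing
    fi
}

# Recreate the empty store skeleton, the job a tmpfiles unit would do.
# The active/modules layout is an assumption about the libsemanage store.
ensure_policy_store() {
    root="${1:-}"; ptype="$2"
    mkdir -p "$root/var/lib/selinux/$ptype/active/modules" || return 1
    chmod 0755 "$root/var/lib/selinux" "$root/var/lib/selinux/$ptype"
}

# One-line summary: boot needs only the /etc half; semodule needs both.
report() {
    root="${1:-}"
    ptype="$(selinux_policy_type "$root")" && [ -n "$ptype" ] || {
        echo "no SELINUXTYPE in $root/etc/selinux/config"; return 1; }
    echo "type=$ptype loaded=$(loaded_policy_status "$root" "$ptype") store=$(policy_store_status "$root" "$ptype")"
}
```

Run it as `report /` on a live system, or `report /path/to/staged-tree` on a build root; a result of `loaded=ok store=missing` is exactly the state an empty /var produces, and `ensure_policy_store` shows what the per-subpackage tmpfiles units would need to provide.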
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct