Re: F23 System Wide Change: SELinux policy store migration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dne 11.6.2015 v 14:42 Colin Walters napsal(a):
> On Thu, Jun 11, 2015, at 06:51 AM, Jan Kurik wrote:
>> = Proposed System Wide Change: SELinux policy store migration =
>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>
>> Change owner(s):
>> * Petr Lautrbach <plautrba at redhat dot com>
>> * Miroslav Grepl <mgrepl at redhat dot com>
>>
>> The newest SELinux userspace project release 2015-02-02 includes a change of the location of the SELinux policy store, which defaults to /var/lib/selinux/. 
> 
> This will need to support having an empty /var on boot in order to be compatible
> with both rpm-ostree and the systemd factory reset work.  For most of user space,
> the simplest implementation of this is to just have a systemd-tmpfiles unit that
> copies data on startup.  But policy is currently loaded very early after switch root.  This
> will require that /var be mounted too.

Actually, the policy will be still loaded from /etc/selinux/. The
migration will affect the policy store which is used for rebuilding
policy from modules and from other local changes. So a system could boot
with empty /var if it's needed.

However, we'll probably need to provide  systemd-tmpfiles units in each
selinux-policy-* subpackage to create necessary directory structure.


> It will also mean rpm-ostree rollbacks by default won't affect the selinux policy, which is
> a major and unfortunate change.
> 
> The listed benefit is:
> 
>  -moving the policy store out of /etc
>     user could easily get back Factory setup by removing a directory out of /etc

The sub part is not listed anymore. And it's not even true.

> 
> Note that OSTree provides that today - all the /etc defaults are copied into
> /usr/etc, so at any point you can easily reset things.  (This is different from
> the systemd effort for an empty /etc).
> 
> It seems far simpler to just keep things in /etc, but teach the tools to read
> /usr.  Then *only if* I create a custom local policy, my changes are tracked
> in /etc, and the local compiled policy file lives there too.
> 

Thanks for your comments,

Petr
-- 
Petr Lautrbach

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux