On 06/12/2015 12:17 PM, Lennart Poettering wrote:
> On Thu, 11.06.15 06:51, Jan Kurik (jkurik@xxxxxxxxxx) wrote:
>
>> = Proposed System Wide Change: SELinux policy store migration =
>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>
> I cannot make sense of this with my limited selinux knowledge, could
> you please elaborate on this on the changes page for people like me
> who only have a superficial understanding of selinux?

Yeap, we are working on it.

Basically, the binary policy file (/etc/selinux/targeted/policy/policy.29) loaded into the kernel is built from SELinux policy modules. These modules are currently located in /etc/selinux/targeted/modules, and we call this the "module store". This store is now moved to /var/lib/selinux/targeted/modules.

This only affects tools like semanage and semodule, which are used for policy manipulation. So we are able to boot without /var also from the SELinux point of view.

Thanks,
Mirek

> For example:
>
> What is the "policy store"? Is that the compiled policy blob uploaded
> into the kernel? And if not, what is it?
>
> We support /var being split off and be mounted only very late at
> boot. Is that a problem for this proposal, and if not, why not?
>
> Does this require changes in systemd? Does this require changes
> anywhere in the core OS, outside of selinux' own userspace?
>
> And so on...
>
> Lennart
>

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct