On 13.6.2015 at 19:07, Lennart Poettering wrote:
> On Fri, 12.06.15 19:00, Miroslav Grepl (mgrepl@xxxxxxxxxx) wrote:
>
>> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
>>> On Thu, 11.06.15 06:51, Jan Kurik (jkurik@xxxxxxxxxx) wrote:
>>>
>>>> = Proposed System Wide Change: SELinux policy store migration =
>>>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>>
>>> I cannot make sense of this with my limited selinux knowledge, could
>>> you please elaborate on this on the changes page for people like me
>>> who only have a superficial understanding of selinux?
>>
>> Yeap, we are working on it.
>>
>> Basically the binary policy file
>> (/etc/selinux/targeted/policy/policy.29) loaded to kernel is built from
>> SELinux policy modules. These modules are currently located in
>> /etc/selinux/targeted/modules and we call it as a "module store". This
>> store is now moved to /var/lib/selinux/targeted/modules. This only
>> affects tools like semanage, semodule which are used for a policy
>> manipulation. So we are able to boot without /var also from SELinux
>> point of view.
>
> Why /var and not /usr?
>
> If these module files are shipped with RPMs as vendor versions they
> belong in /usr, no?
>
> What makes this appropriate for moving them to /var?
>

Albeit modules are shipped with RPM, SELinux tools (semanage, semodule)
work on this storage to make intended changes. When you enable or disable
modules, when you install modules, when you do changes in SELinux users,
logins and booleans, it's done in SELinux store.

Petr

--
Petr Lautrbach
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct