On 15.6.2015 at 12:15, Lennart Poettering wrote:
> On Mon, 15.06.15 11:15, Petr Lautrbach (plautrba@xxxxxxxxxx) wrote:
>
>> On 13.6.2015 at 19:07, Lennart Poettering wrote:
>>> On Fri, 12.06.15 19:00, Miroslav Grepl (mgrepl@xxxxxxxxxx) wrote:
>>>
>>>> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
>>>>> On Thu, 11.06.15 06:51, Jan Kurik (jkurik@xxxxxxxxxx) wrote:
>>>>>
>>>>>> = Proposed System Wide Change: SELinux policy store migration =
>>>>>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>>>>
>>>>> I cannot make sense of this with my limited selinux knowledge, could
>>>>> you please elaborate on this on the changes page for people like me
>>>>> who only have a superficial understanding of selinux?
>>>>
>>>> Yeap, we are working on it.
>>>>
>>>> Basically the binary policy file
>>>> (/etc/selinux/targeted/policy/policy.29) loaded to kernel is built from
>>>> SELinux policy modules. These modules are currently located in
>>>> /etc/selinux/targeted/modules and we call it a "module store". This
>>>> store is now moved to /var/lib/selinux/targeted/modules. This only
>>>> affects tools like semanage, semodule which are used for policy
>>>> manipulation. So we are able to boot without /var also from the SELinux
>>>> point of view.
>>>
>>> Why /var and not /usr?
>>>
>>> If these module files are shipped with RPMs as vendor versions they
>>> belong in /usr, no?
>>>
>>> What makes this appropriate for moving them to /var?
>>>
>>
>> Albeit modules are shipped with RPM, SELinux tools (semanage, semodule)
>> work on this storage to make intended changes. When you enable or
>> disable modules, when you install modules, when you do changes in
>> SELinux users, logins and booleans, it's done in the SELinux store.
>
> Hmm, I am really not a fan of packages that ship static vendor payload
> in /var. That sounds really wrong.
>
> Can't you make this work so that
> only the admin changes end up in /var, but the static data from the
> vendor stays unmodified in /usr? i.e. so that the selinux tools read
> from both directories, and data from /var when in doubt overrides the
> one from /usr?

Right now, we just adopt the new upstream release which doesn't support
multiple locations for the SELinux store.

> The reason I am asking for this: with the stateless system logic we in
> the systemd project and the Atomic folks work on we kinda want to
> ensure that /var only contains data that can be reconstructed at boot
> if necessary, and is hence "unessential". This is useful to implement
> stateless systems and "factory reset" operations, where /var is empty
> on every boot or /var is simply flushed out at times.
>
> Hence: vendor data that stays static should stay in /usr please, and
> only local changes should end up in /var.

This kind of system setup seems reasonable and we'll try to work on it
for future upstream and Fedora releases.

>
> (Note though that we never asked Fedora formally to support a scheme
> like this, hence what Atomic and we have in mind there is in no way a
> Fedora goal so far, but it would be nice to support this anyway...)
>

Thanks for your comments,

Petr

--
Petr Lautrbach
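The layered lookup Lennart describes (vendor modules stay read-only under /usr, the admin's changes live in /var, and /var wins when both have a module of the same name) can be sketched in a few shell functions. The block below is an added example written for this thread; it is not code from libsemanage, semodule or the Fedora change, and it does not model the real store layout. The vendor path `/usr/share/selinux/targeted/modules`, the function names and the sample module files are assumptions constructed for the demo; everything runs inside a temporary directory so no real system state is touched.

```shell
#!/bin/sh
# Added example, not part of the thread or of the SELinux tools:
# a two-layer module lookup where a local layer (/var) overrides a
# vendor layer (/usr). Paths are assumptions for the demonstration.

VENDOR_DIR="${VENDOR_DIR:-/usr/share/selinux/targeted/modules}"  # assumed vendor layer
LOCAL_DIR="${LOCAL_DIR:-/var/lib/selinux/targeted/modules}"      # local layer named in the thread

# resolve_module NAME: print the path of NAME, preferring the local
# layer over the vendor layer. Returns 1 if neither layer has it.
resolve_module() {
    name=$1
    for dir in "$LOCAL_DIR" "$VENDOR_DIR"; do
        if [ -f "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# list_modules: merged view of both layers, one name per line,
# sorted and deduplicated (a module present in both shows up once).
list_modules() {
    for dir in "$LOCAL_DIR" "$VENDOR_DIR"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            if [ -f "$f" ]; then
                printf '%s\n' "${f##*/}"
            fi
        done
    done | sort -u
}

# setup_demo_layout: build a constructed two-layer tree under a temp
# directory and point VENDOR_DIR / LOCAL_DIR at it (sets DEMO_ROOT).
setup_demo_layout() {
    DEMO_ROOT=$(mktemp -d)
    VENDOR_DIR="$DEMO_ROOT/usr/share/selinux/targeted/modules"
    LOCAL_DIR="$DEMO_ROOT/var/lib/selinux/targeted/modules"
    mkdir -p "$VENDOR_DIR" "$LOCAL_DIR"
    printf 'vendor build of httpd\n' > "$VENDOR_DIR/httpd"   # constructed sample
    printf 'vendor build of sshd\n'  > "$VENDOR_DIR/sshd"    # constructed sample
    printf 'admin-modified httpd\n'  > "$LOCAL_DIR/httpd"    # local override
    printf 'site-local module\n'     > "$LOCAL_DIR/mysite"   # local-only module
}

# flush_local_layer: simulate the "factory reset" / empty /var at boot
# case from the thread by discarding the whole local layer.
flush_local_layer() {
    rm -rf "$LOCAL_DIR"
}

# Walk through the scenario when run directly.
setup_demo_layout
echo "merged view:            $(list_modules | tr '\n' ' ')"
echo "httpd resolves to:      $(resolve_module httpd)"
echo "sshd resolves to:       $(resolve_module sshd)"
flush_local_layer
echo "after flushing /var:"
echo "  httpd resolves to:    $(resolve_module httpd)"
resolve_module mysite || echo "  mysite: gone with the local layer, no vendor fallback"
rm -rf "$DEMO_ROOT"
```

The two lookups after `flush_local_layer` are the point of the design: a vendor module survives an empty /var because /usr still holds it, while a module that only ever existed locally is exactly the kind of "unessential" state the stateless-system argument says /var should be allowed to lose.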
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct