Could all of this be done with links? I.e., could you install
selinux-policy into

/usr/share/selinux/TARGETED/base/*.pp
/usr/share/selinux/TARGETED/custom/*.pp

Then we reassemble these modules with custom modules in /var/lib/selinux/TARGETED/ supplied by administrators?

On 06/15/2015 05:15 AM, Petr Lautrbach wrote:
> On 13.6.2015 at 19:07, Lennart Poettering wrote:
>> On Fri, 12.06.15 19:00, Miroslav Grepl (mgrepl@xxxxxxxxxx) wrote:
>>> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
>>>> On Thu, 11.06.15 06:51, Jan Kurik (jkurik@xxxxxxxxxx) wrote:
>>>>> = Proposed System Wide Change: SELinux policy store migration =
>>>>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>>>
>>>> I cannot make sense of this with my limited selinux knowledge, could
>>>> you please elaborate on this on the changes page for people like me
>>>> who only have a superficial understanding of selinux?
>>>
>>> Yeap, we are working on it.
>>>
>>> Basically the binary policy file
>>> (/etc/selinux/targeted/policy/policy.29) loaded into the kernel is built
>>> from SELinux policy modules. These modules are currently located in
>>> /etc/selinux/targeted/modules and we call it a "module store".
>>>
>>> This store is now moved to /var/lib/selinux/targeted/modules. This
>>> only affects tools like semanage, semodule which are used for
>>> policy manipulation. So we are able to boot without /var also from
>>> the SELinux point of view.
>>
>> Why /var and not /usr? If these module files are shipped with RPMs as
>> vendor versions they belong in /usr, no? What makes this appropriate
>> for moving them to /var?
>
> Although modules are shipped with RPM, SELinux tools (semanage, semodule)
> work on this storage to make intended changes. When you enable or
> disable modules, when you install modules, when you make changes to SELinux
> users, logins and booleans, it's done in the SELinux store.
>
> Petr
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct