Re: [PATCH 13/13] semanage store migration script

On Fri, 2010-01-08 at 15:59 -0500, James Carter wrote:
> On Fri, 2010-01-08 at 10:34 -0500, Stephen Smalley wrote: 
> > On Wed, 2009-12-23 at 18:26 -0500, Caleb Case wrote:
> > > We created a migration script to ease the burden of transition from the
> > > old libsemanage store layout to the new. The script will detect all the
> > > stores in /etc/selinux using the old layout and convert them to the new
> > > layout in /var/lib/selinux. It also allows you to specify the default
> > > priority to use with -p and store to operate on with -s. After migration
> > > the script by default will leave the old store unchanged, but can be
> > > told to remove the old modules directory with -c.
> > > 
> > > Examples:
> > > 
> > > # Migrate all stores to the new layout.
> > > migrate.py
> > > 
> > > Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
> > > Attempting to rebuild policy from /var/lib/selinux
> > > 
> > > # Migrate only the targeted store.
> > > migrate.py -s targeted
> > > 
> > > Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
> > > Attempting to rebuild policy from /var/lib/selinux
> > > 
> > > # Migrate all, but install to priority 150.
> > > migrate.py -p 150
> > > 
> > > Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
> > > Attempting to rebuild policy from /var/lib/selinux
> > 
> > I tried the following:
> > semanage login -a -s user_u pi
> > cp -a /etc/selinux /etc/selinux.orig
> > install new userland
> > migrate.py
> > diff -ru /etc/selinux.orig /etc/selinux
> > 
> > The seusers entry for "pi" was dropped from the final seusers file in
> > the rebuilt policy.
> > 
> 
> I saw the same thing.  I added a new login, but it does not show up
> after the migration with "semanage login -l" even though it is
> in /var/lib/selinux/targeted/active/seusers and seusers.final.

I also noticed that /etc/selinux/targeted/seusers lacks the header
comments (This file is auto-generated...).  Searching /var/lib/selinux
for a matching file, I find only one file - the seusers file in the
minimum policy tree.  How that ends up getting installed as the seusers
file for targeted is a mystery to me...

-- 
Stephen Smalley
National Security Agency
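
A check for the regression reported in this thread, as an added example that is not part of the original messages or of migrate.py: it compares the login mappings in a pre-migration copy of seusers (such as the one under /etc/selinux.orig) with the installed file after migration. The function names and sample contents are constructed, and it assumes the colon-separated `login:seuser[:range]` seusers line format.

```python
import sys

# Constructed sample contents, not taken from the systems discussed in the thread.
SAMPLE_BEFORE = """\
# header comment (constructed)
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
pi:user_u:s0
"""
SAMPLE_AFTER = """\
root:unconfined_u:s0-s0:c0.c1023
__default__:user_u:s0
"""


def parse_seusers(text):
    """Return {login: (seuser, mls_range)} from seusers file contents."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        # Split at most twice: the range itself contains colons (s0-s0:c0.c1023).
        parts = line.split(":", 2)
        if len(parts) >= 2:
            mappings[parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return mappings


def diff_mappings(before, after):
    """Return (dropped, changed) login names going from before to after."""
    dropped = sorted(name for name in before if name not in after)
    changed = sorted(n for n in before if n in after and before[n] != after[n])
    return dropped, changed


def check_files(before_path, after_path):
    """Compare two seusers files on disk."""
    with open(before_path) as f:
        before = parse_seusers(f.read())
    with open(after_path) as f:
        after = parse_seusers(f.read())
    return diff_mappings(before, after)


if __name__ == "__main__":
    # With two paths, compare those files; otherwise run on the constructed samples.
    if len(sys.argv) == 3:
        dropped, changed = check_files(sys.argv[1], sys.argv[2])
    else:
        dropped, changed = diff_mappings(parse_seusers(SAMPLE_BEFORE),
                                         parse_seusers(SAMPLE_AFTER))
    for name in dropped:
        print(f"dropped: {name}")
    for name in changed:
        print(f"changed: {name}")
    sys.exit(1 if dropped or changed else 0)
```

Run with the saved and the current seusers paths as arguments; a non-zero exit status means at least one mapping was dropped or altered by the migration.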

