On 07/10/2014 02:51 AM, Dominick Grift wrote:
> On Wed, 2014-07-09 at 15:21 -0400, Steve Lawrence wrote:
>> In January, we sent an RFC [1] to update userspace to integrate CIL
>> [2] and source policy. And in April, we sent an updated RFC [3] which
>> added support for high level languages and a tool to convert policy
>> package (pp) files to CIL. After getting some good feedback, we have
>> made some more changes, mostly to maintain ABI compatibility. The
>> major changes made since the last patchset are:
>
> <snip>
>
> After associating user john with staff_u, john's home directory is
> properly labeled (staff_u associated with /home/john). However, what is
> strange here is that I cannot see staff_u home dir context specs
> in /var/lib/selinux/targeted/active/modules/file_contexts.homedirs
>
> Am I looking in the wrong place? How does SELinux know that staff_u
> needs to be associated with /home/john?
>

In the current upstream, file_contexts.homedirs is autogenerated and created in /etc/selinux/targeted/modules/active/ before it is copied to /etc/selinux/targeted/contexts/files. This file is not removed from the store, so it actually exists in two places.

However, with the new source policy work, file_contexts.homedirs is generated in a temporary sandbox (not the policy store). The contents of the sandbox are copied to /etc/selinux, and then deleted at the end of the transaction. So the new source policy infrastructure no longer stores intermediate/final build files in the policy store. However, the migration script copies all the files from the old store to the new store, even including autogenerated files that the new source policy infrastructure will never look at or touch.

This is just a bug in the migration script. We've updated the migration script to only migrate the files that actually need to be migrated (mostly *.local files). This has been rebased/pushed to github #integration branch.
Aside from the discussions regarding disk requirements, I think this is the last known issue.