On 07/18/2014 12:00 PM, Steve Lawrence wrote:
> On 07/10/2014 02:51 AM, Dominick Grift wrote:
>> On Wed, 2014-07-09 at 15:21 -0400, Steve Lawrence wrote:
>>> In January, we sent an RFC [1] to update userspace to integrate CIL
>>> [2] and source policy. And in April, we sent an updated RFC [3] which
>>> added support for high level languages and a tool to convert policy
>>> package (pp) files to CIL. After getting some good feedback, we have
>>> made some more changes, mostly to maintain ABI compatibility. The
>>> major changes made since the last patchset are:
>>
>> <snip>
>>
>>
>> After associating user john with staff_u, john's home directory is
>> properly labeled (staff_u associated with /home/john). However, what is
>> strange here is that I cannot see staff_u home dir context specs
>> in /var/lib/selinux/targeted/active/modules/file_contexts.homedirs
>>
>> Am I looking in the wrong place? How does SELinux know that staff_u
>> needs to be associated with /home/john
>>
>
> In the current upstream, file_contexts.homedirs is autogenerated and
> created in /etc/selinux/targeted/modules/active/ before it is copied to
> /etc/selinux/targeted/contexts/files. This file is not removed from the
> store, so it actually exists in two places.
>
> However, with the new source policy work, file_contexts.homedirs is
> generated in a temporary sandbox (not the policy store). The contents of
> the sandbox are copied to /etc/selinux, and then deleted at the end of
> the transaction. So the new source policy infrastructure no longer
> stores intermediate/final build files in the policy store.
>
> However, the migration script copies all the files from the old store to
> the new store, even including autogenerated files that the new source
> policy infrastructure will never look at or touch. This is just a bug in
> the migration script. We've updated the migration script to only migrate
> the files that actually need to be migrated (mostly *.local files).
> This has been rebased/pushed to github #integration branch.

If I run semanage_migrate_etc_to_var.py -n on a clean (no /var/lib/selinux
at all) system, the /var/lib/selinux/targeted/active directory contains a
homedir_template and a netfilter_contexts file in addition to the modules
(and commit_num). The first file is automatically extracted from all of the
file contexts during build and the second is unused these days. If I then
run semodule -B (or omit the -n option on migration), I further have
file_contexts.template and users_extra files under active, both of which
are also generated. I can delete all four files and regenerate all but
netfilter_contexts via semodule -B.
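As an added illustration of the point made in the thread (this is not code from the thread or from the SELinux userspace project), the small POSIX shell script below classifies the files found in a policy store's active directory into the autogenerated names listed above (homedir_template, netfilter_contexts, file_contexts.template, users_extra), the *.local files the migration script is meant to carry over, and everything else. The only facts it relies on are the file names quoted in the messages; the directory layout /var/lib/selinux/<store>/active is assumed, and the sample store it builds in a temporary directory is constructed for the example rather than taken from a real system.

```shell
#!/bin/sh
# Added example, not part of the thread: audit a policy store "active"
# directory for files that a policy build regenerates versus files that
# actually need to be migrated. Names come from the messages above; the
# store layout (/var/lib/selinux/<store>/active) is an assumption.

# Files the thread identifies as generated during a policy build.
# Note: the thread says all of these except netfilter_contexts come back
# after `semodule -B`; netfilter_contexts is described as unused.
GENERATED_FILES="homedir_template netfilter_contexts file_contexts.template users_extra"

# Print "generated", "local" or "other" for one file path.
classify_store_file() {
    name=$(basename "$1")
    for g in $GENERATED_FILES; do
        if [ "$name" = "$g" ]; then
            echo generated
            return 0
        fi
    done
    case "$name" in
        *.local) echo local ;;   # per-store customisations worth migrating
        *)       echo other ;;   # e.g. commit_num; not classified here
    esac
}

# Count regular files of a given class directly under a store directory
# (subdirectories such as modules/ are skipped).
count_class() {
    dir=$1
    want=$2
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify_store_file "$f")" = "$want" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample store mimicking the listing described after
# `semodule -B`; it lives in a temporary directory, not under /var/lib.
make_sample_store() {
    dir=$(mktemp -d)
    mkdir -p "$dir/modules"
    for f in homedir_template netfilter_contexts file_contexts.template \
             users_extra commit_num file_contexts.local seusers.local; do
        : > "$dir/$f"
    done
    echo "$dir"
}

# Usage (stand-alone): report the split for a constructed store.
if [ "${1:-}" = "--demo" ]; then
    store=$(make_sample_store)
    echo "generated: $(count_class "$store" generated)"
    echo "local:     $(count_class "$store" local)"
    echo "other:     $(count_class "$store" other)"
    rm -rf "$store"
fi
```

Run it with `--demo` to see the breakdown for the constructed store, or point `count_class` at a real store's active directory to see how many of its files are ones a rebuild would recreate anyway.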