Hi,

Currently there's a conflict between the way OSTree handles config files (modified version in /etc wins, see https://ostree.readthedocs.org/en/latest/manual/deployment/ ) and SELinux, because the policy lives in /etc.

The core problem is that right now, as soon as one modifies the policy, that binary version is propagated forwards until the admin reruns `semodule -B` (and really you want to run it for the *new* chroot).

A few of us from Red Hat talked about this at Devconf.cz, and I filed: https://bugzilla.gnome.org/show_bug.cgi?id=761620

The first question from the bug is:

- Can we detect "is the policy changed"? Probably cmp /{usr/,}etc/selinux/targeted/policy/policy.29 - but is there an API for that?

I was briefly looking at this again today, started by reading the semodule code.

The first question is most important to me - right now, by nature of having the immutable copy in /etc, OSTree itself can help me know whether policy is modified. But I have to know the policy path and version.

I started reading the code in selinux/libselinux/src/load_policy.c around finding out "what is the current policy version", and while selinux_binary_policy_path() will tell me the prefix, the code around detecting the version number is rather nontrivial[1].

The libsemanage code has some layers here that seem to ultimately boil down to picking the largest version known to libsemanage, but here I need logic more like what load_policy is doing (I want to know the current binary version, not generate a new one).

Maybe we could add a public API for this? Alternatively, have `semodule -B --only-if-modified` or something that would immediately exit if there's nothing to do?

The above text covers the first question; the second one from the bug is:

- Can we efficiently detect the case where on upgrade, the base policy version didn't change, so we don't need to recompile, and just propagate forward our modified policy from /etc?

This one is actually a different "policy version"; I should have written "policy RPM package version" or so. This one is probably relatively simple to do in rpm-ostree, just compare the EVRs of the policy package, but is there some sort of package-system independent version (like a checksum of the .pp files) that I could use?

[1] What is up with the dlopen? It'd be nice to have a comment in this code; the git commit message just says "initial import from svn trunk revision 2950" and I'm too lazy right now to install Subversion in the hopes that contains a useful log message.
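The "is the policy changed" check from the first question, written out as an added example (this is not code from the mail, from OSTree or from the SELinux userspace): it reads the store name from `<root>/etc/selinux/config`, picks the highest-numbered `policy.N` in the store's `policy/` directory as an approximation of the version that `load_policy` would choose, and then compares the copy under `/etc` against the pristine copy OSTree keeps under `/usr/etc`. The root directory argument, the function names and the assumption that the highest-numbered file is the one in use are all mine; a differing version number is treated as "needs a rebuild" since there is definitely something to do in that case.

```shell
#!/bin/sh
# Added example: decide whether `semodule -B` can be skipped on an OSTree
# deployment by comparing the binary policy in /etc with the tree's copy in
# /usr/etc. Assumes (my convention, not OSTree's) that the tree root is $1.
# Usage: . ./policy-status.sh; policy_status /   # or policy_status /path/to/deployment

# Print the SELINUXTYPE configured in <root>/etc/selinux/config (default "targeted").
selinux_type() {
    root=$1
    cfg="$root/etc/selinux/config"
    st=""
    if [ -r "$cfg" ]; then
        st=$(sed -n 's/^SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)
    fi
    printf '%s\n' "${st:-targeted}"
}

# Print the path of the highest-numbered policy.N in <dir>; prints an empty
# line when the directory holds no binary policy at all.
latest_policy() {
    dir=$1
    best=""
    bestver=-1
    for f in "$dir"/policy.*; do
        [ -f "$f" ] || continue
        ver=${f##*.}
        # Skip anything whose suffix is not a plain decimal version number.
        case $ver in *[!0-9]*|'') continue ;; esac
        if [ "$ver" -gt "$bestver" ]; then
            bestver=$ver
            best=$f
        fi
    done
    printf '%s\n' "$best"
}

# Compare <root>/etc/selinux/<store>/policy/policy.N with the pristine copy
# under <root>/usr/etc. Prints "modified", "unchanged" or "missing" and returns
# 0, 1 or 2 respectively, so callers can write:
#   if policy_status /; then semodule -B; fi
policy_status() {
    root=${1:-/}
    store=$(selinux_type "$root")
    cur=$(latest_policy "$root/etc/selinux/$store/policy")
    orig=$(latest_policy "$root/usr/etc/selinux/$store/policy")
    if [ -z "$cur" ] || [ -z "$orig" ]; then
        echo missing
        return 2
    fi
    # Different policy.N suffixes (e.g. a libsepol upgrade bumped the version):
    # the /etc copy cannot simply be carried forward, so report it as modified.
    if [ "${cur##*.}" != "${orig##*.}" ]; then
        echo modified
        return 0
    fi
    if cmp -s "$cur" "$orig"; then
        echo unchanged
        return 1
    fi
    echo modified
    return 0
}
```

Because OSTree keeps `/usr/etc` immutable, a byte comparison against it is enough to answer "did the admin change the policy on this deployment"; it does not answer the second question (whether the package's base policy changed between two trees), which needs the comparison to be made between the old and new `/usr/etc` copies instead.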