Hi folks, currently yes. Users are not able to manage the SELinux policy on Atomic Hosts because the SELinux policy module store is located in /var/lib/selinux and there are no files in this directory after a factory reset. See https://bugzilla.redhat.com/show_bug.cgi?id=1290659 for more details.

What is the core problem? Atomic uses RPM-OSTree with an empty /var after factory reset. It means that there are no policy modules stored in /var/lib/selinux.

What does it mean? Failing SELinux tools like semanage/semodule if a user tries to manage/change the SELinux policy. https://github.com/cockpit-project/cockpit/issues/3326#issuecomment-166414809

How could we solve it? We introduced a new selinux-policy-atomic package with the policy module store moved back to /etc. It needs to be installed together with two changes in configuration files - /etc/selinux/config and /etc/selinux/semanage.conf

Our proposed solution is that Atomic would be composed with selinux-policy-atomic instead of selinux-policy-targeted and with changed configuration files.

Does it make sense for you?

Thank you.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
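A check for the failure state described in the post (an empty policy module store after a factory reset), as an added example that is not part of the original message: it reads SELINUXTYPE from an /etc/selinux/config-style file and store-root from a semanage.conf-style file, then reports whether the resulting store directory holds any modules. The `store-root` key, its /var/lib/selinux default and the `<store-root>/<SELINUXTYPE>/active/modules` layout are assumed from libsemanage, not taken from the post; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): find the SELinux module
# store that semanage/semodule would use and check that it is populated.
# Assumed layout: <store-root>/<SELINUXTYPE>/active/modules (libsemanage),
# semanage.conf key "store-root" with default /var/lib/selinux.

# Read SELINUXTYPE from an /etc/selinux/config-style file; default "targeted".
selinux_type() {
    st=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${st:-targeted}"
}

# Read store-root from a semanage.conf-style file; default /var/lib/selinux.
store_root() {
    sr=$(sed -n 's/^store-root[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${sr:-/var/lib/selinux}"
}

# Print the directory holding the active modules for config file $1
# and semanage.conf file $2.
module_dir() {
    printf '%s/%s/active/modules\n' "$(store_root "$2")" "$(selinux_type "$1")"
}

# Return 0 if the store contains at least one module file, 1 if it is
# missing or empty (the post-factory-reset state the post describes).
store_populated() {
    md=$(module_dir "$1" "$2")
    [ -d "$md" ] || return 1
    find "$md" -type f | head -n 1 | grep -q .
}

# Constructed demo: a store under a temporary root, empty first, then with
# one fake module file added so the check flips to "populated".
demo() {
    tmp=$(mktemp -d)
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmp/config"
    printf 'store-root = %s/store\n' "$tmp" > "$tmp/semanage.conf"
    if store_populated "$tmp/config" "$tmp/semanage.conf"; then
        echo "store populated"
    else
        echo "empty or missing store: $(module_dir "$tmp/config" "$tmp/semanage.conf")"
    fi
    mkdir -p "$tmp/store/targeted/active/modules/100/base"
    : > "$tmp/store/targeted/active/modules/100/base/cil"
    store_populated "$tmp/config" "$tmp/semanage.conf" && echo "store populated"
    rm -rf "$tmp"
}

demo
```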