On Thu, Jan 14, 2016 at 04:05:23PM +0100, Miroslav Grepl wrote:
> Hi folks,
> currently yes. Users are not able to manage the SELinux policy on Atomic
> Hosts because the SELinux policy module store is located in /var/lib/selinux
> and there are no files in this directory after a factory reset.
>
> See https://bugzilla.redhat.com/show_bug.cgi?id=1290659 for more details.
>
> What is the core problem?
>
> Atomic uses RPM-OSTree with an empty /var after a factory reset. It means

You mean after running ostree reset? Does it purge /var but not /etc?

> that there are no policy modules stored in /var/lib/selinux.
>
> What does it mean?
>
> Failing SELinux tools like semanage/semodule if a user tries to
> manage/change the SELinux policy.
>
> https://github.com/cockpit-project/cockpit/issues/3326#issuecomment-166414809
>
> How could we solve it?
>
> We introduced a new selinux-policy-atomic package with the policy module
> store moved back to /etc. It needs to be installed together with two
> changes in configuration files - /etc/selinux/config and
> /etc/selinux/semanage.conf
>
> Our proposed solution is that Atomic would be composed with
> selinux-policy-atomic instead of selinux-policy-targeted and with
> changed configuration files.

Can't semanage/semodule work with a stock (read-only) version in /usr, copying things to /var/lib when needed? Having binary content in /etc does not sound too nice.

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
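As an added example (not code from this thread or from the selinux-policy project), a POSIX shell preflight check that reads SELINUXTYPE from an /etc/selinux/config-style file and the store-root setting from a semanage.conf-style file, then reports whether the policy module store semanage/semodule would use is actually populated. It assumes libsemanage's `store-root` key (default /var/lib/selinux) and the `<store-root>/<type>/active/modules` layout; the two fixture hosts it builds (one with an empty /var after a reset, one with the store under /etc) are constructed.

```shell
#!/bin/sh
# Preflight: will semanage/semodule find a populated policy module store?
# All paths are parameters so the check can run against fixtures or a real host
# (e.g. /etc/selinux/semanage.conf and /etc/selinux/config).

selinux_store_root() {
    # $1: semanage.conf path; prints store-root, or libsemanage's default
    root=$(sed -n 's/^[[:space:]]*store-root[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    [ -n "$root" ] && printf '%s\n' "$root" || printf '%s\n' /var/lib/selinux
}

selinux_policy_type() {
    # $1: /etc/selinux/config path; prints SELINUXTYPE, or "targeted" if unset
    t=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    [ -n "$t" ] && printf '%s\n' "$t" || printf '%s\n' targeted
}

# Exit 0 if <store-root>/<type>/active/modules exists and holds modules,
# 1 if the store directory is missing or empty (the post-factory-reset case).
selinux_store_populated() {
    # $1: semanage.conf path, $2: selinux config path
    dir="$(selinux_store_root "$1")/$(selinux_policy_type "$2")/active/modules"
    [ -d "$dir" ] || return 1
    [ -n "$(ls -A "$dir" 2>/dev/null)" ]
}

# Constructed fixture: config files plus a store root, optionally populated
# with one module directory in the active/modules layout (hypothetical content).
make_fixture() {
    # $1: fixture dir, $2: store root to write into semanage.conf, $3: yes|no
    mkdir -p "$1"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$1/config"
    printf 'module-store = direct\nstore-root = %s\n' "$2" > "$1/semanage.conf"
    if [ "$3" = yes ]; then
        mkdir -p "$2/targeted/active/modules/100/base"
    else
        mkdir -p "$2"
    fi
}

demo() {
    base=$(mktemp -d)
    make_fixture "$base/reset" "$base/reset/var/lib/selinux" no      # empty /var
    make_fixture "$base/etcstore" "$base/etcstore/etc/selinux" yes   # store under /etc
    for h in reset etcstore; do
        if selinux_store_populated "$base/$h/semanage.conf" "$base/$h/config"; then
            echo "$h: policy store populated, semanage/semodule can run"
        else
            echo "$h: policy store missing or empty, semanage/semodule will fail"
        fi
    done
    rm -rf "$base"
}
```

Running `demo` prints one line per fixture host; on a real host, pass the two files under /etc/selinux instead.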