Could all of this be done with links? I.e. could you install selinux-policy into /usr/share/selinux/TARGETED/base/*.pp and /usr/share/selinux/TARGETED/custom/*.pp, then reassemble these modules with the custom modules in /var/lib/selinux/TARGETED/ supplied by administrators?

On 06/15/2015 05:15 AM, Petr Lautrbach wrote:
> On 13.6.2015 at 19:07, Lennart Poettering wrote:
>> On Fri, 12.06.15 19:00, Miroslav Grepl (mgr...@redhat.com) wrote:
>>
>>> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
>>>> On Thu, 11.06.15 06:51, Jan Kurik (jku...@redhat.com) wrote:
>>>>
>>>>> = Proposed System Wide Change: SELinux policy store migration =
>>>>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>>>
>>>> I cannot make sense of this with my limited selinux knowledge, could
>>>> you please elaborate on this on the changes page for people like me
>>>> who only have a superficial understanding of selinux?
>>>
>>> Yeap, we are working on it.
>>>
>>> Basically the binary policy file
>>> (/etc/selinux/targeted/policy/policy.29) loaded into the kernel is built from
>>> SELinux policy modules. These modules are currently located in
>>> /etc/selinux/targeted/modules and we call it a "module store". This
>>> store is now moved to /var/lib/selinux/targeted/modules. This only
>>> affects tools like semanage and semodule, which are used for policy
>>> manipulation. So we are able to boot without /var also from the SELinux
>>> point of view.
>>
>> Why /var and not /usr?
>>
>> If these module files are shipped with RPMs as vendor versions they
>> belong in /usr, no?
>>
>> What makes this appropriate for moving them to /var?
>>
> Although modules are shipped with RPM, SELinux tools (semanage, semodule)
> work on this storage to make intended changes. When you enable or
> disable modules, when you install modules, when you do changes in
> SELinux users, logins and booleans, it's done in the SELinux store.
>
> Petr
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
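Added example, not from the thread and not code of the Fedora or SELinux projects: a small POSIX sh helper that makes the split Miroslav describes concrete. The binary policy the kernel loads stays under /etc/selinux/<type>/policy/policy.N, which is all that is needed to boot with SELinux enabled, while the module store that semodule and semanage operate on moves from /etc/selinux/<type>/modules to /var/lib/selinux/<type>. The helper works against an arbitrary root directory so it can be exercised on a constructed tree; the function names and the use of an "active" subdirectory to recognise a store are assumptions of this example, not facts stated in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Locate the two SELinux policy artefacts
# the discussion distinguishes, for policy type $2 under root directory $1:
#   1. the binary policy the kernel loads: $ROOT/etc/selinux/$TYPE/policy/policy.N
#   2. the module store semodule/semanage edit, either the pre-migration
#      $ROOT/etc/selinux/$TYPE/modules or the migrated $ROOT/var/lib/selinux/$TYPE
# Assumption (not stated on the page): a store is recognised by an "active"
# subdirectory holding the checked-out modules.

# Print the path of the highest-numbered policy.N file, or fail if none exists.
selinux_kernel_policy() {
  root=$1; type=$2
  best=""; bestver=-1
  for f in "$root/etc/selinux/$type/policy"/policy.*; do
    [ -f "$f" ] || continue
    ver=${f##*.}
    # Skip anything whose suffix is not a plain policy version number.
    case $ver in *[!0-9]*) continue ;; esac
    if [ "$ver" -gt "$bestver" ]; then bestver=$ver; best=$f; fi
  done
  [ -n "$best" ] || return 1
  printf '%s\n' "$best"
}

# Print the module store directory, preferring the migrated /var/lib location
# when both layouts are present; fail if neither exists.
selinux_store_dir() {
  root=$1; type=$2
  if [ -d "$root/var/lib/selinux/$type/active" ]; then
    printf '%s\n' "$root/var/lib/selinux/$type"
  elif [ -d "$root/etc/selinux/$type/modules/active" ]; then
    printf '%s\n' "$root/etc/selinux/$type/modules"
  else
    return 1
  fi
}

# Answer "yes" if the store lives under /var (so /var must be mounted before
# semodule/semanage are usable, but not before the kernel policy can load at
# boot), "no" if it is still under /etc; fail if there is no store at all.
selinux_store_on_var() {
  store=$(selinux_store_dir "$1" "$2") || return 1
  case $store in
    "$1/var/lib/selinux/"*) echo yes ;;
    *) echo no ;;
  esac
}

# Usage on a live system: selinux_kernel_policy / targeted ; selinux_store_dir / targeted
```

On a live system `selinux_store_dir / targeted` points at the directory `semodule -l` reads its module list from, and `selinux_kernel_policy / targeted` at the file that is loaded at boot; with the migration applied the first is under /var and the second stays under /etc, which is the property that lets the system boot without /var.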