Re: F23 System Wide Change: SELinux policy store migration
On Mon, 15.06.15 11:15, Petr Lautrbach (plaut...@redhat.com) wrote:

> On 13.6.2015 at 19:07 Lennart Poettering wrote:
>> On Fri, 12.06.15 19:00, Miroslav Grepl (mgr...@redhat.com) wrote:
>>> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
>>>> On Thu, 11.06.15 06:51, Jan Kurik (jku...@redhat.com) wrote:
>>>>> = Proposed System Wide Change: SELinux policy store migration =
>>>>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>>>
>>>> I cannot make sense of this with my limited selinux knowledge, could
>>>> you please elaborate on this on the changes page for people like me
>>>> who only have a superficial understanding of selinux?
>>>
>>> Yeap, we are working on it.
>>>
>>> Basically the binary policy file (/etc/selinux/targeted/policy/policy.29)
>>> loaded into the kernel is built from SELinux policy modules. These modules
>>> are currently located in /etc/selinux/targeted/modules and we call it a
>>> module store. This store is now moved to /var/lib/selinux/targeted/modules.
>>> This only affects tools like semanage and semodule, which are used for
>>> policy manipulation. So we are able to boot without /var also from the
>>> SELinux point of view.
>>
>> Why /var and not /usr? If these module files are shipped with RPMs as
>> vendor versions they belong in /usr, no? What makes this appropriate for
>> moving them to /var?
>
> Albeit modules are shipped with RPM, SELinux tools (semanage, semodule)
> work on this storage to make intended changes. When you enable or disable
> modules, when you install modules, when you do changes in SELinux users,
> logins and booleans, it's done in the SELinux store.

Hmm, I am really not a fan of packages that ship static vendor payload in
/var. That sounds really wrong. Can't you make this work so that only the
admin changes end up in /var, but the static data from the vendor stays
unmodified in /usr? I.e. so that the selinux tools read from both
directories, and data from /var, when in doubt, overrides the one from /usr?

The reason I am asking for this: with the stateless system logic we in the
systemd project and the Atomic folks work on, we kinda want to ensure that
/var only contains data that can be reconstructed at boot if necessary, and
is hence unessential. This is useful to implement stateless systems and
factory reset operations, where /var is empty on every boot or /var is
simply flushed out at times. Hence: vendor data that stays static should
stay in /usr please, and only local changes should end up in /var.

(Note though that we never asked Fedora formally to support a scheme like
this, hence what Atomic and we have in mind there is in no way a Fedora
goal so far, but it would be nice to support this anyway...)

Lennart

--
Lennart Poettering, Red Hat

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: F23 System Wide Change: SELinux policy store migration
On 13.6.2015 at 19:07 Lennart Poettering wrote:
> On Fri, 12.06.15 19:00, Miroslav Grepl (mgr...@redhat.com) wrote:
>> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
>>> On Thu, 11.06.15 06:51, Jan Kurik (jku...@redhat.com) wrote:
>>>> = Proposed System Wide Change: SELinux policy store migration =
>>>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>>
>>> I cannot make sense of this with my limited selinux knowledge, could
>>> you please elaborate on this on the changes page for people like me
>>> who only have a superficial understanding of selinux?
>>
>> Yeap, we are working on it.
>>
>> Basically the binary policy file (/etc/selinux/targeted/policy/policy.29)
>> loaded into the kernel is built from SELinux policy modules. These modules
>> are currently located in /etc/selinux/targeted/modules and we call it a
>> module store. This store is now moved to /var/lib/selinux/targeted/modules.
>> This only affects tools like semanage and semodule, which are used for
>> policy manipulation. So we are able to boot without /var also from the
>> SELinux point of view.
>
> Why /var and not /usr? If these module files are shipped with RPMs as
> vendor versions they belong in /usr, no? What makes this appropriate for
> moving them to /var?

Albeit modules are shipped with RPM, SELinux tools (semanage, semodule)
work on this storage to make intended changes. When you enable or disable
modules, when you install modules, when you do changes in SELinux users,
logins and booleans, it's done in the SELinux store.

Petr

--
Petr Lautrbach
Re: F23 System Wide Change: SELinux policy store migration
On 15.6.2015 at 12:15 Lennart Poettering wrote:
> On Mon, 15.06.15 11:15, Petr Lautrbach (plaut...@redhat.com) wrote:
>> On 13.6.2015 at 19:07 Lennart Poettering wrote:
>>> On Fri, 12.06.15 19:00, Miroslav Grepl (mgr...@redhat.com) wrote:
>>>> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
>>>>> On Thu, 11.06.15 06:51, Jan Kurik (jku...@redhat.com) wrote:
>>>>>> = Proposed System Wide Change: SELinux policy store migration =
>>>>>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>>>>
>>>>> I cannot make sense of this with my limited selinux knowledge, could
>>>>> you please elaborate on this on the changes page for people like me
>>>>> who only have a superficial understanding of selinux?
>>>>
>>>> Yeap, we are working on it.
>>>>
>>>> Basically the binary policy file (/etc/selinux/targeted/policy/policy.29)
>>>> loaded into the kernel is built from SELinux policy modules. These modules
>>>> are currently located in /etc/selinux/targeted/modules and we call it a
>>>> module store. This store is now moved to /var/lib/selinux/targeted/modules.
>>>> This only affects tools like semanage and semodule, which are used for
>>>> policy manipulation. So we are able to boot without /var also from the
>>>> SELinux point of view.
>>>
>>> Why /var and not /usr? If these module files are shipped with RPMs as
>>> vendor versions they belong in /usr, no? What makes this appropriate for
>>> moving them to /var?
>>
>> Albeit modules are shipped with RPM, SELinux tools (semanage, semodule)
>> work on this storage to make intended changes. When you enable or disable
>> modules, when you install modules, when you do changes in SELinux users,
>> logins and booleans, it's done in the SELinux store.
>
> Hmm, I am really not a fan of packages that ship static vendor payload in
> /var. That sounds really wrong. Can't you make this work so that only the
> admin changes end up in /var, but the static data from the vendor stays
> unmodified in /usr? I.e. so that the selinux tools read from both
> directories, and data from /var, when in doubt, overrides the one from /usr?

Right now, we just adopt the new upstream release, which doesn't support
more locations for the SELinux store.

> The reason I am asking for this: with the stateless system logic we in the
> systemd project and the Atomic folks work on, we kinda want to ensure that
> /var only contains data that can be reconstructed at boot if necessary, and
> is hence unessential. This is useful to implement stateless systems and
> factory reset operations, where /var is empty on every boot or /var is
> simply flushed out at times. Hence: vendor data that stays static should
> stay in /usr please, and only local changes should end up in /var.

This kind of system setup seems reasonable and we'll try to work on it for
future upstream and Fedora releases.

> (Note though that we never asked Fedora formally to support a scheme like
> this, hence what Atomic and we have in mind there is in no way a Fedora
> goal so far, but it would be nice to support this anyway...)

Thanks for your comments,

Petr

--
Petr Lautrbach
Re: F23 System Wide Change: SELinux policy store migration
Could all of this be done with links? I.e. could you install
selinux-policy into

/usr/share/selinux/TARGETED/base/*.pp
/usr/share/selinux/TARGETED/custom/*.pp

Then we reassemble these modules with custom modules in
/var/lib/selinux/TARGETED/ supplied by administrators?

On 06/15/2015 05:15 AM, Petr Lautrbach wrote:
> On 13.6.2015 at 19:07 Lennart Poettering wrote:
>> On Fri, 12.06.15 19:00, Miroslav Grepl (mgr...@redhat.com) wrote:
>>> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
>>>> On Thu, 11.06.15 06:51, Jan Kurik (jku...@redhat.com) wrote:
>>>>> = Proposed System Wide Change: SELinux policy store migration =
>>>>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>>>
>>>> I cannot make sense of this with my limited selinux knowledge, could
>>>> you please elaborate on this on the changes page for people like me
>>>> who only have a superficial understanding of selinux?
>>>
>>> Yeap, we are working on it.
>>>
>>> Basically the binary policy file (/etc/selinux/targeted/policy/policy.29)
>>> loaded into the kernel is built from SELinux policy modules. These modules
>>> are currently located in /etc/selinux/targeted/modules and we call it a
>>> module store. This store is now moved to /var/lib/selinux/targeted/modules.
>>> This only affects tools like semanage and semodule, which are used for
>>> policy manipulation. So we are able to boot without /var also from the
>>> SELinux point of view.
>>
>> Why /var and not /usr? If these module files are shipped with RPMs as
>> vendor versions they belong in /usr, no? What makes this appropriate for
>> moving them to /var?
>
> Albeit modules are shipped with RPM, SELinux tools (semanage, semodule)
> work on this storage to make intended changes. When you enable or disable
> modules, when you install modules, when you do changes in SELinux users,
> logins and booleans, it's done in the SELinux store.
>
> Petr
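Lennart's request earlier in the thread (vendor modules stay static in /usr, only admin changes land in /var, and /var wins on a clash) and the /usr/share/selinux/TARGETED layout proposed in this message describe a lookup rule, not a tool that exists: as Petr notes, the upstream release under discussion supports a single store location. The script below is an added illustration of that rule, written for this page; it is not code from the thread or from the SELinux userspace. `list_modules`, `resolve_modules` and `build_demo_tree` are assumed helper names, and the `.pp` files it creates for its demo are one-line placeholders, not compiled policy modules.

```shell
#!/bin/sh
# Added illustration of the "/usr vendor + /var local, local wins" lookup
# discussed in the thread.  Not the semodule/semanage implementation; the
# helper names are assumptions made for this example.

# list_modules RANK DIR
# Emit "RANK<TAB>name<TAB>path" for each *.pp file in DIR (rank 0 = local
# store, rank 1 = vendor tree).  Missing or empty directories emit nothing.
list_modules() {
    rank="$1"; dir="$2"
    for f in "$dir"/*.pp; do
        [ -e "$f" ] || continue          # unmatched glob: no modules here
        printf '%s\t%s\t%s\n' "$rank" "$(basename "$f" .pp)" "$f"
    done
}

# resolve_modules LOCAL_DIR VENDOR_DIR...
# Print "name<TAB>path" for the effective module set, sorted by name.
# A module that exists in LOCAL_DIR shadows a vendor copy of the same
# name; everything else comes from the vendor trees untouched.
resolve_modules() {
    local_dir="$1"; shift
    # The local store is reconstructable state: if /var came up empty,
    # an empty directory simply yields the pristine vendor set.
    mkdir -p "$local_dir"
    tab="$(printf '\t')"
    {
        list_modules 0 "$local_dir"
        for d in "$@"; do list_modules 1 "$d"; done
    } | sort -t "$tab" -k2,2 -k1,1n | awk -F'\t' '
        # rows are grouped by name with the local (rank 0) row first,
        # so the first row seen for each name is the winner
        !seen[$2]++ { print $2 "\t" $3 }'
}

# build_demo_tree ROOT
# Construct a sample layout under ROOT for the demo (constructed data:
# the .pp files are one-line text placeholders, not compiled policy).
build_demo_tree() {
    root="$1"
    mkdir -p "$root/usr/share/selinux/targeted/base" \
             "$root/usr/share/selinux/targeted/custom" \
             "$root/var/lib/selinux/targeted"
    printf 'vendor apache\n' > "$root/usr/share/selinux/targeted/base/apache.pp"
    printf 'vendor sshd\n'   > "$root/usr/share/selinux/targeted/base/sshd.pp"
    printf 'vendor myapp\n'  > "$root/usr/share/selinux/targeted/custom/myapp.pp"
    printf 'admin apache\n'  > "$root/var/lib/selinux/targeted/apache.pp"
}

# Stand-alone demo: build the tree in a temporary root, print the
# resolved set (apache from /var, myapp and sshd from /usr), clean up.
demo_root="$(mktemp -d)"
build_demo_tree "$demo_root"
resolve_modules "$demo_root/var/lib/selinux/targeted" \
                "$demo_root/usr/share/selinux/targeted/base" \
                "$demo_root/usr/share/selinux/targeted/custom"
rm -rf "$demo_root"
```

The ordering trick is the whole design: every candidate is tagged with a rank before sorting, so precedence is decided by data rather than by branching, and adding a third tier (for example a site-wide tree between vendor and local) is a matter of emitting one more rank. Because the local directory is created on demand and contributes nothing when empty, a flushed /var degrades to the vendor set rather than to a failure.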
Re: F23 System Wide Change: SELinux policy store migration
On Fri, 12.06.15 19:00, Miroslav Grepl (mgr...@redhat.com) wrote:
> On 06/12/2015 12:17 PM, Lennart Poettering wrote:
>> On Thu, 11.06.15 06:51, Jan Kurik (jku...@redhat.com) wrote:
>>> = Proposed System Wide Change: SELinux policy store migration =
>>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>
>> I cannot make sense of this with my limited selinux knowledge, could
>> you please elaborate on this on the changes page for people like me
>> who only have a superficial understanding of selinux?
>
> Yeap, we are working on it.
>
> Basically the binary policy file (/etc/selinux/targeted/policy/policy.29)
> loaded into the kernel is built from SELinux policy modules. These modules
> are currently located in /etc/selinux/targeted/modules and we call it a
> module store. This store is now moved to /var/lib/selinux/targeted/modules.
> This only affects tools like semanage and semodule, which are used for
> policy manipulation. So we are able to boot without /var also from the
> SELinux point of view.

Why /var and not /usr? If these module files are shipped with RPMs as
vendor versions they belong in /usr, no? What makes this appropriate for
moving them to /var?

Lennart

--
Lennart Poettering, Red Hat
Re: F23 System Wide Change: SELinux policy store migration
On Thu, 11.06.15 06:51, Jan Kurik (jku...@redhat.com) wrote:
> = Proposed System Wide Change: SELinux policy store migration =
> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration

I cannot make sense of this with my limited selinux knowledge, could you
please elaborate on this on the changes page for people like me who only
have a superficial understanding of selinux?

For example:

What is the policy store? Is that the compiled policy blob uploaded into
the kernel? And if not, what is it?

We support /var being split off and mounted only very late at boot. Is
that a problem for this proposal, and if not, why not?

Does this require changes in systemd? Does this require changes anywhere
in the core OS, outside of selinux' own userspace?

And so on...

Lennart

--
Lennart Poettering, Red Hat
Re: F23 System Wide Change: SELinux policy store migration
On 06/12/2015 12:17 PM, Lennart Poettering wrote:
> On Thu, 11.06.15 06:51, Jan Kurik (jku...@redhat.com) wrote:
>> = Proposed System Wide Change: SELinux policy store migration =
>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>
> I cannot make sense of this with my limited selinux knowledge, could you
> please elaborate on this on the changes page for people like me who only
> have a superficial understanding of selinux?

Yeap, we are working on it.

Basically the binary policy file (/etc/selinux/targeted/policy/policy.29)
loaded into the kernel is built from SELinux policy modules. These modules
are currently located in /etc/selinux/targeted/modules and we call it a
module store. This store is now moved to /var/lib/selinux/targeted/modules.
This only affects tools like semanage and semodule, which are used for
policy manipulation. So we are able to boot without /var also from the
SELinux point of view.

Thanks,
Mirek

> For example:
>
> What is the policy store? Is that the compiled policy blob uploaded into
> the kernel? And if not, what is it?
>
> We support /var being split off and mounted only very late at boot. Is
> that a problem for this proposal, and if not, why not?
>
> Does this require changes in systemd? Does this require changes anywhere
> in the core OS, outside of selinux' own userspace?
>
> And so on...
>
> Lennart

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
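Mirek's answer above gives the two facts a practitioner wants to verify on a migrated host: the kernel still loads the compiled policy.NN file from under /etc/selinux/<type>/policy, while the module store moves from /etc/selinux/<type>/modules to /var/lib/selinux/<type>/modules. The script below is an added audit of exactly those paths against a chosen root; it is not code from the thread or from the selinux-policy packaging. `store_layout`, `loaded_policy`, `audit_store` and `build_sample_root` are assumed names, and the tree it builds for its demo is constructed (empty placeholder files, not real policy blobs).

```shell
#!/bin/sh
# Added audit script (not from the thread): report which policy store layout
# a root carries and which compiled policy file the kernel would load, using
# only the paths named in the discussion.  ROOT is a parameter so the check
# can run against /, a chroot, or a constructed tree.

# store_layout ROOT TYPE -> prints one of: legacy | migrated | both | none
#   legacy   : ROOT/etc/selinux/TYPE/modules exists (store before the change)
#   migrated : ROOT/var/lib/selinux/TYPE/modules exists (store after it)
#   both     : both trees exist, e.g. a stale copy left behind after migrating
store_layout() {
    root="${1%/}"; type="$2"
    old="$root/etc/selinux/$type/modules"
    new="$root/var/lib/selinux/$type/modules"
    if [ -d "$old" ] && [ -d "$new" ]; then echo both
    elif [ -d "$old" ]; then echo legacy
    elif [ -d "$new" ]; then echo migrated
    else echo none
    fi
}

# loaded_policy ROOT TYPE -> prints the highest-numbered policy.NN under
# ROOT/etc/selinux/TYPE/policy (the binary loaded into the kernel), or
# prints nothing and returns 1 if there is none.  Because this lives in
# /etc, policy load at boot does not depend on /var being mounted.
loaded_policy() {
    root="${1%/}"; type="$2"
    best=""; bestver=-1
    for f in "$root/etc/selinux/$type/policy"/policy.*; do
        [ -e "$f" ] || continue
        ver="${f##*.}"
        case "$ver" in *[!0-9]*|"") continue ;; esac   # skip non-numeric suffixes
        if [ "$ver" -gt "$bestver" ]; then bestver="$ver"; best="$f"; fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# audit_store ROOT TYPE -> human-readable summary, one finding per line
audit_store() {
    root="$1"; type="$2"
    layout="$(store_layout "$root" "$type")"
    echo "store layout: $layout"
    case "$layout" in
        both) echo "warning: old store under /etc still present next to the new one under /var" ;;
        none) echo "warning: no module store found; policy cannot be rebuilt from modules" ;;
    esac
    if pol="$(loaded_policy "$root" "$type")"; then
        echo "kernel policy: $pol (under /etc, independent of /var)"
    else
        echo "warning: no compiled policy under /etc/selinux/$type/policy"
    fi
}

# build_sample_root ROOT: constructed tree that mimics a host in mid-migration
build_sample_root() {
    root="$1"
    mkdir -p "$root/etc/selinux/targeted/modules" \
             "$root/etc/selinux/targeted/policy" \
             "$root/var/lib/selinux/targeted/modules"
    : > "$root/etc/selinux/targeted/policy/policy.28"   # placeholders, not real policy blobs
    : > "$root/etc/selinux/targeted/policy/policy.29"
}

# Stand-alone demo against a temporary root, then clean up.
sample="$(mktemp -d)"
build_sample_root "$sample"
audit_store "$sample" targeted
rm -rf "$sample"
```

Run against a live host as `audit_store / targeted`; the useful finding is the `both` case, where a forgotten /etc/selinux/targeted/modules tree can mislead anyone who still expects admin changes to be recorded there.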
Re: F23 System Wide Change: SELinux policy store migration
On 11.6.2015 at 14:42 Colin Walters wrote:
> On Thu, Jun 11, 2015, at 06:51 AM, Jan Kurik wrote:
>> = Proposed System Wide Change: SELinux policy store migration =
>> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>>
>> Change owner(s):
>> * Petr Lautrbach plautrba at redhat dot com
>> * Miroslav Grepl mgrepl at redhat dot com
>>
>> The newest SELinux userspace project release 2015-02-02 includes a change
>> of the location of the SELinux policy store, which defaults to
>> /var/lib/selinux/.
>
> This will need to support having an empty /var on boot in order to be
> compatible with both rpm-ostree and the systemd factory reset work. For
> most of user space, the simplest implementation of this is to just have a
> systemd-tmpfiles unit that copies data on startup. But policy is currently
> loaded very early after switch root. This will require that /var be
> mounted too.

Actually, the policy will still be loaded from /etc/selinux/. The migration
will affect the policy store, which is used for rebuilding policy from
modules and from other local changes. So a system could boot with an empty
/var if it's needed. However, we'll probably need to provide
systemd-tmpfiles units in each selinux-policy-* subpackage to create the
necessary directory structure.

> It will also mean rpm-ostree rollbacks by default won't affect the selinux
> policy, which is a major and unfortunate change.
>
> The listed benefit is:
>
>> -moving the policy store out of /etc user could easily get back Factory
>> setup by removing a directory out of /etc

The sub part is not listed anymore. And it's not even true.

> Note that OSTree provides that today - all the /etc defaults are copied
> into /usr/etc, so at any point you can easily reset things. (This is
> different from the systemd effort for an empty /etc).
>
> It seems far simpler to just keep things in /etc, but teach the tools to
> read /usr. Then *only if* I create a custom local policy, my changes are
> tracked in /etc, and the local compiled policy file lives there too.

Thanks for your comments,

Petr

--
Petr Lautrbach
Re: F23 System Wide Change: SELinux policy store migration
On 06/11/2015 03:26 PM, Matthew Miller wrote:
> On Thu, Jun 11, 2015 at 06:51:52AM -0400, Jan Kurik wrote:
>> In the SELinux userspace project release 2015-02-02, the SELinux policy
>> store was moved from /etc/selinux/store/modules/ to /var/lib/selinux/store/.
>
> The change page notes performance improvements. Can these be quantified?
> At the very least, that kind of stuff is very useful for marketing.

Yes, I agree it is very useful. It relates to CIL directly and it is a part
of the policy store migration change. There are data coming from SELinux
Userspace upstream obtained on F20 and F21 policy. For example, we should
do a better job for bugs like

https://bugzilla.redhat.com/show_bug.cgi?id=1098446

I will attach an upstream discussion related to this topic. And of course we
want to get real results/numbers once it is a part of rawhide by default.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
Re: F23 System Wide Change: SELinux policy store migration
On Thu, Jun 11, 2015 at 06:51:52AM -0400, Jan Kurik wrote:
> In the SELinux userspace project release 2015-02-02, the SELinux policy
> store was moved from /etc/selinux/store/modules/ to /var/lib/selinux/store/.

The change page notes performance improvements. Can these be quantified? At
the very least, that kind of stuff is very useful for marketing.

--
Matthew Miller
mat...@fedoraproject.org
Fedora Project Leader
Re: F23 System Wide Change: SELinux policy store migration
On Thu, Jun 11, 2015, at 06:51 AM, Jan Kurik wrote:
> = Proposed System Wide Change: SELinux policy store migration =
> https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
>
> Change owner(s):
> * Petr Lautrbach plautrba at redhat dot com
> * Miroslav Grepl mgrepl at redhat dot com
>
> The newest SELinux userspace project release 2015-02-02 includes a change
> of the location of the SELinux policy store, which defaults to
> /var/lib/selinux/.

This will need to support having an empty /var on boot in order to be
compatible with both rpm-ostree and the systemd factory reset work. For
most of user space, the simplest implementation of this is to just have a
systemd-tmpfiles unit that copies data on startup. But policy is currently
loaded very early after switch root. This will require that /var be
mounted too.

It will also mean rpm-ostree rollbacks by default won't affect the selinux
policy, which is a major and unfortunate change.

The listed benefit is:

> -moving the policy store out of /etc user could easily get back Factory
> setup by removing a directory out of /etc

Note that OSTree provides that today - all the /etc defaults are copied
into /usr/etc, so at any point you can easily reset things. (This is
different from the systemd effort for an empty /etc).

It seems far simpler to just keep things in /etc, but teach the tools to
read /usr. Then *only if* I create a custom local policy, my changes are
tracked in /etc, and the local compiled policy file lives there too.