[atomic-devel] Not manageable SELinux policy on Atomic Hosts?
- From: Miroslav Grepl <mgrepl redhat com>
- To: atomic-devel projectatomic io
- Cc: Petr Lautrbach <plautrba redhat com>
- Subject: [atomic-devel] Not manageable SELinux policy on Atomic Hosts?
- Date: Thu, 14 Jan 2016 16:05:23 +0100
Hi folks,

Currently yes. Users are not able to manage the SELinux policy on Atomic
Hosts because the SELinux policy module store is located in /var/lib/selinux
and there are no files in this directory after a factory reset.

See https://bugzilla.redhat.com/show_bug.cgi?id=1290659 for more details.

What is the core problem?

Atomic uses RPM-OSTree with an empty /var after a factory reset. It means
that there are no policy modules stored in /var/lib/selinux.

What does it mean?

Failing SELinux tools like semanage/semodule if a user tries to
manage/change the SELinux policy.

https://github.com/cockpit-project/cockpit/issues/3326#issuecomment-166414809

How could we solve it?

We introduced a new selinux-policy-atomic package with the policy module
store moved back to /etc. It needs to be installed together with two
changes in configuration files - /etc/selinux/config and
/etc/selinux/semanage.conf

Our proposed solution is that Atomic would be composed with
selinux-policy-atomic instead of selinux-policy-targeted and with
changed configuration files.

Does it make sense to you?

Thank you.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
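
Added example (not part of the original message and not code from the selinux-policy packages): a shell check for the condition described above, an empty module store behind semanage/semodule. It assumes the store location comes from the `store-root` directive of semanage.conf (default /var/lib/selinux) and the policy name from SELINUXTYPE in /etc/selinux/config; the ROOT prefix argument is a hypothetical convenience for inspecting an unpacked tree.

```shell
#!/bin/sh
# Added example: report whether the SELinux module store that libsemanage
# would use is populated. All paths are resolved under an optional ROOT prefix.

# Print the last value assigned to KEY in a "KEY = value" style file.
conf_value() {  # usage: conf_value FILE KEY
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" \
        | tail -n 1
}

# Resolve <ROOT><store-root>/<SELINUXTYPE>, falling back to the defaults.
store_dir() {  # usage: store_dir ROOT
    root=${1:-}
    store_root=$(conf_value "$root/etc/selinux/semanage.conf" store-root)
    policy=$(conf_value "$root/etc/selinux/config" SELINUXTYPE)
    printf '%s%s/%s\n' "$root" "${store_root:-/var/lib/selinux}" "${policy:-targeted}"
}

# Return 0 if active/modules/<priority>/<module> exists at least once.
store_populated() {  # usage: store_populated ROOT
    dir=$(store_dir "$1")/active/modules
    for m in "$dir"/*/*; do
        [ -d "$m" ] && return 0
    done
    return 1
}

# Print a one-line verdict; non-zero exit status when the store is empty.
check_store() {  # usage: check_store ROOT
    if store_populated "$1"; then
        echo "OK: module store $(store_dir "$1") is populated"
    else
        echo "EMPTY: no modules in $(store_dir "$1"); semanage/semodule cannot manage policy"
        return 1
    fi
}

# Run only when asked, e.g. "sh check-store.sh --check" for the live system.
if [ "${1:-}" = "--check" ]; then
    check_store "${2:-}"
fi
```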