
[atomic-devel] Not manageable SELinux policy on Atomic Hosts?



Hi folks,
currently yes. Users are not able to manage the SELinux policy on Atomic
Hosts because the SELinux policy module store is located in /var/lib/selinux
and there are no files in this directory after a factory reset.

See https://bugzilla.redhat.com/show_bug.cgi?id=1290659 for more details.

What is the core problem?

Atomic uses RPM-OSTree with an empty /var after a factory reset. It means
that there are no policy modules stored in /var/lib/selinux.

What does it mean?

SELinux tools like semanage/semodule fail if a user tries to
manage/change the SELinux policy.

https://github.com/cockpit-project/cockpit/issues/3326#issuecomment-166414809

How could we solve it?

We introduced a new selinux-policy-atomic package with the policy module
store moved back to /etc. It needs to be installed together with two
changes in configuration files: /etc/selinux/config and
/etc/selinux/semanage.conf

Our proposed solution is that Atomic would be composed with
selinux-policy-atomic instead of selinux-policy-targeted and with
changed configuration files.

Does it make sense to you?

Thank you.

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
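The following shell script is an added illustration of the failure mode the mail describes; it is not part of the original message or of the selinux-policy packages. It derives where libsemanage will look for the policy module store from the two configuration files mentioned above and reports whether that directory is populated, empty (the post-factory-reset state of /var) or missing. It assumes the `store-root` directive of semanage.conf (default /var/lib/selinux), the `SELINUXTYPE` key of /etc/selinux/config, and the `<store-root>/<type>/active/modules` store layout used by libsemanage 2.4 and later; the configuration texts and the temporary directory tree it checks are constructed samples, not files read from a real host.

```shell
#!/bin/sh
# Added example (not from the original mail or the selinux-policy project).
# Work out the effective SELinux module store path from semanage.conf and
# /etc/selinux/config, then check whether that store holds any modules.

# conf_value KEY CONFIG_TEXT: print the value of "KEY = value" (last one wins),
# ignoring '#' comments. Prints nothing when the key is absent.
conf_value() {
    printf '%s\n' "$2" \
      | sed -e 's/#.*//' \
      | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" \
      | tail -n 1
}

# store_path SEMANAGE_CONF SELINUX_CONFIG: <store-root>/<SELINUXTYPE>/active/modules
# Defaults (store-root /var/lib/selinux, type targeted) follow libsemanage/selinux-policy.
store_path() {
    root=$(conf_value store-root "$1")
    type=$(conf_value SELINUXTYPE "$2")
    printf '%s/%s/active/modules\n' "${root:-/var/lib/selinux}" "${type:-targeted}"
}

# store_state DIR: "populated", "empty" or "missing"
store_state() {
    if [ ! -d "$1" ]; then
        echo missing
    elif [ -n "$(ls -A "$1" 2>/dev/null)" ]; then
        echo populated
    else
        echo empty
    fi
}

# Constructed sample: semanage.conf as shipped, store-root left at its default.
DEFAULT_SEMANAGE_CONF='module-store = direct
# store-root = /var/lib/selinux'

# Constructed sample: semanage.conf with the store moved back under /etc,
# the change the mail describes for selinux-policy-atomic (assumed syntax).
ATOMIC_SEMANAGE_CONF='module-store = direct
store-root = /etc/selinux'

# Constructed sample /etc/selinux/config.
SELINUX_CONFIG='SELINUX=enforcing
SELINUXTYPE=targeted'

# demo: simulate an Atomic host after factory reset inside a temp dir:
# /etc (and a store under it) survives, /var/lib/selinux exists but is empty.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/selinux/targeted/active/modules" "$tmp/var/lib/selinux"
    : > "$tmp/etc/selinux/targeted/active/modules/100"   # placeholder module dir entry
    for conf in "$DEFAULT_SEMANAGE_CONF" "$ATOMIC_SEMANAGE_CONF"; do
        p=$(store_path "$conf" "$SELINUX_CONFIG")
        printf '%s: %s\n' "$p" "$(store_state "$tmp$p")"
    done
    rm -rf "$tmp"
}
demo
```

With the default semanage.conf the script resolves the store to /var/lib/selinux/targeted/active/modules, which is exactly the path that is absent after a factory reset and that makes semanage/semodule fail; with `store-root = /etc/selinux` the same check lands on the /etc copy that RPM-OSTree preserves.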
