[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [atomic-devel] Not manageable SELinux policy on Atomic Hosts?



On Thu, Jan 14, 2016 at 04:05:23PM +0100, Miroslav Grepl wrote:
> Hi folks,
> currently yes. Users are not able to manage the SELinux policy on Atomic
> Hosts because the SELinux policy module store is located in /var/lib/selinux
> and there are no files in this directory after a factory reset.
> 
> See https://bugzilla.redhat.com/show_bug.cgi?id=1290659 for more details.
> 
> What is the core problem?
> 
> Atomic uses RPM-OSTree with empty /var after factory reset. It means

You mean after running

	ostree reset

? Does it purge /var but not /etc?

> that there are no policy modules stored in /var/lib/selinux.
> 
> What does it mean?
> 
> SELinux tools like semanage/semodule fail if a user tries to
> manage/change the SELinux policy.
> 
> https://github.com/cockpit-project/cockpit/issues/3326#issuecomment-166414809
> 
> How could we solve it?
> 
> We introduced a new selinux-policy-atomic package with policy module
> store moved back to /etc. It needs to be installed together with two
> changes in configuration files - /etc/selinux/config and
> /etc/selinux/semanage.conf
> 
> Our proposed solution is that Atomic would be composed with
> selinux-policy-atomic instead of selinux-policy-targeted and with
> changed configuration files.

Can't semanage/semodule work with a stock (read-only) version in /usr,
copying things to /var/lib when needed? Having binary content in /etc
does not sound too nice.

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
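The failure mode discussed above (libsemanage looking for its module store under a store root that is empty after the reset) can be checked without running semanage at all. The script below is an added example and is not code from the thread, from selinux-policy-atomic or from libsemanage: it reads the SELINUXTYPE from /etc/selinux/config, the store-root from /etc/selinux/semanage.conf, and reports whether the resulting module store directory is missing, empty or populated. The sample config contents are constructed here; the store layout `<store-root>/<type>/active/modules` and the `/var/lib/selinux` fallback are assumptions about libsemanage defaults, as is the simulated directory tree.

```shell
#!/bin/sh
# Added example, not part of the thread: locate the SELinux policy module
# store from the two config files the thread mentions and report its state.

selinux_type() {   # $1 = text of /etc/selinux/config; prints the SELINUXTYPE value
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' | tail -n1
}

store_root() {     # $1 = text of semanage.conf; falls back to the assumed libsemanage default
    r=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*store-root[[:space:]]*=[[:space:]]*//p' | tail -n1)
    printf '%s\n' "${r:-/var/lib/selinux}"
}

module_store_dir() {   # $1 = store root, $2 = policy type (assumed layout)
    printf '%s/%s/active/modules\n' "$1" "$2"
}

check_store() {    # $1 = directory; prints missing, empty or populated
    if [ ! -d "$1" ]; then
        echo missing
    elif [ -n "$(ls -A "$1")" ]; then
        echo populated
    else
        echo empty
    fi
}

diagnose() {       # $1 = root prefix ("" for the live host), $2 = config text, $3 = semanage.conf text
    ptype=$(selinux_type "$2")
    dir=$(module_store_dir "$(store_root "$3")" "$ptype")
    printf '%s %s\n' "$dir" "$(check_store "$1$dir")"
}

# Constructed sample configs: a stock host with the store under /var, and the
# proposed Atomic variant with the store moved back under /etc.
STOCK_CONFIG='SELINUX=enforcing
SELINUXTYPE=targeted'
STOCK_SEMANAGE='module-store = direct
store-root = /var/lib/selinux'
ATOMIC_SEMANAGE='module-store = direct
store-root = /etc/selinux'

# Simulate a host after a factory reset: modules shipped under /etc are still
# there, but /var was recreated empty.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/selinux/targeted/active/modules/100/base"
mkdir -p "$demo_root/var/lib/selinux/targeted/active/modules"
echo "stock store:  $(diagnose "$demo_root" "$STOCK_CONFIG" "$STOCK_SEMANAGE")"
echo "atomic store: $(diagnose "$demo_root" "$STOCK_CONFIG" "$ATOMIC_SEMANAGE")"
rm -rf "$demo_root"
```

On a real host, call `diagnose "" "$(cat /etc/selinux/config)" "$(cat /etc/selinux/semanage.conf)"`; a `missing` or `empty` result is the condition under which semanage/semodule fail as described in the thread.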

