[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [atomic-devel] Not manageable SELinux policy on Atomic Hosts?



On 01/14/2016 04:37 PM, Jan Pazdziora wrote:
> On Thu, Jan 14, 2016 at 04:05:23PM +0100, Miroslav Grepl wrote:
>> Hi folks,
>> currently yes. Users are not able to manage the SELinux policy on Atomic
>> Hosts because of SELinux policy module store located in /var/lib/selinux
>> and there are no files in this directory after factory reset.
>>
>> See https://bugzilla.redhat.com/show_bug.cgi?id=1290659 for more details.
>>
>> What is a core problem?
>>
>> Atomic uses RPM-OSTree with empty /var after factory reset. It means
> 
> You mean after running
> 
> 	ostree reset
> 
> ? Does it purge /var but not /etc?
> 
>> that there are no policy modules stored in /var/lib/selinux.
>>
>> What does it mean?
>>
>> Failing SELinux tools like semanage/semodule if a user tries to
>> manage/change the SELinux policy.
>>
>> https://github.com/cockpit-project/cockpit/issues/3326#issuecomment-166414809
>>
>> How could we solve it?
>>
>> We introduced a new selinux-policy-atomic package with policy module
>> store moved back to /etc. It needs to be installed together with two
>> changes in configuration files - /etc/selinux/config and
>> /etc/selinux/semanage.conf
>>
>> Our proposed solution is that Atomic would be composed with
>> selinux-policy-atomic instead of selinux-policy-targeted and with
>> changed configuration files.
> 
> Can't semanage/semodule work with a stock (read-only) version in /usr,
> copying things to /var/lib when needed? Having binary content in /etc
> does not sound too nice.
> 

SELinux modules store had been in /etc/selinux since it's beginning. The
stored was moved to /var/lib/selinux in Fedora 23 resp in SELinux
Project release release 2015-02-02. selinux-policy-atomic moves it back
as a workaround of the problem with empty /var when RPM-OStree is used.
As it's simple to implement and we already have builds, it's a way to
solve this problem in near future.

The read-only store in /usr would mean either to duplicate files from
/usr/ to /var on boot; or a non-trivial change in SELinux user space
tools which is probably doable but we don't have any implementation or
proposal of it yet and we need it to be accepted and reviewed by SELinux
project upstream first.

Petr
-- 
Petr Lautrbach


Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]