On 01/14/2016 04:37 PM, Jan Pazdziora wrote: > On Thu, Jan 14, 2016 at 04:05:23PM +0100, Miroslav Grepl wrote: >> Hi folks, >> currently yes. Users are not able to manage the SELinux policy on Atomic >> Hosts because of SELinux policy module store located in /var/lib/selinux >> and there are no files in this directory after factory reset. >> >> See https://bugzilla.redhat.com/show_bug.cgi?id=1290659 for more details. >> >> What is a core problem? >> >> Atomic uses RPM-OSTree with empty /var after factory reset. It means > > You mean after running > > ostree reset > > ? Does it purge /var but not /etc? > >> that there are no policy modules stored in /var/lib/selinux. >> >> What does it mean? >> >> Failing SELinux tools like semanage/semodule if a user tries to >> manage/change the SELinux policy. >> >> https://github.com/cockpit-project/cockpit/issues/3326#issuecomment-166414809 >> >> How could we solve it? >> >> We introduced a new selinux-policy-atomic package with policy module >> store moved back to /etc. It needs to be installed together with two >> changes in configuration files - /etc/selinux/config and >> /etc/selinux/semanage.conf >> >> Our proposed solution is that Atomic would be composed with >> selinux-policy-atomic instead of selinux-policy-targeted and with >> changed configuration files. > > Can't semanage/semodule work with a stock (read-only) version in /usr, > copying things to /var/lib when needed? Having binary content in /etc > does not sound too nice. > SELinux modules store had been in /etc/selinux since it's beginning. The stored was moved to /var/lib/selinux in Fedora 23 resp in SELinux Project release release 2015-02-02. selinux-policy-atomic moves it back as a workaround of the problem with empty /var when RPM-OStree is used. As it's simple to implement and we already have builds, it's a way to solve this problem in near future. The read-only store in /usr would mean either to duplicate files from /usr/ to /var on boot; or a non-trivial change in SELinux user space tools which is probably doable but we don't have any implementation or proposal of it yet and we need it to be accepted and reviewed by SELinux project upstream first. Petr -- Petr Lautrbach
Attachment:
signature.asc
Description: OpenPGP digital signature