[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [atomic-devel] Not manageable SELinux policy on Atomic Hosts?




On 01/14/2016 10:58 AM, Petr Lautrbach wrote:
> On 01/14/2016 04:37 PM, Jan Pazdziora wrote:
>> On Thu, Jan 14, 2016 at 04:05:23PM +0100, Miroslav Grepl wrote:
>>> Hi folks,
>>> currently yes. Users are not able to manage the SELinux policy on Atomic
>>> Hosts because of SELinux policy module store located in /var/lib/selinux
>>> and there are no files in this directory after factory reset.
>>>
>>> See https://bugzilla.redhat.com/show_bug.cgi?id=1290659 for more details.
>>>
>>> What is a core problem?
>>>
>>> Atomic uses RPM-OSTree with empty /var after factory reset. It means
>> You mean after running
>>
>> 	ostree reset
>>
>> ? Does it purge /var but not /etc?
>>
>>> that there are no policy modules stored in /var/lib/selinux.
>>>
>>> What does it mean?
>>>
>>> Failing SELinux tools like semanage/semodule if a user tries to
>>> manage/change the SELinux policy.
>>>
>>> https://github.com/cockpit-project/cockpit/issues/3326#issuecomment-166414809
>>>
>>> How could we solve it?
>>>
>>> We introduced a new selinux-policy-atomic package with policy module
>>> store moved back to /etc. It needs to be installed together with two
>>> changes in configuration files - /etc/selinux/config and
>>> /etc/selinux/semanage.conf
>>>
>>> Our proposed solution is that Atomic would be composed with
>>> selinux-policy-atomic instead of selinux-policy-targeted and with
>>> changed configuration files.
>> Can't semanage/semodule work with a stock (read-only) version in /usr,
>> copying things to /var/lib when needed? Having binary content in /etc
>> does not sound too nice.
>>
> The SELinux module store had been in /etc/selinux since its beginning. The
> store was moved to /var/lib/selinux in Fedora 23, resp. in the SELinux
> Project release of 2015-02-02. selinux-policy-atomic moves it back
> as a workaround of the problem with empty /var when RPM-OSTree is used.
> As it's simple to implement and we already have builds, it's a way to
> solve this problem in the near future.
>
> The read-only store in /usr would mean either to duplicate files from
> /usr/ to /var on boot; or a non-trivial change in SELinux user space
> tools which is probably doable but we don't have any implementation or
> proposal of it yet and we need it to be accepted and reviewed by SELinux
> project upstream first.
>
> Petr
I think doing a design where content would be searched first in
/var/lib/selinux and then fall back to /usr/lib/selinux would be a good
compromise solution. This would make it easy for users to be able to get
back to the default policy.

rm -rf /var/lib/selinux; load_policy
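The lookup order proposed in this reply (configured store root first, read-only fallback second), as an added example that is not code from the thread or from the SELinux project. It reads the store root from a semanage.conf using the real `store-root` key (libsemanage 2.4 and later; it defaults to /var/lib/selinux when the key is absent), then checks each candidate for an `active/modules` directory, which is where the module store keeps its content. The /usr/lib/selinux fallback is the hypothetical read-only location from the proposal, so the demo builds its fixture under a temporary directory rather than touching the real host. The same check is useful on its own: running it before semanage or semodule tells an admin whether a factory-reset host still has a populated store or whether those tools are about to fail.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of libsemanage.
# Assumptions: semanage.conf uses the "store-root" key; the fallback
# directory passed as the second argument is the proposed read-only
# /usr/lib/selinux, which may not exist on a real host.

# store_root CONF: print the configured store-root, defaulting to
# /var/lib/selinux when CONF is missing or has no store-root line.
store_root() {
    conf="$1"
    root=$(sed -n 's/^[[:space:]]*store-root[[:space:]]*=[[:space:]]*//p' "$conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${root:-/var/lib/selinux}"
}

# resolve_store ROOT FALLBACK POLICY: print the first base directory that
# holds a module store for POLICY (e.g. "targeted"), trying ROOT before
# FALLBACK; print nothing and return 1 when neither has one.
resolve_store() {
    for base in "$1" "$2"; do
        if [ -d "$base/$3/active/modules" ]; then
            printf '%s\n' "$base/$3"
            return 0
        fi
    done
    return 1
}

# demo: constructed fixture modelling a host after factory reset, where the
# configured store root exists but is empty and the read-only fallback
# carries the modules.
demo() {
    work=$(mktemp -d)
    printf 'store-root = %s/var/lib/selinux\n' "$work" > "$work/semanage.conf"
    mkdir -p "$work/var/lib/selinux"
    mkdir -p "$work/usr/lib/selinux/targeted/active/modules"
    cfg_root=$(store_root "$work/semanage.conf")
    if store=$(resolve_store "$cfg_root" "$work/usr/lib/selinux" targeted); then
        echo "module store resolved to: $store"
    else
        echo "no module store found; semanage/semodule would fail here"
    fi
    rm -rf "$work"
}

demo
```

Running it prints the fallback path for the fixture; pointing `resolve_store` at the real /var/lib/selinux with no fallback gives the failing case the thread describes, because /var is empty after the reset and /usr/lib/selinux does not exist on a stock host.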


