From Fedora Project Wiki
No edit summary
No edit summary
Line 78: Line 78:
** prepare a migration script for users modifications and modules
** prepare a migration script for users modifications and modules


* Other developers: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
** Check if their packages contains SELinux modules and put them in the correct place /usr/share/selinux/packages
** Check if their packages contains SELinux modules and put them in the correct place /usr/share/selinux/packages
** Check if their SELinux modules are compatible with the new SELinux userspace and are convertible to CIL language
** Check if their SELinux modules are compatible with the new SELinux userspace and are convertible to CIL language
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


* Release engineering: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Release engineering:  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuid required?  If a rel-eng ticket exists, add a link here.  
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuid required?  If a rel-eng ticket exists, add a link here.  
Please work with releng prior to feature submission, and ensure that someone is on board to do any process development work and testing; don't just assume that a bullet point in a change puts someone else on the hook  -->
Please work with releng prior to feature submission, and ensure that someone is on board to do any process development work and testing; don't just assume that a bullet point in a change puts someone else on the hook  -->


* Policies and guidelines: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Policies and guidelines:there's no need to update policies. There might be guidelines which mention the old store location which should be updated<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. -->
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. -->


Line 135: Line 135:


<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
* Contingency mechanism: (What to do?  Who will do it?) N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency mechanism:  
** selinux-policy maintainers will revert selinux-policy spec file changes to use the original store in /etc/selinux
** SELinux userspace maintainers will drop SELinux userspace tools version 2.4 and use tools version 2.3
<!--(What to do?  Who will do it?) N/A (not a System Wide Change)  REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
* Contingency deadline: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency deadline: beta freeze <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
* Blocks release? N/A (not a System Wide Change), Yes/No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Blocks release? Yes <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Blocks product? product <!-- Applicable for Changes that blocks specific product release/Fedora.next -->
* Blocks product? N/A <!-- Applicable for Changes that blocks specific product release/Fedora.next -->


== Documentation ==
== Documentation ==
Line 147: Line 150:


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)
* https://github.com/SELinuxProject/cil/wiki
* https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration


== Release Notes ==
== Release Notes ==

Revision as of 13:06, 9 June 2015


SELinux policy store migration

Summary

SELinux userspace packages release 2015-02-02 includes a change of location of the SELinux policy store, which now defaults to /var/lib/selinux/.

Owner

Current status

  • Targeted release: Fedora 23
  • Last updated: 2015-06-09
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

In version 2.4 of libsemanage, libsepol, and policycoreutils, the policy module store was moved from /etc/selinux/<store>/modules/ to /var/lib/selinux/<store>/.

The new policy store supports priority for modules and changes fromat from .pp to CIL language.


Benefit to Fedora

The implementations bring some big system/distribution improvements against the current state (policy.29 + Fedora22):

  • moving the policy store out of /etc
    • user could easily get back Factory setup by removing a directory out of /etc
  • performance improvements
    • speed-up for SELinux tools like semanage, setsebool
    • reduces peak memory usage
  • prioritize of project's policy modules


Scope

  • Proposal owners:
    • prepare updated SELinux userspace packages
    • prepare updated SELinux policy packages with migrated store
    • prepare a migration script for users modifications and modules
  • Other developers:
    • Check if their packages contains SELinux modules and put them in the correct place /usr/share/selinux/packages
    • Check if their SELinux modules are compatible with the new SELinux userspace and are convertible to CIL language
  • Release engineering:
  • Policies and guidelines:there's no need to update policies. There might be guidelines which mention the old store location which should be updated
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

There should be no impact on upgrade. Existing modules should be migrated during user space packages update and SELinux policy package will be migrated by default


How To Test

  1. boot in enforcing mode without more AVCs than before update
  2. try semodule -l
  3. try create a module and install it, deinstall it, enable/disable it


User Experience

Regular users should not experience any change. The migration should be transparent. There'll be change only for the modules store and operations on SELinux modules should be faster.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • use the current userspace
  • use the selinux-policy packages with the module store in /etc/selinux
  • Contingency mechanism:
    • selinux-policy maintainers will revert selinux-policy spec file changes to use the original store in /etc/selinux
    • SELinux userspace maintainers will drop SELinux userspace tools version 2.4 and use tools version 2.3
  • Contingency deadline: beta freeze
  • Blocks release? Yes
  • Blocks product? N/A

Documentation

Release Notes