From Fedora Project Wiki
Revision as of 12:37, 9 June 2015


SELinux policy store migration

Summary

The SELinux userspace packages release of 2015-02-02 changes the location of the SELinux policy store, which now defaults to /var/lib/selinux/.

Owner

Current status

  • Targeted release: Fedora 23
  • Last updated: 2015-06-09
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

In version 2.4 of libsemanage, libsepol, and policycoreutils, the policy module store was moved from /etc/selinux/<store>/modules/ to /var/lib/selinux/<store>/.

The new policy store supports priorities for modules and changes the stored module format from .pp to the CIL language.


Benefit to Fedora

The implementation brings several significant system/distribution improvements over the current state (policy.29 + Fedora 22):

  • moving the policy store out of /etc
    • users can easily restore the factory setup by removing a directory from /etc
  • performance improvements
    • speed-up for SELinux tools such as semanage and setsebool
    • reduced peak memory usage
  • prioritization of projects' policy modules


Scope

  • Proposal owners:
    • prepare updated SELinux userspace packages
    • prepare updated SELinux policy packages with migrated store
    • prepare a migration script for users modifications and modules
  • Other developers: N/A (not a System Wide Change)
    • Check whether their packages contain SELinux modules and put them in the correct location, /usr/share/selinux/packages
    • Check whether their SELinux modules are compatible with the new SELinux userspace and can be converted to the CIL language
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

There should be no impact on upgrade. Existing modules are migrated during the userspace packages update, and the SELinux policy package is migrated by default.


How To Test

  1. boot in enforcing mode and confirm there are no more AVC denials than before the update
  2. try semodule -l
  3. try to create a module and install it, remove it, and enable/disable it
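The steps above, together with the store layout from the Detailed Description, as an added smoke-test script that is not part of the proposal. It assumes the libsemanage 2.4 layout /var/lib/selinux/&lt;store&gt;/active/modules/&lt;priority&gt;/&lt;name&gt;/, the `semodule -lfull` output form "&lt;priority&gt; &lt;name&gt; &lt;pp|cil&gt; [disabled]", and uses an arbitrary module name (proposal_smoke) and priority (400); the helper functions run without SELinux, while smoke_test needs root on an SELinux-enabled host.

```shell
#!/bin/sh
# Added example for the "How To Test" steps; not code from the proposal.

# Directory in which libsemanage 2.4 keeps one module (assumed layout).
module_dir() {  # module_dir <store> <priority> <name>
    printf '/var/lib/selinux/%s/active/modules/%s/%s\n' "$1" "$2" "$3"
}

# Normalise `semodule -lfull` lines ("<prio> <name> <lang> [disabled]",
# assumed format) into "name priority lang state", one module per line.
parse_lfull() {
    awk 'NF >= 3 { state = ($4 == "disabled") ? "disabled" : "enabled";
                   print $2, $1 + 0, $3, state }'
}

# Read the active store name (SELINUXTYPE=...) from an selinux config file.
store_name() {  # store_name [config-file]
    sed -n 's/^SELINUXTYPE=//p' "${1:-/etc/selinux/config}" | tail -n 1
}

# Full module lifecycle against the new store: install at an explicit
# priority, verify its on-disk location and listing, disable, enable, remove.
# Requires root and SELinux enabled; returns non-zero at the first failure.
smoke_test() {
    store=$(store_name) name=proposal_smoke prio=400
    tmp=$(mktemp -d) || return 1
    # A minimal CIL module: one new type, attached to object_r.
    printf '(type %s_t)\n(roletype object_r %s_t)\n' "$name" "$name" > "$tmp/$name.cil"
    semodule -X "$prio" -i "$tmp/$name.cil"                                || return 1
    test -d "$(module_dir "$store" "$prio" "$name")"                       || return 1
    semodule -lfull | parse_lfull | grep -q "^$name $prio cil enabled$"     || return 1
    semodule -d "$name"                                                    || return 1
    semodule -lfull | parse_lfull | grep -q "^$name $prio cil disabled$"    || return 1
    semodule -e "$name"                                                    || return 1
    semodule -X "$prio" -r "$name"                                         || return 1
    test ! -d "$(module_dir "$store" "$prio" "$name")"                     || return 1
    rm -rf "$tmp"
}

# Run the lifecycle check only when explicitly asked: `sh smoke.sh run`.
case "${1:-}" in
    run) smoke_test && echo "policy store smoke test passed" ;;
esac
```

Comparing `ausearch -m avc` output from before and after the update covers step 1; the script only exercises steps 2 and 3.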


User Experience

Regular users should not experience any change; the migration should be transparent. Only the module store location changes, and operations on SELinux modules should be faster.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • use the current userspace
  • use the selinux-policy packages with the module store in /etc/selinux
  • Contingency mechanism: N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)
  • Blocks product? product

Documentation

N/A (not a System Wide Change)

Release Notes