From Fedora Project Wiki
m (First letter capitalisation vandalism)
Revision as of 15:41, 10 June 2015


SELinux policy store migration

Summary

The newest SELinux userspace project release 2015-02-02 includes a change of the location of the SELinux policy store, which defaults to /var/lib/selinux/.

Owner

Current status

  • Targeted release: Fedora 23
  • Last updated: 2015-06-10
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

In the SELinux userspace project release 2015-02-02, the SELinux policy store was moved from /etc/selinux/<store>/modules/ to /var/lib/selinux/<store>/.

The new policy store

  • has a new, complex structure
  • supports module priorities
  • uses the CIL language for cached modules
  • converts original modules to CIL using an HLL compiler in /usr/libexec/selinux/hll/; the pp compiler converts the pp format to the CIL language


Benefit to Fedora

The new store implementation and the CIL language bring improvements to the system:

  • the policy store is moved out of /etc
  • performance improvements
    • faster SELinux tools such as semanage and setsebool
    • reduced peak memory usage
  • a cached SELinux policy module can be overridden by a module with the same name and a higher priority
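The priority rule above can be checked directly against the store's directory layout. The following script is an added example, not code from the change page or the SELinux project; it assumes the libsemanage 2.4 layout (active/modules/<priority>/<name>/lang_ext plus an active/modules/disabled/ marker directory) and takes the store root, normally /var/lib/selinux/targeted, as its first argument.

```shell
#!/bin/sh
# Added example (not code from the Fedora change page or the SELinux project).
# Walks a policy store in the libsemanage 2.4 layout this change introduces:
#   <store>/active/modules/<priority>/<name>/lang_ext   (next to the cil/hll blobs)
#   <store>/active/modules/disabled/<name>              (marker for a disabled module)
# and works out which copy of a module is effective. On a real system <store>
# is /var/lib/selinux/targeted; any directory with that layout will do here.

# Print "name priority lang_ext" for every module directory in the store.
list_modules() {
    store=$1
    for dir in "$store"/active/modules/[0-9]*/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        prio=$(basename "$(dirname "$dir")")
        ext=$(cat "$dir/lang_ext" 2>/dev/null || echo unknown)
        printf '%s %s %s\n' "$name" "$prio" "$ext"
    done
}

# Print the priority of the copy of NAME that the policy build actually uses:
# the highest priority wins, which is how a module installed with a higher
# priority (semodule -X 400 -i foo.pp) overrides a same-named module at 100.
# Returns 1 and prints nothing when the module is absent or disabled.
effective_priority() {
    store=$1; name=$2
    [ -e "$store/active/modules/disabled/$name" ] && return 1
    list_modules "$store" | awk -v n="$name" '
        BEGIN { best = -1 }
        $1 == n && $2 + 0 > best { best = $2 + 0 }
        END { if (best < 0) exit 1; print best }'
}
```

On a live system `semodule -lfull` prints the same priority/name/lang_ext view, and `semodule -X <priority> -i` installs a module at a chosen priority.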


Scope

  • Proposal owners:
    • prepare SELinux userspace packages with the release 2015-02-02
    • prepare SELinux policy packages with the new store location
    • prepare a migration script for users' modifications and modules
  • Other developers:
    • check whether their packages contain SELinux modules and put them in the correct place, /usr/share/selinux/packages
    • check whether their SELinux modules are compatible with the new SELinux userspace and can be converted to the CIL language
  • Release engineering: N/A
  • Policies and guidelines:
    • there is no need to update policies
    • guidelines that mention the old store location should be updated
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

There should be no impact on upgrade. Existing modules will be migrated during the update of the userspace packages, and the SELinux policy package will use the new location by default.


How To Test

TBD

  1. update the system with the libselinux-2.4 release
  2. boot in enforcing mode without more AVC denials than before the update
  3. try semodule -l
  4. try to create a module
    1. e.g. ausearch -m avc -ts boot | audit2allow -M mytestmodule
  5. install it: semodule -i mytestmodule.pp
  6. uninstall it, enable/disable it; see semodule -h
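Steps 3 to 6 of the plan above, as an added example script with explicit pass/fail checks (not code from the change page). It assumes semodule, ausearch and audit2allow are installed; the variables at the top let you point the functions at other binaries.

```shell
#!/bin/sh
# Added example (not from the Fedora change page): steps 3-6 of the test plan
# as a script with explicit pass/fail checks. Assumes semodule, ausearch and
# audit2allow are installed; override the variables below to point at other
# binaries (for instance stubs when dry-running the script itself).
SEMODULE=${SEMODULE:-semodule}
AUSEARCH=${AUSEARCH:-ausearch}
AUDIT2ALLOW=${AUDIT2ALLOW:-audit2allow}

# Step 3: listing must succeed, i.e. the migrated store is readable.
list_modules() { "$SEMODULE" -l; }

# True when NAME appears as the first field of a listing line.
is_listed() { list_modules | awk -v n="$1" '$1 == n { f = 1 } END { exit !f }'; }

# Step 4: build NAME.pp in WORKDIR from the boot-time AVC denials.
build_module() {
    workdir=$1; name=$2
    (cd "$workdir" && "$AUSEARCH" -m avc -ts boot | "$AUDIT2ALLOW" -M "$name") || return 1
    [ -f "$workdir/$name.pp" ]
}

# Steps 5 and 6: install, disable, enable and remove NAME, checking the store.
exercise_module() {
    workdir=$1; name=$2
    "$SEMODULE" -i "$workdir/$name.pp" || return 1
    is_listed "$name" || return 1                 # installed module shows up
    "$SEMODULE" -d "$name" && "$SEMODULE" -e "$name" || return 1
    "$SEMODULE" -r "$name" || return 1
    ! is_listed "$name"                           # removed module is gone
}

# Run the whole sequence in a scratch directory; the exit status is the verdict.
run_all() {
    workdir=$(mktemp -d)
    list_modules >/dev/null && build_module "$workdir" mytestmodule \
        && exercise_module "$workdir" mytestmodule
    status=$?
    rm -rf "$workdir"
    return $status
}
```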


User Experience

Regular users should not experience any change. The migration should be transparent: the only change is the module store, and operations on SELinux modules should be faster.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • use the previous SELinux userspace project release
  • use the selinux-policy packages with the policy store located in /etc/selinux
  • Contingency mechanism:
    • selinux-policy maintainers will revert selinux-policy spec file changes to use the original store in /etc/selinux
    • SELinux userspace maintainers will drop SELinux userspace tools version 2.4 and use tools version 2.3
  • Contingency deadline: beta freeze
  • Blocks release? Yes
  • Blocks product? N/A

Documentation

Release Notes