From Fedora Project Wiki

< Changes

Revision as of 15:41, 10 June 2015 by Plautrba (talk | contribs)

SELinux policy store migration


The newest SELinux userspace project release 2015-02-02 includes a change of the location of the SELinux policy store, which defaults to /var/lib/selinux/.


Current status

  • Targeted release: Fedora 23
  • Last updated: 2015-06-10
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

In the SELinux userspace project release 2015-02-02, the SELinux policy store was moved from /etc/selinux/<store>/modules/ to /var/lib/selinux/<store>/.

The new policy store

  • has a new complex structure
  • supports priority of modules
  • the CIL language is used for cached modules
  • original modules are converted using an HLL compiler in /usr/libexec/selinux/hll/. The pp compiler converts pp format to CIL language.

Benefit to Fedora

The new store implementation and the CIL language bring improvements to system:

  • the policy store is moved out of /etc
  • there's performance improvements
    • speed-up of SELinux tools like semanage, setsebool
    • reduce of memory peak usage
  • cached SELinux policy module can be overwritten by a module with same name and with higher priority


  • Proposal owners:
    • prepare SELinux userspace packages with the release 2015-02-02
    • prepare SELinux policy packages with the new store location
    • prepare a migration script for users modifications and modules
  • Other developers:
    • check if their packages contain SELinux modules and put them in the correct place /usr/share/selinux/packages
    • check if their SELinux modules are compatible with the new SELinux userspace and are convertible to CIL language
  • Release engineering: N/A
  • Policies and guidelines:
    • there's no need to update policies
    • there might be guidelines which mention the old store location which should be updated
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

There should be no impact on upgrade. Existing modules will be migrated during the update of userspace packages and SELinux policy package will use the new location by default.

How To Test


  1. update system with libselinux-2.4 release
  2. boot in enforcing mode without more AVCs than before update
  3. try semodule -l
  4. try create a module
    1. e.g. ausearch -m avc -ts boot | audit2allow -M mytestmodule
  5. install it - semodule -i mytestmodule.pp
  6. deinstall it, enable/disable it, see semodule -h

User Experience

Regular users should not experience any change. The migration should be transparent. There'll be change only for the modules store and operations on SELinux modules should be faster.


N/A (not a System Wide Change)

Contingency Plan

  • use the previous SELinux userspace project release
  • use the selinux-policy packages with the policy store located in /etc/selinux
  • Contingency mechanism:
    • selinux-policy maintainers will revert selinux-policy spec file changes to use the original store in /etc/selinux
    • SELinux userspace maintainers will drop SELinux userspace tools version 2.4 and use tools version 2.3
  • Contingency deadline: beta freeze
  • Blocks release? Yes
  • Blocks product? N/A


Release Notes