From Fedora Project Wiki
No edit summary
Line 21: Line 21:


<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
= A new location for SELinux policy module store and CIL languague =  
= A new location for SELinux policy module store =  


== Summary ==
== Summary ==
Line 76: Line 76:
**speed-up for SELinux tools like semanage, setsebool
**speed-up for SELinux tools like semanage, setsebool
**reduces peak memory usage  
**reduces peak memory usage  
*shrinking SELinux policy
<!-- *shrinking SELinux policy
**CIL grammer should allow us to write more effective policy
**CIL grammer should allow us to write more effective policy
**prioritize of project's policies
-->
*prioritize of project's policy modules
    
    
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
Line 85: Line 86:
* Proposal owners:
* Proposal owners:
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
** prepare updated SELinux userspace packages
** prepare updated SELinux policy packages with migrated store
** prepare a migration script for users modifications and modules


* Other developers: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
** Check if their packages contains SELinux modules and put them in the correct place /usr/share/selinux/packages
** Check if their SELinux modules are compatible with the new SELinux userspace and are convertible to CIL language
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


Line 101: Line 107:
== Upgrade/compatibility impact ==
== Upgrade/compatibility impact ==
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
There should be no impact on upgrade. Existing modules should be migrated during user space packages update and SELinux policy package will be migrated by default


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)


== How To Test ==
== How To Test ==
Line 119: Line 125:
3. What are the expected results of those actions?
3. What are the expected results of those actions?
-->
-->
1. boot in enforcing mode without more AVCs than before update
2. try semodule -l
3. try create a module and install it, deinstall it, enable/disable it


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)


== User Experience ==
== User Experience ==
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)
Regular users should not experience any change. The migration should be transparent. There'll be change only for the modules store and operations on SELinux modules should be faster.


== Dependencies ==
== Dependencies ==
Line 135: Line 143:


== Contingency Plan ==
== Contingency Plan ==
* use the current userspace
* use the current selinux-policy packages


<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->

Revision as of 12:18, 27 May 2015


A new location for SELinux policy module store

Summary

These updated SELinux userspace packages together with SELinux policy packages include a change of location of the SELinux module store, which now defaults to /var/lib/selinux/.

Owner

Current status

  • Targeted release: Fedora 23
  • Last updated: 2015-05-25
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Benefit to Fedora

The implementations bring some big system/distribution improvements against the current state (policy.29 + Fedora22):

  • moving the policy store out of /etc
    • user could easily get back Factory setup by removing a directory out of /etc
  • performance improvements
    • speed-up for SELinux tools like semanage, setsebool
    • reduces peak memory usage
  • prioritize of project's policy modules


Scope

  • Proposal owners:
    • prepare updated SELinux userspace packages
    • prepare updated SELinux policy packages with migrated store
    • prepare a migration script for users modifications and modules
  • Other developers: N/A (not a System Wide Change)
    • Check if their packages contains SELinux modules and put them in the correct place /usr/share/selinux/packages
    • Check if their SELinux modules are compatible with the new SELinux userspace and are convertible to CIL language
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

There should be no impact on upgrade. Existing modules should be migrated during user space packages update and SELinux policy package will be migrated by default


How To Test

1. boot in enforcing mode without more AVCs than before update 2. try semodule -l 3. try create a module and install it, deinstall it, enable/disable it


User Experience

Regular users should not experience any change. The migration should be transparent. There'll be change only for the modules store and operations on SELinux modules should be faster.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • use the current userspace
  • use the current selinux-policy packages
  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No
  • Blocks product? product

Documentation

N/A (not a System Wide Change)

Release Notes