From Fedora Project Wiki
Latest revision as of 11:18, 9 June 2015


A new location for SELinux policy module store

Summary

Updated SELinux userspace packages together with SELinux policy packages include a change of location of the SELinux module store, which now defaults to /var/lib/selinux/. The new store supports priorities for modules and changes the stored module format from .pp to the CIL language.

Owner

Current status

  • Targeted release: Fedora 23
  • Last updated: 2015-06-09
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

The new store supports priorities for modules and changes the stored module format from .pp to the CIL language.


Benefit to Fedora

The implementation brings significant system and distribution improvements over the current state (policy.29 + Fedora 22):

  • moving the policy store out of /etc
    • users can easily restore the factory setup by removing a directory from /etc
  • performance improvements
    • speed-up for SELinux tools such as semanage and setsebool
    • reduced peak memory usage
  • priorities for projects' policy modules
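The priority mechanism is easiest to see by walking the store itself. The following is an added example (not code from the Fedora Change page or from the SELinux project) that scans a module store and reports which copy of each module is in effect. It assumes the on-disk layout the new libsemanage store uses, which the page does not describe: <store>/active/modules/<priority>/<name>/ holding the module's cil and lang_ext files (in a real store the cil file is compressed; the sample here writes plain text as a placeholder), and <store>/active/modules/disabled/<name> marker files for modules that have been disabled. The highest priority wins for a given name; the sample store is constructed in a temporary directory.

```python
# Added example (not from the Fedora Change page or the SELinux project): walk a
# module store laid out the way the new libsemanage store is (assumed layout, not
# stated on the page): <store>/active/modules/<priority>/<name>/{cil,hll,lang_ext}
# plus <store>/active/modules/disabled/<name> marker files for disabled modules.
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleInfo:
    name: str
    priority: int
    lang_ext: str   # "cil" or "pp": which source format was installed
    enabled: bool


def scan_store(store_root):
    """Return {module_name: [ModuleInfo, ...]} for every priority a name appears at."""
    modules_dir = os.path.join(store_root, "active", "modules")
    disabled_dir = os.path.join(modules_dir, "disabled")
    disabled = set(os.listdir(disabled_dir)) if os.path.isdir(disabled_dir) else set()
    found = {}
    for entry in sorted(os.listdir(modules_dir)):
        if not entry.isdigit():
            continue  # skip "disabled" and anything that is not a priority directory
        priority = int(entry)
        prio_dir = os.path.join(modules_dir, entry)
        for name in sorted(os.listdir(prio_dir)):
            mod_dir = os.path.join(prio_dir, name)
            if not os.path.isdir(mod_dir):
                continue
            lang_path = os.path.join(mod_dir, "lang_ext")
            lang = "unknown"
            if os.path.isfile(lang_path):
                with open(lang_path) as fh:
                    lang = fh.read().strip()
            found.setdefault(name, []).append(
                ModuleInfo(name, priority, lang, name not in disabled))
    return found


def effective_modules(found):
    """The module that wins for each name: the highest priority shadows lower ones."""
    return {name: max(infos, key=lambda m: m.priority) for name, infos in found.items()}


def shadowed_modules(found):
    """(name, priority) pairs that are installed but hidden by a higher priority."""
    shadowed = []
    for name, infos in found.items():
        top = max(m.priority for m in infos)
        shadowed.extend((name, m.priority) for m in infos if m.priority < top)
    return sorted(shadowed)


def _add_module(store_root, priority, name, lang_ext, disabled=False):
    """Write one constructed module entry into the sample store."""
    mod_dir = os.path.join(store_root, "active", "modules", str(priority), name)
    os.makedirs(mod_dir, exist_ok=True)
    with open(os.path.join(mod_dir, "lang_ext"), "w") as fh:
        fh.write(lang_ext + "\n")
    with open(os.path.join(mod_dir, "cil"), "w") as fh:
        fh.write("(boolean %s_enabled false)\n" % name)  # placeholder CIL body, uncompressed
    if disabled:
        dis_dir = os.path.join(store_root, "active", "modules", "disabled")
        os.makedirs(dis_dir, exist_ok=True)
        open(os.path.join(dis_dir, name), "w").close()


def make_sample_store():
    """Constructed sample: distribution modules at priority 100, a local override of
    one of them at 400 (the default priority semodule -i uses), and one disabled."""
    root = tempfile.mkdtemp(prefix="selinux-store-")
    _add_module(root, 100, "apache", "pp")          # shipped as .pp, stored as CIL
    _add_module(root, 100, "samba", "cil", disabled=True)
    _add_module(root, 400, "apache", "cil")         # local replacement wins over 100
    return root


if __name__ == "__main__":
    root = make_sample_store()
    found = scan_store(root)
    for name, info in sorted(effective_modules(found).items()):
        state = "enabled" if info.enabled else "DISABLED"
        print(f"{name:10} priority={info.priority} source={info.lang_ext} {state}")
    for name, prio in shadowed_modules(found):
        print(f"shadowed: {name} at priority {prio}")
```

Point the script at /var/lib/selinux/targeted to inspect a real Fedora 23 store; the same information is what the new userspace prints with semodule --list-modules=full, and the priority used for an install is chosen with semodule -X <priority> -i. A module that scan_store reports as shadowed is still on disk but contributes nothing to the loaded policy, which is the property that lets a local override at a higher priority be removed to fall back to the distribution module.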


Scope

  • Proposal owners:
    • prepare updated SELinux userspace packages
    • prepare updated SELinux policy packages with migrated store
    • prepare a migration script for users modifications and modules
  • Other developers: N/A (not a System Wide Change)
    • Check whether their packages contain SELinux modules and put them in the correct place, /usr/share/selinux/packages
    • Check whether their SELinux modules are compatible with the new SELinux userspace and can be converted to the CIL language
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

There should be no impact on upgrade. Existing modules should be migrated during the userspace package update, and the SELinux policy package will be migrated by default.


How To Test

1. Boot in enforcing mode and confirm there are no more AVC denials than before the update.
2. Run semodule -l.
3. Create a module, then install it, remove it, and enable/disable it.
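Step 1 is only meaningful if the denials from before the update are recorded and compared against the denials afterwards. The following is an added example (not code from the Fedora Change page) that parses kernel AVC audit records, keys each denial on source type, target type, object class and permissions, and reports the denials that are new after the update. The audit lines are constructed samples; on a real system the input would be the relevant lines from /var/log/audit/audit.log (an assumed path), captured once before and once after the update.

```python
# Added example (not from the Fedora Change page): compare AVC denials recorded
# before and after the userspace/policy update, for step 1 of the test plan.
# The audit lines below are constructed samples in the kernel AVC audit format.
import re
from collections import Counter

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def _type_of(context):
    """user:role:type[:range] -> type, the component policy rules are keyed on."""
    return context.split(":")[2]


def parse_denials(lines):
    """Counter keyed on (source type, target type, class, sorted permissions)."""
    counts = Counter()
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and other record types are ignored
        perms = " ".join(sorted(m["perms"].split()))
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"], perms)
        counts[key] += 1
    return counts


def permissive_denials(lines):
    """Number of AVC records flagged permissive=1: denials that were logged but
    not enforced, which means the system was not really in enforcing mode."""
    total = 0
    for line in lines:
        m = AVC_RE.search(line)
        if m and m["permissive"] == "1":
            total += 1
    return total


def new_denials(before, after):
    """Denial keys seen after the update that never appeared before it."""
    seen_before = parse_denials(before)
    return sorted(k for k in parse_denials(after) if k not in seen_before)


# Constructed sample records: the same two httpd denials before and after,
# plus one smbd denial that only shows up after the update.
BEFORE_LINES = [
    'type=AVC msg=audit(1433844000.101:201): avc:  denied  { read } for  pid=1201 '
    'comm="httpd" name="index.html" dev="dm-0" ino=4242 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1433844000.102:202): avc:  denied  { name_connect } for  pid=1201 '
    'comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0',
    'type=SYSCALL msg=audit(1433844000.102:202): arch=c000003e syscall=42 success=no exit=-13',
]
AFTER_LINES = BEFORE_LINES + [
    'type=AVC msg=audit(1433850000.301:310): avc:  denied  { read } for  pid=1290 '
    'comm="httpd" name="index.html" dev="dm-0" ino=4242 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1433850000.302:311): avc:  denied  { write } for  pid=1310 '
    'comm="smbd" name="share" dev="dm-0" ino=99 scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0',
]

if __name__ == "__main__":
    if permissive_denials(AFTER_LINES):
        print("warning: some denials were logged in permissive mode")
    for key in new_denials(BEFORE_LINES, AFTER_LINES):
        print("new after update:", key)
```

A new key after the update is the signal the test step asks for: either a module did not migrate, a local modification was lost, or a package-shipped module was not converted. Denial counts that merely grow for an already-known key are expected noise from repeated accesses and are not by themselves a migration failure.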


User Experience

Regular users should not experience any change. The migration should be transparent. The only change is the location of the module store, and operations on SELinux modules should be faster.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • use the current userspace
  • use the selinux-policy packages with the module store in /etc/selinux
  • Contingency mechanism: N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)
  • Blocks product? N/A

Documentation

N/A (not a System Wide Change)

Release Notes