From Fedora Project Wiki


SELinux policy store migration

Summary

The SELinux userspace release of 2015-02-02 (libsemanage, libsepol and policycoreutils 2.4) moves the SELinux policy store to a new default location, /var/lib/selinux/.

Owner

Current status

  • Targeted release: Fedora 23
  • Last updated: 2015-06-09
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

In version 2.4 of libsemanage, libsepol, and policycoreutils, the SELinux policy store was moved from /etc/selinux/<store>/modules/ to /var/lib/selinux/<store>/.

The new policy store

  • has a new directory structure
  • supports a priority for each module
  • keeps cached modules in the CIL language
  • converts modules supplied in the binary pp format to CIL with the HLL (high-level language) compiler in /usr/libexec/selinux/hll/


Benefit to Fedora

The implementation brings some significant system/distribution improvements over the current state (policy.29 + Fedora 22):

  • the policy store moves out of /etc
    • a user can get back to the factory setup by removing a directory from /etc
  • performance improvements
    • faster SELinux tools such as semanage and setsebool
    • lower peak memory usage
  • priorities for policy modules: a module installed at a higher priority takes precedence over a module of the same name at a lower priority


Scope

  • Proposal owners:
    • prepare updated SELinux userspace packages
    • prepare updated SELinux policy packages with the migrated store
    • prepare a migration script for users' modifications and modules
  • Other developers:
    • check whether their packages contain SELinux modules and put them in the correct place, /usr/share/selinux/packages
    • check whether their SELinux modules are compatible with the new SELinux userspace and can be converted to the CIL language
  • Release engineering:
  • Policies and guidelines: there is no need to update policies. Guidelines that mention the old store location should be updated.
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

There should be no impact on upgrade. Existing modules are migrated when the userspace packages are updated, and the SELinux policy package is migrated by default.


How To Test

  1. update the system to the SELinux userspace 2.4 release
  2. boot in enforcing mode and confirm there are no more AVC denials than before the update
  3. try semodule -l
  4. try creating a module
    1. e.g. ausearch -m avc -ts boot | audit2allow -M mytestmodule
  5. install it: semodule -i mytestmodule.pp
  6. remove it, then disable and re-enable it; see semodule -h for the options
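
The steps above, scripted as an added example (this is not code from the wiki page or from the SELinux userspace project). It assumes a Fedora host with the 2.4 userspace, so that the store lives under /var/lib/selinux/<store>, and that semodule supports -lfull and -X (priority) alongside -i, -d, -e and -r; ausearch and audit2allow are assumed to be installed. The `semodule -lfull` lines fed to `shadowed_modules` are constructed sample data, the per-module directory contents listed in step 5 are the expected 2.4 store layout, and priority 100 for distribution policy is an assumption. The live procedure only runs when SELINUX_STORE_TEST=1 is set, so the helpers can be exercised on any host.

```shell
#!/bin/sh
# Added example for the How To Test steps (not from the Fedora wiki page).
# Assumes Fedora with the 2.4 SELinux userspace; semodule -X/-lfull/-i/-d/-e/-r,
# getenforce, ausearch and audit2allow are assumed available. The live procedure
# runs only when SELINUX_STORE_TEST=1 is set.

# Store name from SELINUXTYPE in /etc/selinux/config (path overridable for tests).
store_name() {
    sed -n 's/^SELINUXTYPE=//p' "${1:-/etc/selinux/config}" | head -n 1
}

# Old (2.3) and new (2.4) store locations for a given store name.
old_store_dir() { printf '/etc/selinux/%s/modules\n' "$1"; }
new_store_dir() { printf '/var/lib/selinux/%s\n' "$1"; }

# Constructed sample in the shape of `semodule -lfull` output: "<priority> <name> <lang>".
sample_lfull() {
    printf '100 abrt pp\n400 abrt pp\n100 cups pp\n'
}

# Read -lfull style output on stdin and print modules present at more than one
# priority together with the priority that wins (the highest); the other copies
# are shadowed and inactive.
shadowed_modules() {
    awk '{ n[$2]++; if ($1 + 0 > top[$2] + 0) top[$2] = $1 + 0 }
         END { for (m in n) if (n[m] > 1) printf "%s active_priority=%d\n", m, top[m] }' | sort
}

# Walk the wiki's test steps against the live system; any failing step returns non-zero.
run_test_procedure() {
    store=$(store_name)
    new=$(new_store_dir "$store")
    old=$(old_store_dir "$store")

    # Steps 1 and 2: the migrated store exists and the system is enforcing.
    [ -d "$new/active/modules" ] || { echo "no migrated store under $new"; return 1; }
    [ -d "$old" ] && echo "note: old store $old is still present"
    [ "$(getenforce)" = Enforcing ] || echo "warning: not in enforcing mode"

    # Step 3: listing works; -lfull also shows each module's priority.
    semodule -l >/dev/null || return 1
    semodule -lfull | shadowed_modules

    # Step 4: build a module from the AVC denials since boot.
    work=$(mktemp -d) || return 1
    (cd "$work" && ausearch -m avc -ts boot | audit2allow -M mytestmodule)
    if [ ! -f "$work/mytestmodule.pp" ]; then
        echo "no AVC denials since boot, nothing to build; skipping install steps"
        rm -rf "$work"
        return 0
    fi

    # Step 5: install at an explicit priority (400 is semodule's default; the
    # distribution policy is assumed to sit at 100) and confirm it landed in the
    # new store. Expected 2.4 layout of the module directory: cil, hll, lang_ext.
    semodule -X 400 -i "$work/mytestmodule.pp" || return 1
    semodule -lfull | grep -q '^400 *mytestmodule' || return 1
    ls "$new/active/modules/400/mytestmodule"

    # Step 6: disable, re-enable, then remove.
    semodule -d mytestmodule || return 1
    semodule -e mytestmodule || return 1
    semodule -r mytestmodule || return 1
    rm -rf "$work"
}

if [ "${SELINUX_STORE_TEST:-0}" = 1 ]; then
    run_test_procedure
fi
```

Run it as root with `SELINUX_STORE_TEST=1 sh selinux-store-test.sh`; the priority-aware listing is the part worth keeping, since after migration a locally installed module at 400 silently wins over a same-named module at 100 and `semodule -l` alone does not show that.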


User Experience

Regular users should not notice any change; the migration should be transparent. Only the module store location changes, and operations on SELinux modules should be faster.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • use the current userspace
  • use the selinux-policy packages with the module store in /etc/selinux
  • Contingency mechanism:
    • selinux-policy maintainers will revert selinux-policy spec file changes to use the original store in /etc/selinux
    • SELinux userspace maintainers will drop SELinux userspace tools version 2.4 and use tools version 2.3
  • Contingency deadline: beta freeze
  • Blocks release? Yes
  • Blocks product? N/A

Documentation

Release Notes