From Fedora Project Wiki


SELinux policy store migration

Summary

The newest SELinux userspace project release 2015-02-02 includes a change of the location of the SELinux policy store, which defaults to /var/lib/selinux/.

Owner

Current status

Detailed Description

SELinux security policy is located in /etc/selinux directory together with configuration files. In Fedora, we use a modular policy. It means the policy is not one large source policy but it can be built from modules. These modules together with a base policy (contains the mandatory information) are compiled, linked and located in a policy store where can be built into a binary format and then loaded into the security server. This binary policy is located in /etc/selinux/<SELINUXTYPE>/policy/policy.29 for example.

The above mentioned policy store is located at

  • /etc/selinux/<SELINUXTYPE>/modules - default for systems that support versions < 2.4 of libsemanage, libsepol, and policycoreutils.
  • /var/lib/selinux/<SELINUXTYPE>/modules - default for systems that support versions >= 2.4 of libsemanage, libsepol, and policycoreutils.

This change builds CIL into libsepol, libsemanage, semodule, semanage to understand CIL and add ability to manage /var/lib/selinux as a new store location. It means this new location only matters if a policy is rebuilt or manipulated.

The new policy store

  • has a new complex structure
  • supports priority of modules
  • the CIL language is used for cached modules
  • original modules are converted using an HLL compiler in /usr/libexec/selinux/hll/. The pp compiler converts pp format to CIL language.

The following options are added by libsepol(v2.4) with CIL support to semanage.conf

store-root = <path>
compiler-directory = <path>
ignore-module-cache = true|false
target-platform = selinux | xen

"store-root" option can be changed from the default /var/lib/selinux to a custom location according to distribution requirements.


Benefit to Fedora

The new store implementation and the CIL language bring improvements to system:

  • the policy store is moved out of /etc
    • can be configured in semanage.conf
store-root = <path>
  • performance improvements
    • reduce of memory peak usage
    • speed-up of SELinux tools like semodule, semanage, setsebool
-- rebuild of policy (rawhide VM) --
CIL: real 0m6.171s
REGULAR: real 0m22.414s

-- SELinux policy load (rawhide VM) --
CIL: systemd[1]: Successfully loaded SELinux policy in 91.886ms.
REGULAR: systemd[1]: Successfully loaded SELinux policy in 172.393ms.
  • cached SELinux policy module can be overwritten by a module with same name and with higher priority
    • readable CIL format vs. compiled policy modules
    • ability to override distribution provided policy!
semodule --priority 100 --install fedora_distro/openstack.pp
semodule --priority 400 --install custom/openstack.pp

Both openstack modules are installed in the policy store, but only the custom openstack module is included in the final kernel binary.

See http://blog-bachradsusi.rhcloud.com/2015/06/05/selinux-modules-priority/


Scope

  • Proposal owners:
    • prepare SELinux userspace packages with the release 2015-02-02
    • prepare SELinux policy packages with the new store location
    • prepare a migration script for users modifications and modules
    • check if all packages containing SELinux modules use the right location
    • check if all SELinux modules used in Fedora packages are compatible with the new SELinux userspace and are convertible to CIL language
  • Other developers:


  • Release engineering: N/A
  • Policies and guidelines:
    • there's no need to update policies
    • there might be guidelines which mention the old store location which should be updated
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

There should be no impact on upgrade. Existing modules will be migrated during the update of userspace packages and SELinux policy package will use the new location by default.


How To Test

  • Enable plautrba/selinux COPR repo and update selinux-poloicy
# dnf copr enable plautrba/selinux

# dnf update selinux-policy


manually

  • Display list of installed modules
# semodule -l
  • Create a policy module and install it.
# cat mytestmodule.te
policy_module(mytestmodule, 1.0)
require{
 type glusterd_t;
 type smbd_t;
}
allow glusterd_t smbd_t:process signal;

# dnf install selinux-policy-devel
# make -f /usr/share/selinux/devel/Makefile mytestmodule.pp
# semodule -i mytestmodule.pp
# semodule --list-modules=full |grep mytestmodule
400 mytestmodule      pp
  • Try to disable/enable/remove the existing module (see semodule -h).
# semodule -d mytestmodule
# semodule -e mytestmodule
# semodule -r mytestmodule
  • Try to convert compiled policy module to CIL.
# cat mytestmodule.pp | /usr/libexec/selinux/hll/pp > mytestmodule.cil
# cat mytestmodule.cil
(roleattributeset cil_gen_require system_r)
(typeattributeset cil_gen_require glusterd_t)
(typeattributeset cil_gen_require smbd_t)
(allow glusterd_t smbd_t (process (signal)))

# semodule -i mytestmodule.cil
# semodule --list-modules=full |grep mytestmodule
400 mytestmodule      cil

using Fedora cloud image and SELinuxPolicyStoreMigration-tests

There is a simple testuite base on beakerlib and virsh available on github. You can find it at https://github.com/bachradsusi/SELinuxPolicyStoreMigration-tests


User Experience

Regular users should not experience any change. The migration should be transparent. There'll be change only for the modules store and operations on SELinux modules should be faster.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • use the previous SELinux userspace project release
  • use the selinux-policy packages with the policy store located in /etc/selinux
  • Contingency mechanism:
    • selinux-policy maintainers will revert selinux-policy spec file changes to use the original store in /etc/selinux
    • SELinux userspace maintainers will drop SELinux userspace tools version 2.4 and use tools version 2.3
  • Contingency deadline: beta freeze
  • Blocks release? Yes
  • Blocks product? N/A

Documentation

Release Notes