On 01/14/2016 10:58 AM, Petr Lautrbach wrote:
> On 01/14/2016 04:37 PM, Jan Pazdziora wrote:
>> On Thu, Jan 14, 2016 at 04:05:23PM +0100, Miroslav Grepl wrote:
>>> Hi folks,
>>> currently yes. Users are not able to manage the SELinux policy on Atomic
>>> Hosts because the SELinux policy module store is located in /var/lib/selinux
>>> and there are no files in this directory after factory reset.
>>>
>>> See https://bugzilla.redhat.com/show_bug.cgi?id=1290659 for more details.
>>>
>>> What is the core problem?
>>>
>>> Atomic uses RPM-OSTree with empty /var after factory reset. It means
>> You mean after running
>>
>> ostree reset
>>
>> ? Does it purge /var but not /etc?
>>
>>> that there are no policy modules stored in /var/lib/selinux.
>>>
>>> What does it mean?
>>>
>>> Failing SELinux tools like semanage/semodule if a user tries to
>>> manage/change the SELinux policy.
>>>
>>> https://github.com/cockpit-project/cockpit/issues/3326#issuecomment-166414809
>>>
>>> How could we solve it?
>>>
>>> We introduced a new selinux-policy-atomic package with the policy module
>>> store moved back to /etc. It needs to be installed together with two
>>> changes in configuration files - /etc/selinux/config and
>>> /etc/selinux/semanage.conf
>>>
>>> Our proposed solution is that Atomic would be composed with
>>> selinux-policy-atomic instead of selinux-policy-targeted and with
>>> changed configuration files.
>> Can't semanage/semodule work with a stock (read-only) version in /usr,
>> copying things to /var/lib when needed? Having binary content in /etc
>> does not sound too nice.
>>
> The SELinux module store had been in /etc/selinux since its beginning. The
> store was moved to /var/lib/selinux in Fedora 23, resp. in SELinux
> Project release 2015-02-02. selinux-policy-atomic moves it back
> as a workaround for the problem with empty /var when RPM-OSTree is used.
> As it's simple to implement and we already have builds, it's a way to
> solve this problem in the near future.
>
> The read-only store in /usr would mean either duplicating files from
> /usr/ to /var on boot, or a non-trivial change in the SELinux user space
> tools, which is probably doable but we don't have any implementation or
> proposal of it yet and we need it to be accepted and reviewed by the SELinux
> project upstream first.
>
> Petr

I think doing a design where content would be searched first in /var/lib/selinux
and then fall back to /usr/lib/selinux would be a good compromise solution.
This would make it easy for users to be able to get back to the default policy.

rm -rf /var/lib/selinux; load_policy
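The failure the thread describes (semanage/semodule breaking because the module store directory is empty after a factory reset) can be detected before a user hits it. The check below is an added example, not code from the thread or from the selinux-policy packages; it assumes the `store-root` option of semanage.conf (default /var/lib/selinux) and the `<store-root>/<SELINUXTYPE>/active/modules` layout of the post-2.4 module store, and takes the config paths as arguments so it can be run against a test tree.

```shell
#!/bin/sh
# Added example: verify that the SELinux module store semanage/semodule
# will look in actually contains modules. Not part of the original thread.

# Read a KEY=value setting from an /etc/selinux/config-style file.
selinux_config_value() {
    # $1 = config file, $2 = key (e.g. SELINUXTYPE)
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

# Read store-root from semanage.conf; libsemanage's built-in default is
# /var/lib/selinux (the location that is empty after an Atomic factory reset).
semanage_store_root() {
    # $1 = semanage.conf path
    root=$(sed -n 's/^[[:space:]]*store-root[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${root:-/var/lib/selinux}"
}

# Return 0 when the active module directory for the configured policy type
# has at least one entry, 1 when it is missing or empty. Assumed layout
# (post-2.4 store): <store-root>/<SELINUXTYPE>/active/modules
check_module_store() {
    # $1 = /etc/selinux/config, $2 = /etc/selinux/semanage.conf
    type=$(selinux_config_value "$1" SELINUXTYPE)
    root=$(semanage_store_root "$2")
    modules="$root/${type:-targeted}/active/modules"
    if [ -d "$modules" ] && [ -n "$(ls -A "$modules" 2>/dev/null)" ]; then
        echo "module store $modules is populated"
        return 0
    fi
    echo "module store $modules is missing or empty; semanage/semodule will fail" >&2
    return 1
}

# Stand-alone use: check the live system configuration.
[ "${0##*/}" = "check_module_store.sh" ] && \
    check_module_store /etc/selinux/config /etc/selinux/semanage.conf
```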