This week I want to remove the pmask of the 2.4 userspace for SELinux. I just committed the 2.4_rc5 release (announced today) to the tree for wider testing.
The reason for the p.mask is that there is a change to the userspace that isn't easily reversible: the location of the policy module store is moved from /etc/selinux to /var/lib/selinux. And most importantly, in order to use the new userspace, end users will need to call a migration script. The script is called /usr/libexec/selinux/semanage_migrate_store.

I've tried to integrate it in the pkg_postinst phase of a package (so that it is done automatically) but the SELinux policy does not allow portage_t to move and reload the policy module store. As I don't want to clutter up the policy for just a migration, I currently documented it in ewarns inside the policycoreutils package.

However, I am aware that this won't be sufficient for end users. "Forgetting" to migrate does not make the system unstable or unusable, but manipulating the policy module store or operating semanage commands will fail.

Do you think it is a good idea to work out a news item for this? I'd say "yes" but I can live with a "no" as well.

Wkr,
Sven Vermeulen