This week I want to remove the pmask of the 2.4 userspace for SELinux. I
just committed the 2.4_rc5 release (announced today) to the tree for wider
testing.

The reason for the p.mask is that there is a change to the userspace that
isn't easily reversible: the location of the policy module store is moved
from /etc/selinux to /var/lib/selinux. And most importantly, in order to use
the new userspace, end users will need to call a migration script.

The script is called /usr/libexec/selinux/semanage_migrate_store. I've
tried to integrate it in the pkg_postinst phase of a package (so that it is
done automatically) but the SELinux policy does not allow portage_t to move
and reload the policy module store.

As I don't want to clutter up the policy for just a migration, I currently
documented it in ewarn's inside the policycoreutils package. However, I am
aware that this won't be sufficient for end users.

"Forgetting" to migrate does not make the system unstable or unusable, but
manipulating the policy module store or operating semanage commands will
fail. Do you think it is a good idea to work out a news item for this? I'd
say "yes" but I can live with a "no" as well.

Wkr,
Sven Vermeulen