| 1 |
This week I want to remove the pmask of the 2.4 userspace for SELinux. I |
| 2 |
just committed the 2.4_rc5 release (announced today) to the tree for wider |
| 3 |
testing. |
| 4 |
|
| 5 |
The reason for the p.mask is that there is a change to the userspace that |
| 6 |
isn't easily reversible: the location of the policy module store is moved |
| 7 |
from /etc/selinux to /var/lib/selinux. And most importantly, in order to use |
| 8 |
the new userspace, end users will need to call a migration script. |
| 9 |
|
| 10 |
The script is called /usr/libexec/selinux/semanage_migrate_store. I've |
| 11 |
tried to integrate it in the pkg_postinst phase of a package (so that it is |
| 12 |
done automatically) but the SELinux policy does not allow portage_t to move |
| 13 |
and reload the policy module store. |
| 14 |
|
| 15 |
As I don't want to clutter up the policy for just a migration, I currently |
| 16 |
documented it in ewarn's inside the policycoreutils package. However, I am |
| 17 |
aware that this won't be sufficient for end users. |
| 18 |
|
| 19 |
"Forgetting" to migrate does not make the system unstable or unusable, but |
| 20 |
manipulationg the policy module store or operating semanage commands will |
| 21 |
fail. Do you think it is a good idea to work out a news item for this? I'd |
| 22 |
say "yes" but I can live with a "no" as well. |
| 23 |
|
| 24 |
Wkr, |
| 25 |
Sven Vermeulen |
Archives