* [gentoo-hardened] SELinux userspace 2.4 requires your attention
@ 2014-10-29 17:47 Sven Vermeulen
From: Sven Vermeulen @ 2014-10-29 17:47 UTC
To: gentoo-hardened
This week I want to remove the pmask of the 2.4 userspace for SELinux. I
just committed the 2.4_rc5 release (announced today) to the tree for wider
testing.
The reason for the p.mask is that there is a change to the userspace that
isn't easily reversible: the location of the policy module store is moved
from /etc/selinux to /var/lib/selinux. And most importantly, in order to use
the new userspace, end users will need to call a migration script.
The script is called /usr/libexec/selinux/semanage_migrate_store. I've
tried to integrate it in the pkg_postinst phase of a package (so that it is
done automatically) but the SELinux policy does not allow portage_t to move
and reload the policy module store.
As I don't want to clutter up the policy for just a migration, I currently
documented it in ewarn's inside the policycoreutils package. However, I am
aware that this won't be sufficient for end users.
"Forgetting" to migrate does not make the system unstable or unusable, but
manipulating the policy module store or operating semanage commands will
fail. Do you think it is a good idea to work out a news item for this? I'd
say "yes" but I can live with a "no" as well.
Wkr,
Sven Vermeulen
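A post-upgrade check for the failure mode the mail describes (a system still on the old store after the 2.4 userspace lands). This is an added example, not a script from the mail or from the Gentoo SELinux packages; it assumes the policy type is read from SELINUXTYPE in /etc/selinux/config, that the pre-2.4 store lives under /etc/selinux/<type>/modules and the 2.4 store under /var/lib/selinux/<type>, and it takes an optional root prefix so it can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the mail): report whether the SELinux policy
# module store has been migrated to the 2.4 layout under /var/lib/selinux.
# Assumed layout (not stated in the mail): policy type from SELINUXTYPE in
# /etc/selinux/config, old store /etc/selinux/<type>/modules, new store
# /var/lib/selinux/<type>. The first argument is an optional root prefix
# (defaults to /) so the check can run on a constructed tree.

selinux_policy_type() {
    root="${1:-}"
    cfg="$root/etc/selinux/config"
    [ -r "$cfg" ] || return 1
    # last SELINUXTYPE= line wins; trailing comments and whitespace dropped
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1
}

# Prints one of: migrated, legacy, none
selinux_store_state() {
    root="${1:-}"
    ptype="$(selinux_policy_type "$root")" || { echo none; return 0; }
    [ -n "$ptype" ] || { echo none; return 0; }
    if [ -d "$root/var/lib/selinux/$ptype" ]; then
        echo migrated            # 2.4 store present: semanage will work
    elif [ -d "$root/etc/selinux/$ptype/modules" ]; then
        echo legacy              # pre-2.4 store only: migration not yet run
    else
        echo none
    fi
}

# Exit 0 only when the store is migrated; 1 when the migration script still
# has to be run; 2 when no store was found at all.
selinux_store_check() {
    state="$(selinux_store_state "${1:-}")"
    case "$state" in
        migrated) echo "module store is under /var/lib/selinux"; return 0 ;;
        legacy)   echo "module store still under /etc/selinux:" \
                       "run /usr/libexec/selinux/semanage_migrate_store" >&2
                  return 1 ;;
        *)        echo "no SELinux policy module store found" >&2; return 2 ;;
    esac
}
```

Run `selinux_store_check` with no argument after the policycoreutils upgrade; a non-zero exit tells you the migration script has not been run yet.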