Bug 761620 - SELinux policy handling
Status: RESOLVED NOTGNOME
Product: ostree
Classification: Infrastructure
Component: general
Version: unspecified
OS: Other Linux
Importance: Normal normal
Assigned To: OSTree maintainer(s)
Reported: 2016-02-06 09:41 UTC by Colin Walters
Modified: 2017-07-21 15:36 UTC

Description Colin Walters 2016-02-06 09:41:37 UTC
OSTree basically encourages systems to move away from %post for systems management tasks.  However, SELinux policy is very special as it gets loaded in the initramfs.

We need to recompile the policy after creating a new deployment.  This will actually need to involve using e.g. systemd-nspawn -D /path/to/new-deployment semodule.
Comment 1 Colin Walters 2016-02-29 20:29:29 UTC
Need to work out:

 - Can we detect "is the policy changed"?  Probably cmp /{usr/,}etc/selinux/targeted/policy/policy.29 - but is there an API for that?

 - Can we efficiently detect the case where on upgrade, the base policy version didn't change, so we don't need to recompile, and just propagate forward our modified policy from /etc?
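
The "is the policy changed" check sketched in the comment above, as an added example that is not part of the bug report or of ostree's own code: a POSIX shell function that finds the newest policy.NN file under both /usr/etc and /etc of a deployment root and compares them with cmp, treating a bumped policy version as a change. The deployment layout, the function names and the fixture data are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not ostree's own code): decide whether the SELinux binary
# policy shipped in a new OSTree deployment (/usr/etc) differs from the
# locally modified copy (/etc), as the comment proposes with cmp.
# Paths and function names are assumptions.

# Print the highest-numbered policy.NN file in DIR (prints nothing if none).
latest_policy_file() {
    dir="$1"; best=""
    [ -d "$dir" ] || return 0
    for f in "$dir"/policy.[0-9]*; do
        [ -f "$f" ] || continue            # an unmatched glob stays literal
        n="${f##*.}"
        case "$n" in *[!0-9]*) continue ;; esac
        if [ -z "$best" ] || [ "$n" -gt "${best##*.}" ]; then best="$f"; fi
    done
    printf '%s\n' "$best"
}

# policy_changed ROOT [TYPE]: 0 = policy differs (recompile needed),
# 1 = identical (just carry /etc forward), 2 = a policy file is missing.
policy_changed() {
    root="$1"; type="${2:-targeted}"
    base=$(latest_policy_file "$root/usr/etc/selinux/$type/policy")
    cur=$(latest_policy_file "$root/etc/selinux/$type/policy")
    [ -n "$base" ] && [ -n "$cur" ] || return 2
    # A bumped policy version (policy.29 -> policy.30) is a change too.
    [ "${base##*/}" = "${cur##*/}" ] || return 0
    cmp -s "$base" "$cur" && return 1
    return 0
}

# make_fixture BASE_CONTENT ETC_CONTENT: build a constructed deployment tree
# under a temp dir and print its path (sample bytes, not a real policy).
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/etc/selinux/targeted/policy" "$root/etc/selinux/targeted/policy"
    printf '%s' "$1" > "$root/usr/etc/selinux/targeted/policy/policy.29"
    printf '%s' "$2" > "$root/etc/selinux/targeted/policy/policy.29"
    printf '%s\n' "$root"
}

# Stand-alone demo: identical copies -> not changed, an edited /etc -> changed.
for pair in "base base" "base local"; do
    set -- $pair
    r=$(make_fixture "$1" "$2")
    if policy_changed "$r"; then echo "$1 vs $2: changed"; else echo "$1 vs $2: not changed"; fi
    rm -rf "$r"
done
```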
Comment 2 Colin Walters 2016-02-29 21:11:22 UTC
http://marc.info/?l=selinux&m=145677940526857&w=2
Comment 3 Colin Walters 2017-07-21 15:36:20 UTC
Migrating to https://github.com/ostreedev/ostree/issues/1026