[DSE-Dev] Bug#805492: refpolicy: Fix the maintainer script to support the new policy store

Laurent Bigonville bigon at debian.org
Sun Dec 6 09:03:45 UTC 2015

clone 805492 -1
retitle -1 refpolicy: Migrate existing store to new store format on upgrade
severity -1 wishlist
tag 805492 + help


So I think we should split this in two issue:

1) make the maintainer script work and install the module in the new store
2) migrate the existing store, for this we could maybe just add 
something in the release notes

For the 1st point, IMHO, the easiest would be to do like fedora and 
install the modules directly in the /var/lib/selinux/<policy>/100 store 
instead of copying/loading them at installation time. We could make it 
clear that everything installed in the priority 100 is something the 
package own that that could removed on upgrade. At installation time we 
would just need to call semodule -B to build and reload the policy.

Any thoughts about installing stuffs like that directly in 
/var/lib/selinux? Any other idea? Should we still install the .pp in 
/usr/share/selinux if we are doing it like that?


Laurent Bigonville

More information about the SELinux-devel mailing list