[DSE-Dev] release-notes: Document how to migrate SELinux policies from the old store to the new one

Niels Thykier niels at thykier.net
Sat Apr 29 08:54:00 UTC 2017

Control: tags -1 moreinfo

On Wed, 18 Nov 2015 19:36:51 +0100 Laurent Bigonville <bigon at debian.org>
> Package: release-notes
> Severity: normal
> User: selinux-devel at lists.alioth.debian.org
> Usertags: selinux
> Hi,
> With the new SELinux userspace 2.4, the policy store has moved from
> /etc/selinux/<policy_name> to /var/lib/selinux/<policy_name> (the format
> of the store has also changed).
> The packages from the refpolicy (selinux-policy-default and
> selinux-policy-mls) should be fixed to automatically migrate to the new
> store (ATM this still needs to be done, see #805492)
> We should probably document how to do the migration for the policies
> maintained directly by the users and quickly explain the differences.
> Cheers,
> Laurent Bigonville
> [...]


This seems like a good idea.  Unfortunately, I know next to nothing
about this, so I will need some help with writing this.

Some bits that would be helpful to me:

 * What does the admin need to do to perform the migration?

 * Do we have a reference (to upstream) about why this is happening?

 * I assume this is only relevant for people who have installed,
   enabled SELinux AND written their own SELinux policies?
   - Given most probably don't, I will add a note so people know that
     they can most likely skip the section.
   - Are the "set sebool" policies also auto-migrated?

 * Can the admin easily check if they need to do something?
   - E.g. do we have a one-line shell snippet that can reliably say
     "manual migration needed"?  (It is fine if we can't; it is just
     intended as an extra service to the admins)

 * Anything else worth mentioning?
   - Can it be done prior to the upgrade?
   - Must it be performed after upgrade but before reboot?

