[DSE-Dev] release-notes: Document how to migrate SELinux policies from the old store to the new one

[Niels Thykier]

Control: tags -1 moreinfo

On Wed, 18 Nov 2015 19:36:51 +0100 Laurent Bigonville <bigon at debian.org>
wrote:
> Package: release-notes
> Severity: normal
> User: selinux-devel at lists.alioth.debian.org
> Usertags: selinux
> 
> Hi,
> 
> With the new SELinux userspace 2.4, the policy store has moved from
> /etc/selinux/<policy_name> to /var/lib/selinux/<policy_name> (the format
> of the store has also changed).
> 
> The packages from the refpolicy (selinux-policy-default and
> selinux-policy-mls) should be fixed to automatically migrate the the new
> store (ATM this still need to be done, see #805492)
> 
> We should probably document how to do the migration for the policies
> maintained directly by the users and quickly explain the differences.
> 
> Cheers,
> 
> Laurent Bigonville
> 
> [...]

Hi,

This seems like a good idea.  Unfortunately, I know next to nothing
about this, so I will need some help with writing this.

Some bits that would be helpful to me:

 * What do the admin need to do to perform them migration?

 * Do we have a reference (to upstream) about why this is happening?

 * I assume this is only relevant for people who have installed,
   enabled SELinux AND written their own SELinux policies?
   - Given most probably doesn't, I will add a note so people know that
     they can most likely skip the section.
   - Is the "set sebool" policies also auto-migrated?

 * Can the admin easily check if they need to do something?
   - E.g. do we have a one line shell snippet that can reliably say
    "manual migration needed" ?  (It is fine if we can't, it just
     intended as extra service to the admins)

 * Anything else worth mentioning?
   - Can it be done prior to the upgrade?
   - Must it be performed after upgrade but before reboot?

Thanks,
~Niels