projects

Fedora change - SELinux policy store migration

https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration

SELinux userspace update

prepare builds

https://copr.fedoraproject.org/coprs/plautrba/selinux

secilc package

migrate script

  1. find non-distribution modules
  2. migrate them to the new store using semodule -i
  3. rebuild and reload policy
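
The three steps above as a shell script. This is an added example, not the migrate script Fedora ships. It assumes the old store keeps modules as <name>.pp files (e.g. under /etc/selinux/targeted/modules/active/modules) and that a file lists the distribution module names one per line; the function names and the SEMODULE override are hypothetical.

```shell
#!/bin/sh
# Added example: migrate non-distribution modules from the old policy store.
# Assumed layout: <old_store>/<name>.pp; <dist_list> has one module name per line.

SEMODULE=${SEMODULE:-semodule}   # overridable so the logic can be dry-run

# Step 1: print the path of every module in the old store whose name is
# not in the distribution list (exact, whole-line match).
find_local_modules() {
    old_store=$1
    dist_list=$2
    for pp in "$old_store"/*.pp; do
        [ -e "$pp" ] || continue              # empty store: glob did not match
        name=$(basename "$pp" .pp)
        grep -qxF -- "$name" "$dist_list" || printf '%s\n' "$pp"
    done
}

# Steps 2 and 3: install each local module into the new store without
# reloading (-n), then rebuild and reload once (-B). If any install
# fails, report it and return non-zero without reloading.
migrate_local_modules() {
    list=$(find_local_modules "$1" "$2")
    [ -n "$list" ] || return 0                # nothing local to migrate
    rc=0
    while IFS= read -r pp; do
        "$SEMODULE" -n -i "$pp" || {
            echo "migration failed for $pp" >&2
            rc=1
        }
    done <<EOF
$list
EOF
    [ "$rc" -eq 0 ] || return 1
    "$SEMODULE" -B
}

# Usage (paths are assumptions, adjust to the policy type in use):
#   migrate_local_modules /etc/selinux/targeted/modules/active/modules dist-modules.lst
```
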

tests

use virtual host
  1. set up a virtual host, e.g. Fedora cloud according to http://www.projectatomic.io/docs/quickstart/ chapter "Logging In To Your Atomic Machine"

    for a static network configuration you can use

    $ cat meta-data
    instance-id: id-fedora-cloud
    local-hostname: fedora-cloud
    network-interfaces: |
      iface eth0 inet static
      address 192.168.122.41
      network 192.168.122.0
      netmask 255.255.255.0
      broadcast 192.168.122.255
      gateway 192.168.122.1
  2. download https://plautrba.fedorapeople.org/selinux/tests-covering-SELinuxPolicyStoreMigration-change/
  3. make run

simple update test
  1. disable a random module, set a random boolean, make a random login change
  2. check the set of modules, booleans, users, ... in the distribution package
  3. update the selinux-policy-targeted package
  4. check if the userspace packages are updated
  5. check if the SELinux state is the same as before the update
  6. same, but update userspace and check if selinux-policy is updated
update test with local modification
  1. create and install a module
  2. steps 2. - 5. of the simple update test
install and update from selinux=0
  1. set SELinux disabled
  2. install/update packages
  3. try to reboot and do sanity checks
export and import modifications
  1. semanage export -f semanage.mods
  2. update
  3. check if the modifications persist
  4. try to import the modifications

selinux-policy packages with migrated store

tests

CIL rewrite

rewrite tools to support CIL

SELinux integration

abrt

anaconda

cockpit

desktops