Ivan Gyurdiev wrote:
I think moving the local files into the sandbox upon policy update (via %post scriptlet in the policy package) is reasonable, as this is only needed for migration and will not be done subsequently.

I guess at that point we also want to migrate booleans.local, local.users, and install the base module?

Dan, can you add such a script?

- copy /etc/selinux/?/seusers into /etc/selinux/?/modules/active/seusers

fine

- copy /etc/selinux/?/local.users into /etc/selinux/?/modules/active/users.local [ renamed ]

this could potentially be done the same way as booleans below, except that there isn't a user of the user api in libsemanage yet, so that would be written; with seuser handling the vast majority of users now this isn't very high priority.

- copy /etc/selinux/?/booleans.local into /etc/selinux/?/modules/active/booleans.local

not sure about this. It would not be difficult to read the old booleans file and pipe the info through setsebool -p.

- install base module into /etc/selinux/?/modules/active/base.pp (is this managed by rpm?)

the base.pp will be placed in /usr/share/selinux and then be installed via semodule -b.

Yes. But we need to avoid breaking use of semodule -b now via this patch until such a time as the seusers support is in place, so possibly I should just change the error handling here to just WARN and proceed with the reload.

Hmm... that sounds reasonable... I think.
Not even sure a warn is necessary IMO, read other response.
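The file-copy and booleans steps discussed in this message, sketched as an added shell example; it is not the script from the thread or from any policy package. The function names, the `root` parameter (so it can be tried on a scratch tree) and the `name=value` layout of booleans.local are assumptions; the setsebool commands are printed rather than executed, and the base module install via semodule -b is left out.

```shell
#!/bin/sh
# Added example: one-time migration of local SELinux files into the module
# sandbox (modules/active). All function names here are hypothetical.

# migrate_file SRC DST: copy once, keep mode/owner, never overwrite an
# existing sandbox file, and ignore a source that is a symlink.
migrate_file() {
    src=$1; dst=$2
    [ -f "$src" ] && [ ! -L "$src" ] || return 0   # nothing to migrate
    [ -e "$dst" ] && return 0                      # already migrated
    cp -p "$src" "$dst"
}

# booleans_to_setsebool FILE: print one persistent setsebool command per
# "name=value" line (assumed format); malformed lines are skipped, so file
# content never reaches a command line unvalidated.
booleans_to_setsebool() {
    [ -f "$1" ] || return 0
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
    while IFS='=' read -r name value; do
        case "$name" in ''|*[!A-Za-z0-9_]*) continue ;; esac
        case "$value" in 0|1) echo "setsebool -P $name $value" ;; esac
    done
}

# migrate_policy_dir ROOT TYPE: ROOT is "" on a live system, TYPE is the
# policy directory name under /etc/selinux.
migrate_policy_dir() {
    root=$1; type=$2
    old="$root/etc/selinux/$type"
    active="$old/modules/active"
    mkdir -p "$active" || return 1
    migrate_file "$old/seusers" "$active/seusers" || return 1
    migrate_file "$old/local.users" "$active/users.local" || return 1   # renamed
    booleans_to_setsebool "$old/booleans.local"
}
```

Because existing sandbox files are never overwritten, running the scriptlet again on a later package update leaves changes made after the migration intact.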