selinux January 2010 archive

Re: [PATCH 04/13] libsemanage: split final files into /var/lib/selinux/tmp

From: Stephen Smalley <sds_at_nospam>
Date: Fri Jan 08 2010 - 14:30:58 GMT
To: Caleb Case <ccase@tresys.com>


On Wed, 2009-12-23 at 18:25 -0500, Caleb Case wrote:
> This patch moves the final files from inside
> /var/lib/selinux/<store>/[active|previous|tmp] to
> /var/lib/selinux/tmp/<store>. The move is done to facilitate using
> source control management on the /var/lib/selinux/<store> directory. If
> these files remain in /var/lib/selinux/<store> they will pose a size
> problem if an SCM like git is used as we'd be storing lots of binary
> diffs. We are suggesting making this change now, rather than later when
> source policy, SCM, and CIL[1] support are available, to ease the
> migration burden.
>
> These are the files that have been moved:
>
> /var/lib/selinux/<store>/active/...   /var/lib/selinux/tmp/<store>/...
>
> file_contexts                         contexts/files/file_contexts
> file_contexts.homedirs                contexts/files/file_contexts.homedirs
> file_contexts.local                   contexts/files/file_contexts.local
> netfilter_contexts                    contexts/netfilter_contexts
> policy.kern                           policy/policy.<policyversion>
> seusers.final                         seusers
>
> The layout of these files in /var/lib/selinux/tmp/<store> is designed to
> mirror their locations in /etc/selinux/<store>. This should help clarify
> the relationship between these final files and the files installed in
> etc.
>
> One consequence of this move is that reverting to the previous policy
> version requires a policy rebuild. Currently you can revert without
> rebuilding.

That seems a little worrisome to me, as a rebuild might fail, e.g. what happens if we abort a transaction due to a lack of disk space and then try to revert, requiring a rebuild, only to run out of space during the rebuild?

--
Stephen Smalley
National Security Agency