selinux January 2010 archive
Main Archive Page > Month Archives  > selinux archives
selinux: Re: [PATCH 13/13] semanage store migration script

Re: [PATCH 13/13] semanage store migration script

From: James Carter <jwcart2_at_nospam>
Date: Fri Jan 08 2010 - 20:59:36 GMT
To: Stephen Smalley <>

On Fri, 2010-01-08 at 10:34 -0500, Stephen Smalley wrote:
> On Wed, 2009-12-23 at 18:26 -0500, Caleb Case wrote:
> > We created a migration script to ease the burden of transition from the
> > old libsemanage store layout to the new. The script will detect all the
> > stores in /etc/selinux using the old layout and convert them to the new
> > layout in /var/lib/selinux. It also allows you to specify the default
> > priority to use with -p and store to operate on with -s. After migration
> > the script by default will leave the old store unchanged, but can be
> > told to remove the old modules directory with -c.
> >
> > Examples:
> >
> > # Migrate all stores to the new layout.
> >
> >
> > Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
> > Attempting to rebuild policy from /var/lib/selinux
> >
> > # Migrate only the targeted store.
> > -s targeted
> >
> > Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
> > Attempting to rebuild policy from /var/lib/selinux
> >
> > # Migrate all, but install to priority 150.
> > -p 150
> >
> > Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
> > Attempting to rebuild policy from /var/lib/selinux
> I tried the following:
> semanage login -a -s user_u pi
> cp -a /etc/selinux /etc/selinux.orig
> install new userland
> diff -ru /etc/selinux.orig /etc/selinux
> The seusers entry for "pi" was dropped from the final seusers file in
> the rebuilt policy.

I saw the same thing. I added a new login, but it does not show up after the migration with "semanage login -l" even though it is in /var/lib/selinux/targeted/active/seusers and

booleans, ports, file contexts, and permissive domains all show up after the migration, but there are some other issues.

  1. For booleans I am getting this error:

# semanage boolean --on git_system_use_cifs Traceback (most recent call last):
  File "/usr/sbin/semanage", line 460, in <module>     process_args(sys.argv[1:])
  File "/usr/sbin/semanage", line 407, in process_args     raise ValueError(_("Invalid command") % " ".join(argv)) TypeError: not all arguments converted during string formatting

2) Either the priority stuff doesn't work or I am doing something wrong. Shouldn't either of the following not display any modules since they are all at priority 100?

"semodule -p 900 -l" or "semodule -p 900; semodule -l"

Both display all modules.

3) I can't remove the permissive domain created before the migration because the default priority level is 400, but the script put everything at priority 100 and I don't know how to change the priority for semanage.

# semanage permissive -d httpd_t
libsemanage.semanage_direct_remove_key: Unable to remove module directory /var/lib/selinux/targeted/tmp/modules/400/permissive_httpd_t. (No such file or directory).
/usr/sbin/semanage: Could not remove permissive domain httpd_t (remove failed)

Ports and file contexts addition and removal seems to work fine. -- James Carter <> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to with the words "unsubscribe selinux" without quotes as the message.