Policy Store Migration

Steve Lawrence edited this page Aug 15, 2014 · 1 revision

In version 2.4 of libsemanage, libsepol, and policycoreutils, the policy module store was moved from /etc/selinux/<store>/modules/ to /var/lib/selinux/<store>/. Once the libraries are upgraded, all policy stores must be migrated before any commands that modify or use the store (e.g. semodule, semanage) can be executed.

A script was developed to aid this migration, installed to /usr/libexec/selinux/semanage_migrate_store by default. This script will copy all necessary module information to the new store location. Once migrated, if the <store> is the default store, the script will attempt to rebuild and install the store. This rebuild can be disabled with the -n option. Additionally, by default the script will not remove files from the old store. However, if the -c option is given, the old module store will be deleted after migration.

In addition to the existing policy modules, the list of files migrated includes:

  • booleans.local
  • commit_num
  • disable_dontaudit
  • file_contexts.local
  • interfaces.local
  • nodes.local
  • ports.local
  • preserve_tunables
  • seusers
  • users_extra.local
  • users.local

Note that the script can be executed multiple times without error. However, once a store is migrated to the new location, running the script again will skip the old store.

Example

# /usr/libexec/selinux/semanage_migrate_store
Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
Attempting to rebuild policy from /var/lib/selinux
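The following is an added example, not part of this wiki page and not code from the semanage_migrate_store script. It shows a pre-removal check a practitioner might run before using the -c option: for each of the local configuration files listed above, confirm that the copy in the new store exists and is byte-identical to the one in the old store. The directory trees under the mktemp root and the file contents are constructed for the demonstration; on a real system the two locations are /etc/selinux/<store>/modules/active and /var/lib/selinux/<store>/active.

```shell
#!/bin/sh
# Added example: verify that the per-store local configuration files were
# copied intact from the old policy store to the new one before the old copy
# is deleted. Not part of the original page or of semanage_migrate_store.

# The files the migration script copies in addition to the policy modules
# (names taken from the page's list).
MIGRATED_FILES="booleans.local commit_num disable_dontaudit file_contexts.local \
interfaces.local nodes.local ports.local preserve_tunables seusers \
users_extra.local users.local"

# check_store_migration OLD_ACTIVE NEW_ACTIVE
# Prints one line per file that exists in OLD_ACTIVE but is missing from, or
# differs in, NEW_ACTIVE. Returns 0 only when every file present in the old
# store has an identical copy in the new store.
check_store_migration() {
    csm_old="$1"
    csm_new="$2"
    csm_status=0
    for f in $MIGRATED_FILES; do
        # Files absent from the old store have nothing to migrate.
        [ -f "$csm_old/$f" ] || continue
        if [ ! -f "$csm_new/$f" ]; then
            echo "MISSING: $f (present in $csm_old, absent in $csm_new)"
            csm_status=1
        elif ! cmp -s "$csm_old/$f" "$csm_new/$f"; then
            echo "DIFFERS: $f (contents differ between old and new store)"
            csm_status=1
        fi
    done
    return $csm_status
}

# build_demo_stores ROOT
# Constructed fixture: creates an old and a new "targeted" store under ROOT,
# writes every migrated file into the old store, and copies all of them except
# seusers into the new one to simulate an incomplete migration.
build_demo_stores() {
    bds_old="$1/etc/selinux/targeted/modules/active"
    bds_new="$1/var/lib/selinux/targeted/active"
    mkdir -p "$bds_old" "$bds_new"
    for f in $MIGRATED_FILES; do
        printf 'constructed contents of %s\n' "$f" > "$bds_old/$f"
    done
    for f in $MIGRATED_FILES; do
        [ "$f" = seusers ] || cp "$bds_old/$f" "$bds_new/$f"
    done
}

# Stand-alone demonstration on the constructed fixture.
demo_root=$(mktemp -d)
build_demo_stores "$demo_root"
demo_old="$demo_root/etc/selinux/targeted/modules/active"
demo_new="$demo_root/var/lib/selinux/targeted/active"
if check_store_migration "$demo_old" "$demo_new"; then
    echo "OK: all local configuration files are present in the new store"
else
    echo "Incomplete: do not remove the old store (-c) until the files above are copied"
fi
rm -rf "$demo_root"
```

On a real host, call check_store_migration with the two active directories of each store under /etc/selinux and /var/lib/selinux after running the migration script without -c; only once it returns 0 for every store is it safe to let the old copy go. The check deliberately compares contents with cmp rather than only testing for existence, so a truncated or stale copy is reported as DIFFERS instead of passing silently.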