-
Notifications
You must be signed in to change notification settings - Fork 0
Policy Store Migration
In version 2.4 of libsemanage, libsepol, and policycoreutils, the policy module store was moved from /etc/selinux/<store>/modules/
to /var/lib/selinux/<store>/
. Once the libraries are upgraded, all policy stores must be migrated before any commands that modify or use the store (e.g. semodule, semanage) can be executed.
A script was developed to aid this migration, installed to /usr/libexec/selinux/semanage_migrate_store
by default. This script will copy all necessary module information to the new store location. Once migrated, if the <store>
is the default store, the script will attempt to rebuild and install the store. This rebuild can be disabled with the -n
option. Additionally, by default the script will not remove files from the old store. However, if the -c
option is given, the old module store will be deleted after migration.
In addition to the existing policy modules, the list of files migrated includes:
booleans.local
commit_num
disable_dontaudit
files_contexts.local
interfaces.local
nodes.local
ports.local
preserve_tunables
susers
users_extra.local
users.local
Note that the script can be executed multiple times without error. However, once a store is migrated to the new location, running the script again will skip the old store.
# /usr/libexec/selinux/semanage_migrate_store
Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
Attempting to rebuild policy from /var/lib/selinux