Policy Store Migration
In version 2.4 of libsemanage, libsepol, and policycoreutils, the policy module store was moved from /etc/selinux/<store>/modules/ to /var/lib/selinux/<store>/. Once the libraries are upgraded, all policy stores must be migrated before any commands that modify or use the store (e.g. semodule, semanage) can be executed.
A script was developed to aid this migration, installed to /usr/libexec/selinux/semanage_migrate_store by default. This script will copy all necessary module information to the new store location. Once migrated, if the <store> is the default store, the script will attempt to rebuild and install the store. This rebuild can be disabled with the -n option. Additionally, by default the script will not remove files from the old store. However, if the -c option is given, the old module store will be deleted after migration.
In addition to the existing policy modules, the list of files migrated includes:
- booleans.local
- commit_num
- disable_dontaudit
- file_contexts.local
- interfaces.local
- nodes.local
- ports.local
- preserve_tunables
- seusers
- users_extra.local
- users.local
Note that the script can be executed multiple times without error. However, once a store is migrated to the new location, running the script again will skip the old store.
```
# /usr/libexec/selinux/semanage_migrate_store
Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
Attempting to rebuild policy from /var/lib/selinux
```
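A check worth running before the -c option deletes the old store, given here as an added example that is not part of the original page or of the SELinux tooling: it compares each file from the list above between the old and new store locations and reports any that are missing or differ. The function name and the optional root-directory arguments are assumptions, added so it can be exercised against a scratch tree; it is intended for use right after a migration run with -n, before anything else modifies the new store.

```shell
#!/bin/sh
# Added example (not the project's code): confirm that local customizations
# reached the new policy store before the old store is removed with -c.
# Usage: check_store_migration <store> [old_root] [new_root]
# old_root and new_root are hypothetical overrides used for testing.

# File list taken from the page.
MIGRATED_FILES="booleans.local commit_num disable_dontaudit file_contexts.local
interfaces.local nodes.local ports.local preserve_tunables seusers
users_extra.local users.local"

check_store_migration() {
    store=$1
    old="${2:-/etc/selinux}/$store/modules/active"
    new="${3:-/var/lib/selinux}/$store/active"
    problems=0

    if [ ! -d "$old" ]; then
        echo "$store: no old store at $old, nothing to compare"
        return 0
    fi
    if [ ! -d "$new" ]; then
        echo "$store: NOT MIGRATED, $new does not exist"
        return 2
    fi

    for f in $MIGRATED_FILES; do
        # Not every store has every file; only check what the old store had.
        [ -e "$old/$f" ] || continue
        if [ ! -e "$new/$f" ]; then
            echo "$store: MISSING $f"
            problems=$((problems + 1))
        elif ! cmp -s "$old/$f" "$new/$f"; then
            echo "$store: DIFFERS $f"
            problems=$((problems + 1))
        else
            echo "$store: ok      $f"
        fi
    done

    [ "$problems" -eq 0 ] && return 0
    return 1
}

# Run directly when a store name is given on the command line.
if [ "$#" -gt 0 ]; then check_store_migration "$@"; fi
```

A return status of 0 means every file found in the old store is present and identical in the new one; 1 means at least one is missing or differs; 2 means the new store directory does not exist.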