Policy Store Migration

Steve Lawrence edited this page Aug 15, 2014 · 1 revision

In version 2.4 of libsemanage, libsepol, and policycoreutils, the policy module store was moved from /etc/selinux/<store>/modules/ to /var/lib/selinux/<store>/. Once the libraries are upgraded, all policy stores must be migrated before any commands that modify or use the store (e.g. semodule, semanage) can be executed.

A script was developed to aid this migration, installed to /usr/libexec/selinux/semanage_migrate_store by default. This script will copy all necessary module information to the new store location. Once migrated, if the <store> is the default store, the script will attempt to rebuild and install the store. This rebuild can be disabled with the -n option. Additionally, by default the script will not remove files from the old store. However, if the -c option is given, the old module store will be deleted after migration.

In addition to the existing policy modules, the list of files migrated includes:

  • booleans.local
  • commit_num
  • disable_dontaudit
  • files_contexts.local
  • interfaces.local
  • nodes.local
  • ports.local
  • preserve_tunables
  • susers
  • users_extra.local
  • users.local

Note that the script can be executed multiple times without error. However, once a store is migrated to the new location, running the script again will skip the old store.

Example

# /usr/libexec/selinux/semanage_migrate_store
Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
Attempting to rebuild policy from /var/lib/selinux
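As an added example (not part of this wiki page or of the semanage_migrate_store script), the following POSIX shell check confirms that each of the local-configuration files listed above that exists in the old store was copied unchanged to the new store, so an administrator can verify the migration before re-running the script with -c to delete the old store. The store paths are those shown in the example output above; policy modules are not compared because the new store lays them out differently.

```shell
#!/bin/sh
# Added example, not the project's own code: verify that a policy store
# migration copied the local-configuration files from the old store
# (/etc/selinux/<store>/modules/active) to the new one
# (/var/lib/selinux/<store>/active) with identical contents.

# Files the migration script carries over, as listed on the wiki page.
MIGRATED_FILES="booleans.local commit_num disable_dontaudit files_contexts.local
interfaces.local nodes.local ports.local preserve_tunables susers
users_extra.local users.local"

# verify_store_migration OLD_DIR NEW_DIR
# Returns 0 when every listed file present in OLD_DIR also exists in NEW_DIR
# with identical contents; otherwise reports each problem on stderr and
# returns 1. Files absent from the old store are skipped, since not every
# store has every file (e.g. no booleans.local if none were ever set).
verify_store_migration() {
    old="$1"
    new="$2"
    status=0
    for f in $MIGRATED_FILES; do
        [ -e "$old/$f" ] || continue
        if [ ! -e "$new/$f" ]; then
            echo "MISSING: $f was not copied to $new" >&2
            status=1
        elif ! cmp -s "$old/$f" "$new/$f"; then
            echo "DIFFERS: $f content differs between $old and $new" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone use: check the default targeted store when the old store is
# still present (paths as in the migration script's output above).
if [ -d /etc/selinux/targeted/modules/active ]; then
    verify_store_migration /etc/selinux/targeted/modules/active \
                           /var/lib/selinux/targeted/active \
        && echo "targeted store migration verified"
fi
```

A non-zero exit means the old store should not yet be removed with -c; re-run the migration script (it can be run repeatedly) and check again.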