[DSE-Dev] Bug#707183: debian-policy: Removal of the FHS exception for the /selinux directory

Steve Langasek vorlon at debian.org
Mon Sep 16 04:13:13 UTC 2013


On Mon, Sep 16, 2013 at 11:45:48AM +0900, Charles Plessy wrote:
> Dear all,

> do you think it would make sense to remove the FHS exception for the /selinux
> directory in the next version of the Policy ?

> See the attached patch.

Seconded.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org

> -- Charles Plessy, Tsurumi, Kanagawa, Japan
> 
> On Wed, May 08, 2013 at 09:28:57AM +0900, Charles Plessy wrote:
> > Package: debian-policy
> > Severity: wishlist
> > 
> > Dear all,
> > 
> > in light of the message below, maybe the exception to the FHS for
> > <file>/selinux</file> can be removed from the Policy in the future ?
> > 
> > Cheers
> > 
> > -- Charles
> > 
> > ----- Forwarded message from Laurent Bigonville <bigon at debian.org> -----
> > 
> > Date: Tue, 7 May 2013 16:51:41 +0200
> > From: Laurent Bigonville <bigon at debian.org>
> > To: debian-devel at lists.debian.org
> > Cc: selinux-devel at lists.alioth.debian.org
> > Subject: Removal of the /selinux directory
> > Message-ID: <20130507165141.1bbecac6 at soldur.bigon.be>
> > X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.10; x86_64-pc-linux-gnu)
> > 
> > Hello,
> > 
> > I'm planning to upload a new version of libselinux in unstable
> > soon. This new version is dropping the /selinux directory that was used
> > in the past as the selinuxfs mountpoint.
> > 
> > Since Wheezy, the library is mounting selinuxfs under /sys/fs/selinux,
> > and falling back to /selinux if the former is not available during
> > early boot.
> > 
> > All the selinux userspace tools and libraries should already be aware of
> > this change. If you have packages that directly mount or manipulate
> > the selinuxfs, you should probably check that it uses the correct paths
> > (i.e. piupart, bug #682068).
> > 
> > I'm intentionally not forcing the migration to the new mountpoint nor
> > forcing the deletion of the directory on upgrade as, in my mind, if a
> > Wheezy machine is still using the old mountpoint that might be for
> > perfectly valid reasons and the package shouldn't touch it.
> > A discussion has already been initiated on the bug report, see: #658070.
> > 
> > Any remark on this?
> > 
> > Cheers
> > 
> > Laurent Bigonville
> > 
> > 
> > 
> > ----- End forwarded message -----

> From 34425d568113c741aa9f290069c6450d908f954c Mon Sep 17 00:00:00 2001
> From: Charles Plessy <plessy at debian.org>
> Date: Mon, 16 Sep 2013 11:43:02 +0900
> Subject: [PATCH] Policy: Remove the exception to the FHS for the /selinux
>  directory.
> 
> Wording: Charles Plessy <plessy at debian.org>
> Closes: #707183
> ---
>  policy.sgml | 17 ++++++++---------
>  1 file changed, 8 insertions(+), 9 deletions(-)
> 
> diff --git a/policy.sgml b/policy.sgml
> index 2708242..90ae9fe 100644
> --- a/policy.sgml
> +++ b/policy.sgml
> @@ -7021,15 +7021,14 @@ Built-Using: grub2 (= 1.99-9), loadlin (= 1.6e-1)
>  		  stable release of Debian supports <file>/run</file>.
>  		</p>
>  	      </item>
> -              <item>
> -                <p>
> -                  The following directories in the root filesystem are
> -                  additionally allowed: <file>/sys</file> and
> -                  <file>/selinux</file>. <footnote>These directories
> -                  are used as mount points to mount virtual filesystems
> -                  to get access to kernel information.</footnote>
> -                </p>
> -              </item>
> +	      <item>
> +		<p>
> +		  The <file>/sys</file> in the root filesystem is additionally
> +		  allowed. <footnote>This directory is used as mount point to
> +		    mount virtual filesystems to get access to kernel
> +		    information.</footnote>
> +		</p>
> +	      </item>
>  	      <item>
>  		<p>
>  		  On GNU/Hurd systems, the following additional
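Review bot: the new wording in the added <item> drops the noun: "The <file>/sys</file> in the root filesystem is additionally allowed" should read "The <file>/sys</file> directory in the root filesystem is additionally allowed." The footnote has the same problem in the singular: "used as mount point" should be "used as a mount point" (the removed text had the plural "mount points", which was correct for two directories). Switching the item's indentation from spaces to tabs matches the neighbouring <item> blocks, so that change is fine.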
> -- 
> 1.8.4.rc3
> 
