[DSE-Dev] Bug#805492: /var/lib

Laurent Bigonville bigon at debian.org
Tue Mar 8 17:40:47 UTC 2016

On 29/02/16 03:46, Russell Coker wrote:
> On Mon, 29 Feb 2016 02:47:04 AM Laurent Bigonville wrote:
>> On 28/02/16 11:05, Russell Coker wrote:
>>>> the easiest would be to do like fedora and install the modules directly
>>>> in the /var/lib/selinux/<policy>/100 store instead of copying/loading
>>>> them at installation time
>>> Do you mean having files in the package under /var/lib?  If so that seems
>>> like a FHS violation.  Why not just keep them under /usr/share/selinux
>>> and symlink them?
>> There are a lot of packages that ship files in /var/lib.
> I'm sure that you can find many ways in which there are a lot of broken
> packages in Debian or in any other distribution.  That said if we have a
> strong precedent in Debian for doing things a certain way it is an argument
> for doing more of the same.
>> Are you sure you are not thinking about /var/run?
> https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
> # State information. Persistent data modified by programs as they run, e.g.,
> # databases, packaging system metadata, etc.
> The above section from the above URL suggests that package maintained files
> aren't suitable.
> The description of /usr is:
> # Secondary hierarchy for read-only user data; contains the majority of
> # (multi-)user utilities and applications.
> For /usr/share it says:
> # Architecture-independent (shared) data.
> I think that /usr/share is the best place for it.  If /var/lib has symlinks
> into /usr/share then files which aren't changed can be replaced by a package
> upgrade while files that are modified by utilities can stay modified.
Well, one could argue that the store is "Persistent data modified by 
programs as they run" and that we set defaults for this store by 
installing files from the package.

The new store format is actually the following:

/var/lib/selinux/<policy_name>/100/... << modules shipped by the 
/var/lib/selinux/<policy_name>/400/... << modules loaded by the user 
using semodule (the priority can be changed on the cmd line)

So by default the user shouldn't interfere with the files we are 
shipping; we could add a warning in the NEWS or README file to warn the 
user about this.

BTW, the files in this new store are not in the same format (HLL) as the 
(.pp) files shipped currently in /usr/lib/selinux; they are processed by 
a "compiler" (/usr/lib/selinux/hll/pp) and stored in the CIL format in 
/var/lib/selinux/<policy_name>/..., so we cannot simply link the files 
from /usr/share/selinux to /var/lib/selinux.

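As an added illustration of the priority rule the mail describes (not code from the thread, from Debian or from the SELinux tooling), a small Python model of the two-level store: the directory layout is the simplified `<policy_name>/<priority>/` one from the mail, the module names and CIL bodies are constructed, and the helper names are hypothetical.

```python
import os
import tempfile

# Simplified layout taken from the mail: <store>/<policy_name>/<priority>/<module>.cil
# (the real libsemanage tree is deeper, but the rule modelled here is the same:
# for one module name, the copy at the highest priority is the active one).
PACKAGE_PRIORITY = 100  # modules shipped by the distribution package
USER_PRIORITY = 400     # modules loaded with a plain `semodule -i`


def build_store(root, policy_name, modules):
    """Create a constructed store tree; `modules` maps priority -> module names."""
    for priority, names in modules.items():
        prio_dir = os.path.join(root, policy_name, str(priority))
        os.makedirs(prio_dir, exist_ok=True)
        for name in names:
            with open(os.path.join(prio_dir, name + ".cil"), "w") as fh:
                fh.write(f"(typeattribute {name}_t)\n")  # placeholder CIL body
    return os.path.join(root, policy_name)


def active_modules(policy_dir):
    """Return {module_name: priority} for the copy of each module that wins."""
    winners = {}
    for entry in os.listdir(policy_dir):
        if not entry.isdigit():          # ignore anything that is not a priority dir
            continue
        priority = int(entry)
        for fname in os.listdir(os.path.join(policy_dir, entry)):
            if fname.endswith(".cil"):
                name = fname[:-4]
                if priority > winners.get(name, -1):
                    winners[name] = priority
    return winners


def shadowed_package_modules(policy_dir):
    """Package-shipped (100) modules overridden by a higher-priority copy.

    The package files are untouched on disk; they simply stop being active."""
    winners = active_modules(policy_dir)
    pkg_dir = os.path.join(policy_dir, str(PACKAGE_PRIORITY))
    shipped = {f[:-4] for f in os.listdir(pkg_dir)} if os.path.isdir(pkg_dir) else set()
    return sorted(n for n in shipped if winners.get(n, 0) > PACKAGE_PRIORITY)


def demo():
    """Constructed store: a user override of 'apache' at 400 beside package modules at 100."""
    policy_dir = build_store(tempfile.mkdtemp(), "default",
                             {PACKAGE_PRIORITY: ["apache", "ssh", "cups"],
                              USER_PRIORITY: ["apache", "local_custom"]})
    return active_modules(policy_dir), shadowed_package_modules(policy_dir)
```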