
Re: [PATCH 1/1] [bug556972-srivasta]: Explicitly allow /selinux and /sys as FHS exceptions



On Fri, Nov 20, 2009 at 12:33:50PM -0600, Manoj Srivastava wrote:
> Hi folks,

>         The report #556972 was filed about a FHS violation in mounting
>  selinuxfs on /selinux, which is accurate. Additionally, /sys does not
>  appear in the FHS either, and is thus in a similar situation. 

>         Now, I can move the mount point in libselinux1, perhaps to
>  /lib/sellinux, but that would make us incompatible with other
>  installations, and cause a large number of needless conflicts with
>  currently installed SELinux. Here is the background:

Wouldn't it make more sense to expose this as a subdirectory of /sys rather
than /lib, since this appears to be a kernel interface?

Why didn't SELinux upstream engage with the FHS, to standardize on something
consistent with the FHS's overall design and guard against such migration
concerns in the first place?

>  2) sysvinit (and upstart, if the patch is accepted) load the security
>     policy for machines where SELinux is enabled, and need to mount
>     selinuxfs to get details of the state of selinux in the
>     kernel. Since /proc is not around when this happens, this is the one
>     place where the distribution default of the selinuxfs mount point is
>     hard coded.

So the one place which hard-codes the mount point is init; but only sysvinit
has this patch, and we have an upcoming transition away from sysvinit to
upstart.  And my understanding is that upstart upstream disagrees with the
principle of hard-coding a particular LSM into init when an initramfs works
just as well - and within the initramfs, things can mount selinuxfs anywhere
they choose, if they unmount again later.

That doesn't sound to me like a major obstacle for a transition in any case,
then?

>  3) The default for fedora, gentoo, and Debian has been /selinux

Where does Red Hat place theirs?


(Incidentally, shouldn't there be a minimum comment period on Policy
proposals?  The seconding requirements are intended to ensure there's
consensus on the change, but this seems to have gone straight to 'pending'
status without much deliberation.)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
