Re: F40 Change Proposal: Move /var/run selinux-policy entries to /run (Self-Contained)

Prior art in https://github.com/fedora-selinux/selinux-policy/pull/243 for reference

Christian Glombek (he/him)

Senior Software Engineer

Red Hat GmbH

cglombek@xxxxxxxxxx

Red Hat GmbH, Registered seat: Werner-von-Siemens-Ring 12, D-85630 Grasbrunn, Germany  
Commercial register: Amtsgericht München/Munich, HRB 153243,
Managing Directors: Ryan Barnhart, Charles Cachera, Michael O'Neill, Amy Ross 


On Sun, Dec 24, 2023 at 3:52 PM Aoife Moloney <amoloney@xxxxxxxxxx> wrote:
wiki -> https://fedoraproject.org/wiki/Changes/Move_var_run_selinux_policy_entries_to_run

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
The actual path for system runtime files moved from /var/run to /run some
10 years ago [1], but the policy has been managed since then in a way
that keeps the old entries and still has updates with the incorrect
path, while the real path is handled by the file equivalency feature. This
can confuse sysadmins, who may not be sure which path should actually be
used, and can also result in userspace tools not working properly [2].

[1] https://fedoraproject.org/wiki/Features/UsrMove

[2] https://bugzilla.redhat.com/show_bug.cgi?id=2241366

== Owner ==
* Name: Zdenek Pytela
* Email: zpytela@xxxxxxxxxx


== Detailed Description ==
The change actually means just replacing the "/run = /var/run"
file-context equivalency rule with "/var/run = /run". While the
change as such is quite simple, it can have an effect on other components
using their own selinux policy with file-context entries.

== Feedback ==

== Benefit to Fedora ==
Removing technical debt which originated 10 years ago.
More straightforward handling of file-context entries in the /run filesystem.


== Scope ==
* Proposal owners:
** Add all relevant patches to upstream repository
** Ensure the system boots with the targeted policy
** Ensure the system boots with the mls policy
** Ensure updates from older releases work, more specifically with
custom selinux packages installed.

* Other developers:
** Developers of custom selinux policies need to confirm system updates work.

* Release engineering: [https://pagure.io/releng/issues #Releng issue
number] (a check of an impact with Release Engineering is needed)

* Policies and guidelines: No update required.

* Trademark approval: N/A (not needed for this Change)

* Alignment with Objectives:


== Upgrade/compatibility impact ==
Users can be affected by this change if they use a local policy with
file-context entries in /run, which occurs quite rarely but is
possible.



== How To Test ==
* Install a new system and check for error messages and audit records.
* Update an existing system and check if all updates completed without an error.
* Optionally, install and boot the selinux-policy-mls package.
* Check for errors reported by dnf or rpm.



== User Experience ==
There should be no visible change for end users.

The change should be transparent, without any further action needed on
the system. System admins may need to take action based on
compatibility with the changes.


== Dependencies ==
Components with a custom selinux policy: container-selinux, pcp, cockpit

== Contingency Plan ==
* Contingency mechanism: Revert all changes in case of serious
problems with updates.
* Contingency deadline: 2024-02-06 (Branch Fedora Linux 40 from Rawhide)
* Blocks release? No
* Blocks product? No

== Documentation ==
To be added later.

== Release Notes ==



--
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney
--
_______________________________________________
devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
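To make the compatibility impact of flipping the equivalence rule concrete, here is an added example (not code from the proposal, the selinux-policy project, or libselinux). It models the file-context equivalence mechanism the proposal changes: a subs file in the `<alias> <target>` layout this example assumes rewrites the leading path component before `file_contexts` is consulted, and the rewritten path is then matched against anchored regex entries, with the last matching entry winning (both the layout and the match order are simplifications assumed here; file type qualifiers such as `--` are parsed but not enforced). The "foo" policy, its type `foo_var_run_t`, and all paths are constructed. `stale_entries()` is the check a maintainer of a custom policy would want: it reports entries whose literal prefix is itself rewritten by an equivalence rule, since such a regex can never match any lookup.

```python
import re
from typing import List, Optional, Tuple

# Constructed subs lines in the assumed "<alias> <target>" layout.
# Current rule ("/run = /var/run"): lookups under /run are rewritten to /var/run.
SUBS_BEFORE = "/run /var/run\n"
# Proposed rule ("/var/run = /run"): lookups under /var/run are rewritten to /run.
SUBS_AFTER = "/var/run /run\n"

# Constructed file_contexts snippets for a hypothetical custom "foo" policy:
# one written the legacy way (/var/run) and one migrated to /run.
FC_LEGACY = r"""
/var/run/foo(/.*)?        system_u:object_r:foo_var_run_t:s0
/var/run/foo\.pid    --   system_u:object_r:foo_var_run_t:s0
"""
FC_MIGRATED = r"""
/run/foo(/.*)?            system_u:object_r:foo_var_run_t:s0
/run/foo\.pid        --   system_u:object_r:foo_var_run_t:s0
"""

Spec = Tuple[str, "re.Pattern[str]", Optional[str], str]


def parse_subs(text: str) -> List[Tuple[str, str]]:
    """Parse '<alias> <target>' lines; longest alias first so the most
    specific prefix wins (assumed matching order)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alias, target = line.split()
        rules.append((alias.rstrip("/"), target.rstrip("/")))
    rules.sort(key=lambda r: len(r[0]), reverse=True)
    return rules


def substitute(path: str, rules: List[Tuple[str, str]]) -> str:
    """Rewrite a leading alias to its target, on a path-component boundary only
    (so '/runfoo' is not touched by a '/run' rule)."""
    for alias, target in rules:
        if path == alias or path.startswith(alias + "/"):
            return target + path[len(alias):]
    return path


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse 'regex [ftype] context' lines into anchored patterns."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            regex, ctx = parts
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append((regex, re.compile(regex + r"\Z"), ftype, ctx))
    return specs


def lookup(path: str, subs_text: str, fc_text: str) -> Optional[str]:
    """Label a path: apply the equivalence rewrite, then take the last
    matching file_contexts entry (assumed precedence); None if unlabeled."""
    canonical = substitute(path, parse_subs(subs_text))
    ctx = None
    for _, pattern, _, context in parse_file_contexts(fc_text):
        if pattern.match(canonical):
            ctx = context
    return None if ctx == "<<none>>" else ctx


_META = set(r".*?+()[]{}|^$\\")


def literal_prefix(regex: str) -> str:
    """Leading part of a regex with no metacharacters, e.g. '/var/run/foo'."""
    prefix = []
    for ch in regex:
        if ch in _META:
            break
        prefix.append(ch)
    return "".join(prefix)


def stale_entries(fc_text: str, subs_text: str) -> List[str]:
    """Entries whose literal prefix is rewritten by an equivalence rule:
    every lookup is moved away from that prefix, so they can never match."""
    rules = parse_subs(subs_text)
    return [regex for regex, _, _, _ in parse_file_contexts(fc_text)
            if substitute(literal_prefix(regex), rules) != literal_prefix(regex)]


if __name__ == "__main__":
    cases = (("before change, legacy entries", SUBS_BEFORE, FC_LEGACY),
             ("after change, legacy entries", SUBS_AFTER, FC_LEGACY),
             ("after change, migrated entries", SUBS_AFTER, FC_MIGRATED))
    for title, subs, fc in cases:
        print(title)
        for p in ("/run/foo/ctl.sock", "/var/run/foo.pid"):
            print(f"  {p:20} -> {lookup(p, subs, fc)}")
        print("  stale entries:", stale_entries(fc, subs))
```

Running it shows the three situations the proposal describes: today a legacy /var/run entry labels both spellings of the path; after the flip the same legacy entry labels nothing and is reported as stale; once the entry is rewritten to /run, both spellings are labeled again. Running `stale_entries()` over a custom policy's `.fc` file against the new rule is the cheap pre-upgrade check before relying on the audit log and dnf/rpm errors listed under "How To Test".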
