Hi folks,

        The report #556972 was filed about an FHS violation in mounting
 selinuxfs on /selinux, which is accurate. Additionally, /sys does not
 appear in the FHS either, and is thus in a similar situation.

        Now, I can move the mount point in libselinux1, perhaps to
 /lib/selinux, but that would make us incompatible with other
 installations, and cause a large number of needless conflicts with
 currently installed SELinux. Here is the background:

 1) There are a lot of instances of programs looking things up in
    selinuxfs (indirectly through libselinux). Most of these instances
    look through /proc/mounts to discover where selinuxfs is mounted,
    and thus do not care about the actual location.
 2) sysvinit (and upstart, if the patch is accepted) load the security
    policy for machines where SELinux is enabled, and need to mount
    selinuxfs to get details of the state of SELinux in the
    kernel. Since /proc is not around when this happens, this is the one
    place where the distribution default of the selinuxfs mount point is
    hard coded.
 3) The default for Fedora, Gentoo, and Debian has been /selinux.
 4) Lots of people have also set up /etc/fstab to mount selinuxfs on
    /selinux.
 5) There are user scripts that assume they can look into /selinux on
    SELinux enabled machines, and this is a lot of things to change.

This patch explicitly allows /sys and /selinux as additional
directories in the root file system allowed under the policy.

Signed-off-by: Manoj Srivastava <sriva...@debian.org>
---
 policy.sgml |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/policy.sgml b/policy.sgml
index 34a45d5..b8b97f4 100644
--- a/policy.sgml
+++ b/policy.sgml
@@ -5638,6 +5638,15 @@ libbar 1 bar1 (>= 1.0-1)
                   symlinked there, is relaxed to a recommendation.
                 </p>
               </item>
+              <item>
+                <p>
+                  The following directories in the root filesystem are
+                  additionally allowed: <file>/sys</file> and
+                  <file>/selinux</file>. <footnote>These directories
+                  are used as mount points to mount virtual filesystems
+                  to get access to kernel information.</footnote>
+                </p>
+              </item>
             </enumlist>
 
           </p>
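Review bot: In the added <item>, the purpose of /sys and /selinux is stated only inside the <footnote>, so the normative sentence permits them as ordinary root directories with no constraint on their use. Consider moving the restriction into the paragraph itself, for example "are additionally allowed as mount points for virtual filesystems", and naming the filesystem each one is for (selinuxfs on /selinux, per the message above). The footnote also starts after the sentence's period and a space ("</file>. <footnote>"); attach it directly to the text it annotates so the marker does not float after the full stop.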
-- 
1.6.5.3
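The lookup described in points 1 and 2 of the message, as an added example that is not part of the original mail and is not libselinux's own code: scan /proc/mounts-format text for a selinuxfs entry and fall back to the hard-coded /selinux default when /proc is unavailable. The function name `selinuxfs_mountpoint` is hypothetical and the sample mount lines are constructed.

```c
#include <stdio.h>
#include <string.h>

#define SELINUXFS_DEFAULT "/selinux" /* distribution default named in the message */
/* Decode the \ooo octal escapes /proc/mounts uses for space, tab, newline, backslash. */
static void unescape(char *s)
{
    char *w = s;
    for (; *s; s++, w++) {
        if (s[0] == '\\' && s[1] >= '0' && s[1] <= '3' && s[2] >= '0' &&
            s[2] <= '7' && s[3] >= '0' && s[3] <= '7') {
            *w = (char)((s[1] - '0') * 64 + (s[2] - '0') * 8 + (s[3] - '0'));
            s += 3;
        } else
            *w = *s;
    }
    *w = '\0';
}

/* Hypothetical helper: mounts is /proc/mounts-format text, or NULL when /proc
 * is not mounted yet. Returns 1 if selinuxfs was found, 0 if the default was used. */
int selinuxfs_mountpoint(const char *mounts, char *out, size_t outlen)
{
    const char *line = mounts ? mounts : "";
    char buf[512], dir[256], type[64];
    while (*line) {
        size_t n = strcspn(line, "\n");
        if (n < sizeof buf) { /* over-long lines are skipped, not truncated */
            memcpy(buf, line, n); /* parse one line at a time: %s would cross newlines */
            buf[n] = '\0';
            if (sscanf(buf, "%*s %255s %63s", dir, type) == 2 && /* device dir fstype */
                strcmp(type, "selinuxfs") == 0) {
                unescape(dir);
                snprintf(out, outlen, "%s", dir);
                return 1;
            }
        }
        line += n + (line[n] == '\n');
    }
    snprintf(out, outlen, "%s", SELINUXFS_DEFAULT);
    return 0;
}

int main(void)
{
    char where[256]; /* the mount line below is constructed, not from a real system */
    int found = selinuxfs_mountpoint("none /my\\040sel selinuxfs rw 0 0\n", where, sizeof where);
    printf("%s (%s)\n", where, found ? "discovered" : "default");
    return 0;
}
```

Matching on the filesystem type field rather than the device or path is what lets callers ignore the actual location; only the early-boot caller depends on the compiled-in default.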

