Details:
https://fedoraproject.org/wiki/SELinux/Changes/Move_var_run_selinux_policy_entries_to_run

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process,
proposals are publicly announced in order to receive community feedback.
This proposal will only be implemented if approved by the Fedora
Engineering Steering Committee.

Move /var/run selinux-policy entries to /run

Summary
The actual path for system runtime files moved from /var/run to /run some 10
years ago [1], but the policy has since been managed in a way that keeps the
old entries, and updates still use the incorrect path while the real path is
handled by the file-context equivalency feature. This can confuse sysadmins,
who cannot be sure which path should actually be used, and can also result in
userspace tools not working properly [2].

[1] https://fedoraproject.org/wiki/Features/UsrMove

[2] https://bugzilla.redhat.com/show_bug.cgi?id=2241366

Owner
    Name: Zdenek Pytela
    Email: zpyt...@redhat.com

Current status
    Targeted release: Fedora 40
    Last updated: 2023-12-20
    FESCo issue: <will be assigned by the Wrangler>
    Tracker bug: <will be assigned by the Wrangler>
    Release notes tracker: <will be assigned by the Wrangler>

Detailed Description
The change actually means just replacing the "/run = /var/run" file-context
equivalency rule with "/var/run = /run". While the change as such is quite
simple, it can affect other components that ship their own selinux policy
with file-context entries.

Benefit to Fedora
Removing technical debt that originated 10 years ago. More straightforward
handling of file-context entries in the /run filesystem.

Scope
    Proposal owners:
        Add all relevant patches to upstream repository
        Ensure the system boots with the targeted policy
        Ensure the system boots with the mls policy
        Ensure updates from older releases work, more specifically with
custom selinux packages installed.

    Other developers:
        Developers of custom selinux policies need to confirm system
updates work.

    Release engineering: #Releng issue number (a check of the impact on
Release Engineering is needed)

    Policies and guidelines: No update required.

    Trademark approval: N/A (not needed for this Change)

    Alignment with Objectives:

Upgrade/compatibility impact

Users can be affected by this change if they use a local policy with
file-context entries in /run.
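The two passages above (the swap of the equivalency rule in Detailed Description and the impact on local file-context entries) are easiest to see by emulating what a file_contexts.subs_dist line does. The following POSIX sh script is an added example, not code from the Change page or from the selinux-policy project: it applies a single "<alias> <real>" equivalency rule to a path the way the path is rewritten before it is matched against file_contexts, and lists local fcontext regexes whose prefix is the alias (those can never match a real path, which is why semanage refuses such specs). The rules and the local specs are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the Change page or the selinux-policy project).
# A file_contexts.subs_dist line "<alias> <real>" means: a path under <alias>
# is looked up in file_contexts as the same path under <real>.
OLD_RULE="/run /var/run"   # pre-change rule: /run/... is looked up as /var/run/...
NEW_RULE="/var/run /run"   # post-change rule: /var/run/... is looked up as /run/...

# rewrite_path RULE PATH: print the path that will be matched against file_contexts.
# Only whole path components are substituted (/run rewrites /run/x, not /runner).
rewrite_path() {
    _alias=${1%% *}
    _real=${1#* }
    case "$2" in
        "$_alias")   printf '%s\n' "$_real" ;;
        "$_alias"/*) printf '%s\n' "$_real${2#"$_alias"}" ;;
        *)           printf '%s\n' "$2" ;;
    esac
}

# shadowed_specs RULE: read fcontext regexes on stdin (one per line, as in a local
# file_contexts.local) and print those starting with the rule's alias. Such specs
# are dead: every real path under the alias is rewritten before matching.
shadowed_specs() {
    _alias=${1%% *}
    while IFS= read -r _spec; do
        case "$_spec" in
            "$_alias"|"$_alias"/*|"$_alias("*) printf '%s\n' "$_spec" ;;
        esac
    done
}

# Constructed local specs, of the kind a sysadmin adds with "semanage fcontext -a".
LOCAL_SPECS='/var/run/mydaemon(/.*)?
/run/otherdaemon\.pid
/srv/data(/.*)?'

main() {
    echo "Pre-change lookup for /run/mydaemon/x.sock: $(rewrite_path "$OLD_RULE" /run/mydaemon/x.sock)"
    echo "Post-change lookup for /var/run/mydaemon/x.sock: $(rewrite_path "$NEW_RULE" /var/run/mydaemon/x.sock)"
    echo "Local specs shadowed by the pre-change rule:"
    printf '%s\n' "$LOCAL_SPECS" | shadowed_specs "$OLD_RULE"
    echo "Local specs shadowed by the post-change rule:"
    printf '%s\n' "$LOCAL_SPECS" | shadowed_specs "$NEW_RULE"
}

main
```

Running it shows the flip: before the change a local spec written for /run/otherdaemon\.pid is shadowed and the /var/run one is live; after the change it is the /var/run/mydaemon(/.*)? spec that becomes dead and needs to be re-added under /run. On a real system the active rules are in /etc/selinux/<type>/contexts/files/file_contexts.subs_dist and the local specs in file_contexts.local in the same directory.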

How To Test

    Install a new system and check for error messages and audit records.
    Update an existing system and check if all updates completed without an
error.
    Optionally, install and boot the selinux-policy-mls package.


User Experience

There should be no visible change for end users.

The change should be transparent, without any further action needed on the
system. System admins may need to take action, depending on the compatibility
of their local policy with the changes.


Contingency Plan

    Contingency mechanism: Revert all changes in case of serious problems
with updates.
    Contingency deadline: 2024-02-06 (Branch Fedora Linux 40 from Rawhide)
    Blocks release? No
    Blocks product? No


Documentation
To be added later.


-- 

Zdenek Pytela
Security SELinux team
--
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
List Archives: 
https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org