On 29/02/16 03:46, Russell Coker wrote:
> On Mon, 29 Feb 2016 02:47:04 AM Laurent Bigonville wrote:
>> On 28/02/16 11:05, Russell Coker wrote:
>>>> the easiest would be to do like fedora and install the modules directly
>>>> in the /var/lib/selinux/<policy>/100 store instead of copying/loading
>>>> them at installation time
>>> Do you mean having files in the package under /var/lib?  If so that seems
>>> like a FHS violation.  Why not just keep them under /usr/share/selinux
>>> and symlink them?
>> There are a lot of packages that ship files in /var/lib.
> I'm sure that you can find many ways in which there are a lot of broken
> packages in Debian or in any other distribution.  That said if we have a
> strong precedent in Debian for doing things a certain way it is an argument
> for doing more of the same.
>
> Are you sure you are not thinking about /var/run?
> https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
>
> # State information. Persistent data modified by programs as they run, e.g.,
> # databases, packaging system metadata, etc.
>
> The above section from the above URL suggests that package maintained files
> aren't suitable.
>
> The description of /usr is:
> # Secondary hierarchy for read-only user data; contains the majority of
> # (multi-)user utilities and applications.
>
> For /usr/share it says:
> # Architecture-independent (shared) data.
>
> I think that /usr/share is the best place for it.  If /var/lib has symlinks
> into /usr/share then files which aren't changed can be replaced by a package
> upgrade while files that are modified by utilities can stay modified.

Well one could argue that the store is "Persistent data modified by programs as they run" and that we set defaults for this store by installing files from the package.

The new store format is actually the following:

/var/lib/selinux/<policy_name>/100/... << modules shipped by the distribution
/var/lib/selinux/<policy_name>/400/... << modules loaded by the user using semodule (the priority can be changed on the cmd line)

So by default the user shouldn't interfere with the files we are shipping. We could add a warning in the NEWS or README file to warn the user about this.

BTW, the files in this new store are not in the same format (HLL) as the (.pp) files shipped currently in /usr/lib/selinux, they are processed by a "compiler" (/usr/lib/selinux/hll/pp) and stored in the CIL format in /var/lib/selinux/<policy_name>/..., so we cannot simply link the files from /usr/share/selinux to /var/lib/selinux

_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
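The priority layering described above (distribution modules at 100, user modules at 400, with the highest priority winning for a given module name) is easy to get wrong when debugging why a locally loaded module is or is not in effect. The following script is an added example, not part of the thread and not code from the Debian or SELinux projects. It builds a constructed scratch tree standing in for /var/lib/selinux/<policy_name> and works out, per module name, which priority directory is the effective one. It assumes the on-disk layout that libsemanage uses, active/modules/<priority>/<module>/{cil,hll,lang_ext}, which is more detailed than the shortened paths quoted in the mail; verify it on your own system before relying on it. It goes slightly beyond the mail by computing the effective module for every name in the store rather than describing a single case.

```shell
#!/bin/sh
# Added example (not from the original thread or the Debian/SELinux projects):
# model the priority layering of the libsemanage module store.
# Assumed layout (what libsemanage writes; verify on your system):
#   /var/lib/selinux/<policy>/active/modules/<priority>/<module>/{cil,hll,lang_ext}
# On a real system the equivalent inspection is `semodule --list-modules=full`,
# and `semodule -X 400 -i foo.pp` installs a module at priority 400.

# make_demo_store <store>: constructed sample store with two distribution
# modules at priority 100 and one user override of "apache" at priority 400.
make_demo_store() {
    store=$1
    for entry in 100/apache 100/bind 400/apache; do
        mkdir -p "$store/active/modules/$entry"
        # In a real store 'cil' holds the compiled CIL produced by the HLL
        # compiler (/usr/lib/selinux/hll/pp); these are placeholder contents.
        printf '(block %s)\n' "${entry#*/}" > "$store/active/modules/$entry/cil"
        printf 'cil\n' > "$store/active/modules/$entry/lang_ext"
    done
}

# effective_priority <store> <module>: print the highest priority directory
# that holds the module, i.e. the copy that is actually linked into the
# kernel policy. Returns 1 if the module is not present at any priority.
effective_priority() {
    store=$1; name=$2; best=""
    for dir in "$store"/active/modules/*/"$name"; do
        [ -d "$dir" ] || continue          # unmatched glob yields the pattern
        prio=${dir%/*}; prio=${prio##*/}   # .../modules/<prio>/<name> -> <prio>
        if [ -z "$best" ] || [ "$prio" -gt "$best" ]; then
            best=$prio
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# list_effective <store>: one line per module "<module> <priority> <origin>",
# where origin is "distribution" for 100 and "user" for anything else,
# mirroring the split described in the thread.
list_effective() {
    store=$1
    for dir in "$store"/active/modules/*/*/; do
        [ -d "$dir" ] || continue
        basename "$dir"
    done | sort -u | while read -r name; do
        prio=$(effective_priority "$store" "$name")
        if [ "$prio" -eq 100 ]; then origin=distribution; else origin=user; fi
        printf '%s %s %s\n' "$name" "$prio" "$origin"
    done
}

# Stand-alone demonstration on the constructed store.
demo=$(mktemp -d)
make_demo_store "$demo"
list_effective "$demo"
rm -rf "$demo"
```

On the constructed store this reports that "apache" is taken from priority 400 (the user copy shadows the distribution copy, which stays untouched on disk) while "bind" comes from 100. Removing the 400 copy with `semodule -X 400 -r apache` on a real system would make the distribution version effective again, which is the property that lets packaged modules at 100 be upgraded without clobbering local changes.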
