Prior art in https://github.com/fedora-selinux/selinux-policy/pull/243 for reference
Christian Glombek (he/him)
Senior Software Engineer, Red Hat GmbH

On Sun, Dec 24, 2023 at 3:52 PM Aoife Moloney <amolo...@redhat.com> wrote:
> wiki -> https://fedoraproject.org/wiki/Changes/Move_var_run_selinux_policy_entries_to_run
>
> This document represents a proposed Change. As part of the Changes
> process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering Committee.
>
> == Summary ==
> The actual path for system runtime files moved from /var/run to /run some
> 10 years ago [1], but the policy has been managed since then in a way
> that keeps the old entries and has updates still with the incorrect
> path, while the real path is handled by the file equivalency feature. This
> can confuse sysadmins, who cannot be sure which path should actually be
> used, and can also result in userspace tools not working properly [2].
>
> [1] https://fedoraproject.org/wiki/Features/UsrMove
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=2241366
>
> == Owner ==
> * Name: Zdenek Pytela
> * Email: zpyt...@redhat.com
>
> == Detailed Description ==
> The change actually means just replacing "/run = /var/run"
> file-context equivalency rules with "/var/run = /run". While the
> change as such is quite simple, it can have an effect on other components
> using their own selinux policy with file-context entries.
>
> == Feedback ==
>
> == Benefit to Fedora ==
> Removing technical debt which originated 10 years ago.
> More straightforward handling of file-context entries in the /run
> filesystem.
>
> == Scope ==
> * Proposal owners:
> ** Add all relevant patches to upstream repository
> ** Ensure the system boots with the targeted policy
> ** Ensure the system boots with the mls policy
> ** Ensure updates from older releases work, more specifically with
> custom selinux packages installed.
>
> * Other developers:
> ** Developers of custom selinux policies need to confirm system updates
> work.
>
> * Release engineering: [https://pagure.io/releng/issues #Releng issue
> number] (a check of an impact with Release Engineering is needed)
>
> * Policies and guidelines: No update required.
>
> * Trademark approval: N/A (not needed for this Change)
>
> * Alignment with Objectives:
>
> == Upgrade/compatibility impact ==
> Users can be affected by this change if they use a local policy with
> file-context entries in /run, which occurs quite rarely but is
> possible.
>
> == How To Test ==
> * Install a new system and check for error messages and audit records.
> * Update an existing system and check if all updates completed without an
> error.
> * Optionally, install and boot the selinux-policy-mls package.
> * Check for errors reported by dnf or rpm.
>
> == User Experience ==
> There should be no visible change for end users.
>
> The change should be transparent, without any further action needed on
> the system. System admins may need to take an action based on
> compatibility with the changes.
>
> == Dependencies ==
> Components with a custom selinux policy: container-selinux, pcp, cockpit
>
> == Contingency Plan ==
> * Contingency mechanism: Revert all changes in case of serious
> problems with updates.
> * Contingency deadline: 2024-02-06 (Branch Fedora Linux 40 from Rawhide)
> * Blocks release? No
> * Blocks product? No
>
> == Documentation ==
> To be added later.
>
> == Release Notes ==
>
> --
> Aoife Moloney
> Fedora Operations Architect
> Fedora Project
> Matrix: @amoloney:fedora.im
> IRC: amoloney
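The compatibility concern in the quoted proposal (local file-context entries written for /var/run that stop matching once the equivalency is flipped to "/var/run = /run") can be checked before the change lands. This is an added example, not code from the proposal, selinux-policy or Red Hat; it runs on a constructed sample in the shape of `semanage fcontext -l -C` output and assumes the path spec is the first whitespace-separated column and the security context the last.

```bash
#!/bin/bash
# Constructed sample of local fcontext customizations (semanage fcontext -l -C style).
SAMPLE_LOCAL='SELinux fcontext                 type        Context
/var/run/myapp(/.*)?             all files   system_u:object_r:myapp_var_run_t:s0
/var/run/myapp/myapp.sock        socket      system_u:object_r:myapp_var_run_t:s0
/opt/myapp/bin(/.*)?             all files   system_u:object_r:bin_t:s0
/run/other(/.*)?                 all files   system_u:object_r:var_run_t:s0'

# Path specs anchored at /var/run: with "/var/run = /run" in force, a lookup of
# /var/run/x is rewritten to /run/x before regex matching, so these specs go dead.
affected_entries() {
  printf '%s\n' "$1" | awk '$1 ~ /^\/var\/run(\/|\(|$)/ { print $1 }'
}

# Number of affected local entries (useful as a pre-upgrade health check).
affected_count() {
  affected_entries "$1" | wc -l | tr -d ' '
}

# The /run form a /var/run spec has to take after the change.
to_run_path() {
  printf '%s\n' "$1" | sed 's|^/var/run|/run|'
}

# One line per affected entry: old spec, new spec and the type to re-add it with.
migration_plan() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^\/var\/run(\/|\(|$)/ {
      split($NF, c, ":")                          # context user:role:type:level
      newspec = $1; sub(/^\/var\/run/, "/run", newspec)
      printf "%s -> %s (type %s)\n", $1, newspec, c[3]
    }'
}

# Flip the direction of the equivalency line as shown by semanage.
flip_equivalency() {
  printf '%s\n' "$1" | awk '
    $1 == "/run" && $2 == "=" && $3 == "/var/run" { print "/var/run = /run"; next }
    { print }'
}

migration_plan "$SAMPLE_LOCAL"
```

On a live system, replace the constructed sample with the real `semanage fcontext -l -C` output and re-add the listed specs under /run after the policy update.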