
Re: [PATCH 1/1] [bug556972-srivasta]: Explicitly allow /selinux and /sys as FHS exceptions



On Sat, Nov 21 2009, Kees Cook wrote:

> Hi,
>
> On Fri, Nov 20, 2009 at 12:33:50PM -0600, Manoj Srivastava wrote:
>>         The report #556972 was filed about a FHS violation in mounting
>>  selinuxfs on /selinux, which is accurate. Additionally, /sys does not
>>  appear in the FHS either, and is thus in a similar situation.
>>
>>         Now, I can move the mount point in libselinux1, perhaps to
>>  /lib/sellinux, but that would make us incompatible with other
>>  installations, and cause a large number of needless conflicts with
>>  currently installed SELinux. Here is the background:
>
> Do the userspace tools use /selinux unconditionally or do they examine
> /proc/mounts?  I'm not familiar with that portion of SELinux.

        Most userspace tools use libselinux to look at things in
 selinuxfs, and there is only one place where /selinux is hardcoded (and
 only as a fallback if /proc/mounts is not available or does not know
 about selinuxfs). Everything else will examine /proc/mounts.

        manoj

-- 
Join the army, see the world, meet interesting, exciting people, and
kill them.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
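
The lookup order described in the reply above (the mounts table first, /selinux only as a fallback), as an added example that is not part of the original message and is not libselinux's code. The function names, the 16 KiB read limit and the sample table are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SELINUX_FALLBACK "/selinux" /* fixed path, used only as a last resort */

/* Constructed sample in /proc/mounts format; /mnt/selinux is a made-up path. */
static const char SAMPLE_MOUNTS[] =
    "proc /proc proc rw,nosuid,nodev,noexec 0 0\n"
    "sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0\n"
    "none /mnt/selinux selinuxfs rw,relatime 0 0\n";

/* Find the first selinuxfs entry in a mounts table ("dev dir type opts ..."
 * per line). Returns 1 and copies the mount point to 'out', else returns 0. */
int scan_mounts(const char *table, char *out, size_t outlen)
{
    char line[1024], dev[256], dir[512], type[64];
    while (*table) {
        size_t len = strcspn(table, "\n");
        size_t n = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, table, n);          /* parse one line at a time so a */
        line[n] = '\0';                  /* short line cannot borrow fields */
        if (sscanf(line, "%255s %511s %63s", dev, dir, type) == 3 &&
            strcmp(type, "selinuxfs") == 0 && strlen(dir) < outlen) {
            strcpy(out, dir);
            return 1;
        }
        table += len + (table[len] == '\n');
    }
    return 0;
}

/* Prefer the mounts table; fall back to the fixed path if the table cannot
 * be read or has no selinuxfs entry. Reads at most 16 KiB (assumed enough). */
const char *selinuxfs_mountpoint(const char *mounts_path, char *buf, size_t buflen)
{
    char table[16384];
    FILE *fp = fopen(mounts_path, "r");
    size_t n = fp ? fread(table, 1, sizeof table - 1, fp) : 0;
    table[n] = '\0';
    if (fp)
        fclose(fp);
    return scan_mounts(table, buf, buflen) ? buf : SELINUX_FALLBACK;
}

int main(void)
{
    char buf[512];
    printf("%s\n", selinuxfs_mountpoint("/proc/mounts", buf, sizeof buf));
}
```

A tool that resolves the mount point this way keeps working if selinuxfs is mounted somewhere other than /selinux, which is why relocating the mount point affects only the fallback path.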

