F40 proposal: Move /var/run selinux policy entries to /run (System-Wide)

Move /var/run selinux-policy entries to /run

Summary

The actual path for system runtime files moved from /var/run to /run some 10 years ago [1], but the policy has since been managed in a way that keeps the old entries, and updates still use the incorrect path, while the real path is handled by the file-context equivalency feature. This can confuse sysadmins, who cannot be sure which path should actually be used, and can also result in userspace tools not working properly [2].

[1] Features/UsrMove - Fedora Project Wiki

[2] 2241366 – Restorecon not working correctly

Owner

Current status

  • Targeted release: Fedora 40
  • Last updated: 2023-12-20
  • FESCo issue:
  • Tracker bug:
  • Release notes tracker:

Detailed Description

The change actually means just replacing the “/run = /var/run” file-context equivalency rule with “/var/run = /run”. While the change as such is quite simple, it can affect other components that use their own SELinux policy with file-context entries.

Feedback

Benefit to Fedora

Removing technical debt which originated 10 years ago. More straightforward handling of file-context entries in the /run filesystem.

Scope

  • Proposal owners:

    • Add all relevant patches to upstream repository
    • Ensure the system boots with the targeted policy
    • Ensure the system boots with the mls policy
    • Ensure updates from older releases work, more specifically with custom selinux packages installed.
  • Other developers:

    • Developers of custom selinux policies need to confirm system updates work.
  • Release engineering: #Releng issue number (a check of the impact on Release Engineering is needed)

  • Policies and guidelines: No update required.

  • Trademark approval: N/A (not needed for this Change)

  • Alignment with Objectives:

Upgrade/compatibility impact

Users can be affected by this change if they use a local policy with file-context entries in /run.
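To make the direction of the equivalency rule concrete for both the Detailed Description and the compatibility impact above, here is an added Python model (not code from the proposal, the Fedora policy or libselinux) of how a file-context equivalency rule rewrites a path before file_contexts matching, run against the current “/run = /var/run” rule and the proposed “/var/run = /run” rule. The policy entries, the labels and the local entry for /run/myapp are constructed for illustration; longest-prefix substitution and last-match-wins lookup are simplifications of the library's behaviour.

```python
import re

# Constructed, simplified file_contexts tables as (regex, context); the labels
# are illustrative and are not copied from the Fedora policy.
POLICY_F39 = [  # entries still written with the pre-UsrMove path
    (r"/var/run(/.*)?", "system_u:object_r:var_run_t:s0"),
    (r"/var/run/sshd(/.*)?", "system_u:object_r:sshd_var_run_t:s0"),
]
# The same entries as they would look once rewritten to the real path.
POLICY_F40 = [(rx.replace("/var/run", "/run"), ctx) for rx, ctx in POLICY_F39]

# Equivalency rules in the shape of file_contexts.subs_dist lines "src dst":
# a looked-up path under src is rewritten to dst before the regex match.
SUBS_F39 = [("/run", "/var/run")]  # "/run = /var/run" (current rule)
SUBS_F40 = [("/var/run", "/run")]  # "/var/run = /run" (this proposal)

LOCAL_CTX = "system_u:object_r:myapp_var_run_t:s0"  # hypothetical local type
PATHS = ["/run/myapp/sock", "/var/run/myapp/sock"]

def apply_subs(path, subs):
    """Rewrite path using the equivalency rules: if it starts with src at a
    path-component boundary, replace that prefix with dst. Longest src wins
    (a simplification of how libselinux walks its substitution list)."""
    for src, dst in sorted(subs, key=lambda s: len(s[0]), reverse=True):
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def lookup(path, fcontexts, subs):
    """Return the context for path (or None): substitute first, then take the
    last entry whose regex matches the whole key (simplified last-match-wins)."""
    key = apply_subs(path, subs)
    found = None
    for regex, context in fcontexts:
        if re.fullmatch(regex, key):
            found = context
    return found

def local_entry_effect(local_regex, policy, subs, paths=PATHS):
    """Map each path to its label when a sysadmin's local fcontext entry
    (local_regex -> LOCAL_CTX) is appended to the policy under the given rule."""
    table = policy + [(local_regex, LOCAL_CTX)]
    return {p: lookup(p, table, subs) for p in paths}

if __name__ == "__main__":
    for rel, policy, subs in (("F39", POLICY_F39, SUBS_F39), ("F40", POLICY_F40, SUBS_F40)):
        for local in (r"/run/myapp(/.*)?", r"/var/run/myapp(/.*)?"):
            print(rel, local, local_entry_effect(local, policy, subs))
```

Under the current rule a local entry written for /run/myapp never takes effect, because every lookup is rewritten to /var/run first; under the proposed rule that entry works, while an entry written for /var/run/myapp stops matching, which is the case sysadmins with local file-context entries need to check.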

How To Test

  • Install a new system and check for error messages and audit records.
  • Update an existing system and check if all updates completed without an error.
  • Optionally, install and boot the selinux-policy-mls package.

N/A (not a System Wide Change)

User Experience

There should be no visible change for end users.

The change should be transparent, with no further action needed on the system. System administrators may need to take action depending on compatibility with the changes.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: Revert all changes in case of serious problems with updates.
  • Contingency deadline: 2024-02-06 (Branch Fedora Linux 40 from Rawhide)
  • Blocks release? No
  • Blocks product? No

Documentation

To be added later.

Release Notes

A post was merged into an existing topic: F40 Change Proposal: Move /var/run selinux-policy entries to /run (Self-Contained)

@zpytela Is this a duplicate of F40 Change Proposal: Move /var/run selinux-policy entries to /run (Self-Contained) so that we can close this one? So, in terms of this, the system-wide one is being obsoleted by the self-contained one? If so, this one might be closed with a link to the successor to avoid confusion.

(Btw, the naming of this topic does not follow the naming convention of the other F40 proposals and might be accidentally filtered in search queries: “F40 proposal” → “F40 Change Proposal”)

@py0xc3 Yes, it is a duplicate, I am sorry for that.

No worries. In this case I just wanted to suggest closing this one to avoid confusion and thus to focus discussions and attention on the other one :wink:

The proposal and discussion have been moved to F40 Change Proposal: Move /var/run selinux-policy entries to /run (Self-Contained)