[bug556972-srivasta]: Explicitly allow /selinux and /sys as FHS exceptions
1) There are a lot of instances of programs looking things up in
selinuxfs (indirectly through libselinux). Most of these instances
look through /proc/mounts to discover where selinuxfs is mounted,
and thus do not care about the actual location.
2) sysvinit (and upstart, if the patch is accepted) load the security
policy for machines where SELinux is enabled, and need to mount
selinuxfs to get details of the state of selinux in the
kernel. Since /proc is not around when this happens, this is the one
place where the distribution default of the selinuxfs mount point is
hard coded.
3) The default for Fedora, Gentoo, and Debian has been /selinux.
4) Lots of people have also set up /etc/fstab to mount selinuxfs on
/selinux.
5) There are user scripts that assume they can look into /selinux on
SELinux enabled machines, and this is a lot of things to change.
This patch explicitly allows /sys and /selinux as additional
directories in the root file system allowed under the policy.
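
The lookup described in points 1 and 2, as an added example that is not part of this commit and is not libselinux's code: find selinuxfs by its filesystem type in mounts-format text, and fall back to the hard-coded /selinux default only when the mount table cannot be read. The function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define DEFAULT_SELINUX_MNT "/selinux" /* default named in the commit message */

/* Decode in place the octal escapes the kernel writes in /proc/mounts fields
 * (\040 space, \011 tab, \012 newline, \134 backslash). */
static void unescape_mount_field(char *s)
{
    char *out = s;
    for (; *s; out++) {
        if (s[0] == '\\' && s[1] >= '0' && s[1] <= '3' && s[2] >= '0' &&
            s[2] <= '7' && s[3] >= '0' && s[3] <= '7') {
            *out = (char)((s[1] - '0') * 64 + (s[2] - '0') * 8 + (s[3] - '0'));
            s += 4;
        } else {
            *out = *s++;
        }
    }
    *out = '\0';
}

/* If the line's type field (third column) is selinuxfs, copy its mount point
 * to buf and return 1. The device column is ignored: any name can appear there. */
int selinuxfs_from_line(const char *line, char *buf, size_t buflen)
{
    char dev[256], dir[512], type[64];
    if (sscanf(line, "%255s %511s %63s", dev, dir, type) != 3 ||
        strcmp(type, "selinuxfs") != 0)
        return 0;
    unescape_mount_field(dir);
    snprintf(buf, buflen, "%s", dir);
    return 1;
}

/* 1: found in the table; 0: table readable but no selinuxfs (buf untouched);
 * -1: table unreadable, e.g. /proc not mounted yet, so buf gets the default. */
int selinux_mount_point(const char *mounts_path, char *buf, size_t buflen)
{
    char line[1024];
    int found = 0;
    FILE *fp = fopen(mounts_path, "r");
    if (!fp) {
        snprintf(buf, buflen, "%s", DEFAULT_SELINUX_MNT);
        return -1;
    }
    while (!found && fgets(line, sizeof line, fp))
        found = selinuxfs_from_line(line, buf, buflen);
    fclose(fp);
    return found;
}
```

A caller would pass "/proc/mounts" as mounts_path and treat a return of 0 as "SELinux filesystem not mounted" rather than assuming /selinux.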