[bug556972-srivasta]: Explicitly allow /selinux and /sys as FHS exceptions

 1) There are a lot of instances of programs looking things up in
    selinuxfs (indirectly through libselinux). Most of these instances
    look through /proc/mounts to discover where selinuxfs is mounted,
    and thus do not care about the actual location
 2) sysvinit (and upstart, if the patch is accepted) load the security
    policy for machines where SELinux is enabled, and need to mount
    selinuxfs to get details of the state of selinux in the
    kernel. Since /proc is not around when this happens, this is the one
    place where the distribution default od the selinuxfs mount point is
    hard coded.
 3) The default for fedora, gentoo, and Debian has been /selinux
 4) Lots of people have also setup /etc/fstab to mount selinuxfs on
    /selinux
 5) there are user scripts that assume they can look into /selinux on
    SELinux enabled machines, and this is a lot of things to change

This patch explicitly allows /sys and /selinux as additional
directories int he root file system allowed under the policy.

Signed-off-by: Manoj Srivastava <srivasta@debian.org>

diff --git a/policy.sgml b/policy.sgml
index 34a45d577b4dc22543c7c7a6b624ca22ad5eb507..b8b97f4bc551456e8029174f214af8be2b1d8b10 100644 (file)
--- a/policy.sgml
+++ b/policy.sgml
@@ -5638,6 +5638,15 @@ libbar 1 bar1 (>= 1.0-1)
                   symlinked there, is relaxed to a recommendation.
                 </p>
               </item>
+              <item>
+                <p>
+                  The following directories in the root filesystem are
+                  additionally allowed: <file>/sys</file> and
+                  <file>/selinux</file>. <footnote>These directories
+                  are used as mount points to mount virtual filesystems
+                  to get access to kernel information.</footnote>
+                </p>
+              </item>
             </enumlist>
 
           </p>