From 112c4bc453ffee1276c9618f6e031aa0f6b1eca3 Mon Sep 17 00:00:00 2001 From: Manoj Srivastava Date: Fri, 20 Nov 2009 12:26:21 -0600 Subject: [PATCH] [bug556972-srivasta]: Explicitly allow /selinux and /sys as FHS exceptions 1) There are a lot of instances of programs looking things up in selinuxfs (indirectly through libselinux). Most of these instances look through /proc/mounts to discover where selinuxfs is mounted, and thus do not care about the actual location 2) sysvinit (and upstart, if the patch is accepted) load the security policy for machines where SELinux is enabled, and need to mount selinuxfs to get details of the state of selinux in the kernel. Since /proc is not around when this happens, this is the one place where the distribution default od the selinuxfs mount point is hard coded. 3) The default for fedora, gentoo, and Debian has been /selinux 4) Lots of people have also setup /etc/fstab to mount selinuxfs on /selinux 5) there are user scripts that assume they can look into /selinux on SELinux enabled machines, and this is a lot of things to change This patch explicitly allows /sys and /selinux as additional directories int he root file system allowed under the policy. Signed-off-by: Manoj Srivastava --- policy.sgml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/policy.sgml b/policy.sgml index 34a45d5..b8b97f4 100644 --- a/policy.sgml +++ b/policy.sgml @@ -5638,6 +5638,15 @@ libbar 1 bar1 (>= 1.0-1) symlinked there, is relaxed to a recommendation.

+ +

+ The following directories in the root filesystem are + additionally allowed: /sys and + /selinux. These directories + are used as mount points to mount virtual filesystems + to get access to kernel information. +

+

-- 2.39.5