From: jason@perfinion.com (Jason Zaman)
Date: Thu, 26 Jan 2017 15:44:59 +0800
Subject: [refpolicy] [PATCH] usrmerge
In-Reply-To:
References: <20170110073005.zagcy5zo3dus3bgn@athena.coker.com.au>
Message-ID: <20170126074459.GA18257@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

[[ I originally didn't remove the patch so the email was too long and the list
bounced it, resending ]]

On Sun, Jan 15, 2017 at 01:02:25PM -0500, Chris PeBenito wrote:
> On 01/10/17 02:30, Russell Coker via refpolicy wrote:
> > The following patch supports making /sbin, /lib*, and /bin symlinks to the
> > same named directories under /usr. This change is accomplished in Debian by
> > installing the "usrmerge" package and is apparently the default in Fedora.
> >
> > These changes have been tested in Debian and found to give the same labelling
> > as the policy without this patch in almost all cases. The exceptions were
> > files where the .fc files in question used one of /bin or /usr/bin that didn't
> > match what was done in Debian. The small number of changes to the policy
> > caused by this patch FIXED outstanding bugs.
> >
> > I expect that this won't give any changes to Fedora and it might fix some bugs
> > for Gentoo and SUSE.
> >
> > What it does is remove all duplicates in /bin and /usr/bin etc and uses a
> > subs_dist change to make the /usr change not affect policy.
>
> I don't have a problem with merging this patch; however, I will delay it
> at least until after the next release (which is in a few weeks or so).
> I'd also like to hear from Gentoo people on any impacts this may have.

Sorry it's taken so long, I've been busy lately. I will test it on my
machine soon and get back to you hopefully on the weekend so I get some
testing in.

Also Nicolas Iooss did some work recently and has a script that goes
through to verify that everything in /bin has an equivalent in /usr/bin.
Going this subs_dist route would make the fcontexts smaller though, which is a
plus and less confusion. I just need to be a bit extra careful since
Gentoo is rolling but I don't foresee any issues.

--
Jason
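
Added example, not part of the original message and not refpolicy's or any poster's code: a Python check of the kind discussed in this thread, run over constructed file-context lines. The alias list, sample contexts and function names are assumptions; it reports /bin, /sbin and /lib entries whose /usr counterpart is identical (redundant once the subs_dist alias exists), labelled differently, or absent.

```python
# Constructed sample data: not refpolicy's real aliases or file contexts.
SUBS = [("/bin", "/usr/bin"), ("/sbin", "/usr/sbin"), ("/lib", "/usr/lib")]

FC_LINES = """\
/bin/mount              --  system_u:object_r:mount_exec_t:s0
/usr/bin/mount          --  system_u:object_r:mount_exec_t:s0
/sbin/ip                --  system_u:object_r:ifconfig_exec_t:s0
/bin/su                 --  system_u:object_r:su_exec_t:s0
/usr/bin/su             --  system_u:object_r:bin_t:s0
/usr/lib/systemd(/.*)?      system_u:object_r:lib_t:s0
"""

def parse(text):
    """Yield (path_regex, file_type, context) from file-context lines."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 2:          # no file-type field such as "--"
            yield fields[0], "", fields[1]
        else:
            yield fields[0], fields[1], fields[2]

def canonical(path):
    """Rewrite an aliased prefix to its /usr target, as a subs entry would."""
    for src, dst in SUBS:
        if path == src or path.startswith((src + "/", src + "(")):
            return dst + path[len(src):]
    return path

def audit(text):
    """Classify every aliased entry against its /usr counterpart."""
    entries = list(parse(text))
    usr = {(p, t): c for p, t, c in entries if canonical(p) == p}
    report = {"duplicate": [], "conflict": [], "missing": []}
    for path, ftype, context in entries:
        target = canonical(path)
        if target == path:
            continue                  # already a /usr (or unrelated) entry
        if (target, ftype) not in usr:
            report["missing"].append(path)    # label lost after the merge
        elif usr[(target, ftype)] == context:
            report["duplicate"].append(path)  # safe to drop with the alias
        else:
            report["conflict"].append(path)   # two labels for one file
    return report

if __name__ == "__main__":
    for kind, paths in audit(FC_LINES).items():
        print(kind, paths)
```
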