From: russell@coker.com.au (Russell Coker)
Date: Sun, 5 Mar 2017 18:12:43 +1100
Subject: [refpolicy] [PATCH] /var/run -> /run
In-Reply-To: <20170305062103.GA27433@meriadoc.perfinion.com>
References: <20170305040208.uglbioys5g4k6j4m@athena.coker.com.au> <201703051536.08593.russell@coker.com.au> <20170305062103.GA27433@meriadoc.perfinion.com>
Message-ID: <201703051812.43089.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 5 Mar 2017 05:21:03 PM Jason Zaman via refpolicy wrote:
> > > This has to stay. It's for when other programs do stuff with /var/run.
> > > Otherwise the labels would be wrong.
> >
> > On Debian /var/run is a symlink to /run. Are there any distributions
> > not doing this?
>
> Not that I know of currently, but old installs might still be set up like
> that?

Recent policies won't build on older versions of Debian; something about the build scripts depends on recent utilities. I don't know if this is an upstream issue or Debian specific because I haven't cared enough to check it out.

My personal goal for compatibility is that things should work with a kernel or policy from a version of Debian earlier or later than the current version - but not with policy from a version earlier and kernel from a version later. But this isn't a hard goal and such cross-version support isn't demanded. I'm happy to tell users "edit your tmpfiles.d files if you want to use a 2017+ policy with Debian/Stretch".

SE Linux is tightly integrated into a Linux system; essential things like ls, cp, cron, sshd, and systemd link with SE Linux libraries. Upgrading an SE Linux policy package drags in lots of dependencies, including versioned dependencies. Upgrading a policy package while keeping any significant portion of the rest of the system 2 versions behind might be impossible and puts you at risk of breakage due to things like glibc and kernel inter-dependencies.

Not to mention the fact that no-one tests such differences of versions, so even if things theoretically should work they are likely to break due to not being tested.

Now someone could compile a recent policy on an older system. But that's an expert-level task (it's something I wouldn't do due to it taking too much effort and not providing enough benefit) and anyone who has the skills to complete that will be able to fix minor things like /var/run labelling. They will certainly have much bigger problems along the way.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/