From: russell@coker.com.au (Russell Coker)
Date: Sun, 5 Mar 2017 18:12:43 +1100
Subject: [refpolicy] [PATCH] /var/run -> /run
In-Reply-To: <20170305062103.GA27433@meriadoc.perfinion.com>
References: <20170305040208.uglbioys5g4k6j4m@athena.coker.com.au>
	<201703051536.08593.russell@coker.com.au>
	<20170305062103.GA27433@meriadoc.perfinion.com>
Message-ID: <201703051812.43089.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 5 Mar 2017 05:21:03 PM Jason Zaman via refpolicy wrote:
> > > This has to stay. It's for when other programs do stuff with /var/run.
> > > Otherwise the labels would be wrong.
> >
> > On Debian /var/run is a symlink to /run.  Are there any distributions
> > not  doing this?
> 
> Not that i know of currently, but old installs might still be setup like
> that?

Recent policies won't build on older versions of Debian, something about the 
build scripts depends on recent utilities.  I don't know if this is an 
upstream issue or Debian specific because I haven't cared enough to check it 
out.

My personal goal for compatibility is that things should work with a kernel or 
policy from a version of Debian earlier or later than the current version - 
but not with policy from a version earlier and kernel from a version later.  
But this isn't a hard goal and such cross version support isn't demanded.  I'm 
happy to tell users "edit your tmpfiles.d files if you want to use a 2017+ 
policy with Debian/Stretch".

SE Linux is tightly integrated into a Linux system, essential things like ls, 
cp, cron, sshd, and systemd link with SE Linux libraries.  Upgrading a SE 
Linux policy package drags in lots of dependencies, including versioned 
dependencies.  Upgrading a policy package while keeping any significant portion 
of the rest of the system 2 versions behind might be impossible and puts you 
at risk of breakage due to things like glibc and kernel inter-dependencies.  
Not to mention the fact that no-one tests such differences of versions so even 
if things theoretically should work they are likely to break due to not being 
tested.

Now someone could compile a recent policy on an older system.  But that's an 
expert level task (it's something I wouldn't do due to it taking too much 
effort and not providing enough benefit) and anyone who has the skills to 
complete that will be able to fix minor things like /var/run labelling.  They 
will certainly have much bigger problems along the way.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/