Re: [PATCH 1/1] restorecond: use /run instead of /var/run

From: Dominick Grift <dac.override@gmail.com>
To: Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: Petr Lautrbach <plautrba@redhat.com>,
	selinux@vger.kernel.org, Laurent Bigonville <bigon@debian.org>
Subject: Re: [PATCH 1/1] restorecond: use /run instead of /var/run
Date: Wed, 27 Mar 2019 08:56:54 +0100	[thread overview]
Message-ID: <87k1gkn41l.fsf@gmail.com> (raw)
In-Reply-To: <CAJfZ7=kN1CUYGiePHoE_HYw9NVRWErTKuWyet35_EMEiChMqgQ@mail.gmail.com> (Nicolas Iooss's message of "Tue, 26 Mar 2019 22:33:53 +0100")

Nicolas Iooss <nicolas.iooss@m4x.org> writes:

> On Thu, Mar 21, 2019 at 1:08 PM Dominick Grift <dac.override@gmail.com> wrote:
>>
>> Petr Lautrbach <plautrba@redhat.com> writes:
>>
>> > Nicolas Iooss <nicolas.iooss@m4x.org> writes:
>> >
>> >> On most distributions, /var/run is a symbolic link to /run so using
>> >> /var/run or /run lead to the same result. Nevertheless systemd
>> >> started
>> >> to warn about using /var/run in a service file, logging entries such
>> >> as:
>> >>
>> >>     /usr/lib/systemd/system/restorecond.service:8: PIDFile=
>> >> references
>> >>     path below legacy directory /var/run/, updating
>> >>     /var/run/restorecond.pid → /run/restorecond.pid; please
>> >> update the
>> >>     unit file accordingly.
>> >>
>> >> Switch to /run in order to follow this advice.
>> >>
>> >> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
>>
>> There are other occurances of "/var/run" tree-wide. Some more important
>> than others: cd selinux; grep -r "/var/run" .
>
> Are all distribution using /run instead of /var/run with a symlink
> from /var/run to /run? For me, it is all right to move a PID file,
> which is only shared between the service and the service manager, but
> moving files such as the Unix socket /var/run/setrans/.setrans-unix
> could cause issues on systems where /var/run and /run are different
> directories.

FHS still mentions /var/run, so i suppose from that perspective it
should be supported. but using /var/run can slow down boot time plus
lets say mcstrans would be socket activated, then we would need a fc spec
for /var/run or else systemd would create the socket with a wrong label
and then you get into a chicken and egg situation and we will still be
using /var/run in the next decade.

>
> Also, policycoreutils/scripts/fixfiles currently contains:
>
> find /var/run \( -context "*:${UNLABELED}*" -o -context
> "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/run
> {} \;
>
> This command does not do anything useful when /var/run is a symlink
> (either a slash needs to be added to the path, in order to use
> /var/run, or /run needs to be specified too). Right now I do not have
> much time to investigate how several distributions configure their
> /run and /var/run directories (I am writing a research paper related
> to Dell's iDRAC system, which appears to be using SELinux since its
> version 9). If nobody else does this, I plan doing this work in April.
>
> Thanks,
> Nicolas
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift