Latest revision as of 16:13, 18 March 2024

Move /var/run selinux-policy entries to /run

Summary

Actual path for system runtime files moved from /var/run to /run some 10 years ago [1], but the policy has been managed since then in a way that keeps the old entries and have updates still with the incorrect path while the real path is handled by file equivalency feature. This can confuse sysadmins not to be sure which path should be actually used and can also effect in userspace tools not working properly [2].

[1] https://fedoraproject.org/wiki/Features/UsrMove

[2] https://bugzilla.redhat.com/show_bug.cgi?id=2241366

Owner

Name: Zdenek Pytela
Email: zpytela@redhat.com

Current status

Targeted release: Fedora 40
Last updated: 2024-03-18
Announced
Discussion thread
FESCo issue: #3142
Tracker bug: #2258068
Release notes tracker: #1095

Detailed Description

The change actually means just replacing "/run = /var/run" file-context equivalency rules with "/var/run = /run". While the change as such is quite simple, it can have effect on other components using their own selinux policy with file-context entries.

Feedback

Benefit to Fedora

Removing technical debt which originated 10 years ago. More straightforward handling of file-context entries in the /run filesystem.

Scope

Proposal owners:
- Add all relevant patches to upstream repository
- Ensure the system boots with the targeted policy
- Ensure the system boots with the mls policy
- Ensure updates from older releases work, more specifically with custom selinux packages installed.

Other developers:
- Developers of custom selinux policies need to confirm system updates work.

Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)

Policies and guidelines: No update required.

Trademark approval: N/A (not needed for this Change)

Alignment with Objectives:

Upgrade/compatibility impact

Users can be affected by this change if they use a local policy with file-context entries in /run which occurs quite rarely, but is possible.

How To Test

Install a new system and check for error messages and audit records.
Update an existing system and check if all updates completed without an error.
Optionally, install and boot the selinux-policy-mls package.
Check for errors reported by dnf or rpm.

User Experience

There should be no visible change for end users.

The change should be transparent, without any further action needed on the system. System admins may need to take an action based on compatibility with the changes.

Dependencies

Components with a custom selinux policy: container-selinux pcp cockpit

Contingency Plan

Contingency mechanism: Revert all changes in case of serious problems with updates.
Contingency deadline: 2024-02-06 (Branch Fedora Linux 40 from Rawhide)
Blocks release? No
Blocks product? No

Documentation

Overview

As a part of each selinux-policy package installation or update since selinux-policy-40.12-1, a conversion script is run to ensure file context entries exist for the /run top-level directory. This script creates a local SELinux policy module, local_varrun, which is re-created on each update. The script takes care of entries provided by packages with independent module (typically in the package-selinux subpackage) and local modules created by system admins. As soon as all independent modules are updated in Fedora repositories, calling the script from the rpm scriptlet will be removed by selinux-policy maintainers.

How it works

The script goes through SELinux file context entries in the policy installed on the system. For each file specification in /var/run which does not have an equivalent rule in /run, it creates a new rule in the local_varrun.cil file. This file is then loaded into the current active policy as the local_varrun SELinux policy module.

Possible issues and debugging

Admins who created their own local SELinux policy module need to apply the changes manually and replace all occurencies of /var/run with just /run in their .fc or .cil files. This should not be a frequent case unless e.g. a complex module was created to support a service which is not in Fedora.

In case of any outstanding problem, ensure that the latest selinux-policy packages are installed, run

/usr/libexec/selinux/varrun-convert.sh targeted
restorecon -Rv /run

and possibly restart failing services. If that does not help, please report a bug.

This script is expected to be run from an rpm scriptlet, so it is not verbose much by default. It can also be executed from cli, it takes the policy name as an argument. Debugging mode can be enabled with

DEBUG=yes /usr/libexec/selinux/varrun-convert.sh targeted

which increases the script's verbosity and stores some additional information in files in the /run/selinux-policy directory.

Release Notes

Release notes tracker: #1095

@@ Line 1: / Line 1: @@
-{{Change_Proposal_Banner}}
 = Move /var/run selinux-policy entries to /run =
@@ Line 31: / Line 29: @@
 == Current status ==
-[[Category:ChangePageIncomplete]]
+[[Category:ChangeAcceptedF40]]
 <!-- When your change proposal page is completed and ready for review and announcement -->
-<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
 <!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangeAnnounced (no action required) -->
 <!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
@@ Line 50: / Line 47: @@
 CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
 -->
-* FESCo issue: <will be assigned by the Wrangler>
+* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/IXUA6AL7JANVQSH6T3XSRHCUUE764Z53/ Announced]
-* Tracker bug: <will be assigned by the Wrangler>
+* [https://discussion.fedoraproject.org/t/f40-change-proposal-move-var-run-selinux-policy-entries-to-run-self-contained/100171 Discussion thread]
-* Release notes tracker: <will be assigned by the Wrangler>
+* FESCo issue: [https://pagure.io/fesco/issue/3142 #3142]
+* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2258068 #2258068]
+* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/1095 #1095]
 == Detailed Description ==
@@ Line 122: / Line 121: @@
 == Upgrade/compatibility impact ==
 <!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
-Users can be affected by this change if they use a local policy with file-context entries in /run.
+Users can be affected by this change if they use a local policy with file-context entries in /run which occurs quite rarely, but is possible.
 <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
@@ Line 143: / Line 142: @@
 * Update an existing system and check if all updates completed without an error.
 * Optionally, install and boot the selinux-policy-mls package.
+* Check for errors reported by dnf or rpm.
+<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
-<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
-N/A (not a System Wide Change)
 == User Experience ==
@@ Line 166: / Line 165: @@
 <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
-N/A (not a System Wide Change)
+Components with a custom selinux policy: container-selinux pcp cockpit
 == Contingency Plan ==
@@ Line 182: / Line 181: @@
 <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
-To be added later.
+=== Overview ===
+As a part of each selinux-policy package installation or update since selinux-policy-40.12-1, a conversion script is run to ensure file context entries exist for the /run top-level directory. This script creates a local SELinux policy module, `local_varrun`, which is re-created on each update. The script takes care of entries provided by packages with independent module (typically in the `package-selinux` subpackage) and local modules created by system admins. As soon as all independent modules are updated in Fedora repositories, calling the script from the rpm scriptlet will be removed by selinux-policy maintainers.
+=== How it works ===
+The script goes through SELinux file context entries in the policy installed on the system. For each file specification in /var/run which does not have an equivalent rule in /run, it creates a new rule in the `local_varrun.cil` file. This file is then loaded into the current active policy as the `local_varrun` SELinux policy module.
+=== Possible issues and debugging ===
+Admins who created their own local SELinux policy module need to apply the changes manually and replace all occurencies of /var/run with just /run in their .fc or .cil files. This should not be a frequent case unless e.g. a complex module was created to support a service which is not in Fedora.
+In case of any outstanding problem, ensure that the latest selinux-policy packages are installed, run
+<pre>
+/usr/libexec/selinux/varrun-convert.sh targeted
+restorecon -Rv /run
+</pre>
+and possibly restart failing services. If that does not help, please report a bug.
+This script is expected to be run from an rpm scriptlet, so it is not verbose much by default. It can also be executed from cli, it takes the policy name as an argument. Debugging mode can be enabled with
+<pre>
+DEBUG=yes /usr/libexec/selinux/varrun-convert.sh targeted
+</pre>
+which increases the script's verbosity and stores some additional information in files in the `/run/selinux-policy` directory.
 == Release Notes ==
@@ Line 190: / Line 210: @@
 Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze.
 -->
+* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/1095 #1095]

Search

Changes/Move var run selinux policy entries to run: Difference between revisions