[HEADS-UP] Moving /var/run and /var/lock to tmpfs in Rawhide

Daniel J Walsh dwalsh at redhat.com
Tue Nov 30 14:26:02 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/30/2010 04:56 AM, Paul Howarth wrote:
> On 30/11/10 08:38, Toshio Kuratomi wrote:
>> On Tue, Nov 30, 2010 at 03:11:43AM -0500, Akira TAGOH wrote:
>>> | 2) The act of installing the rpm should create the necessary directories.
>>> | Alternately, the program (or as you say, the init script) can create the
>>> | necessary directories.  Note that I don't believe that systemd gives you the
>>> | flexibility to do that sort of thing (there's no "script" in its init stuff)
>>> | so you'd need a wrapper script for the program itself or write a patch to
>>> | the program itself to achieve this where the program doesn't create the
>>> | directory already and if we don't do this from within the rpm payload.
>>>
>>> To get this working on SELinux, are we presuming that restorecond is running on the system or does the package maintainer need to take care of running restorecon manually in the script or the program?
>>>
>> I thought lennart mentioned something about selinux and tmpfiles.d defined
>> directories but I could be misremembering.
> 
> Files/directories created as a result of tmpfiles.d entries will have 
> the correct SELinux contexts.
> 
> Files/directories created by an initscript will probably need to have 
> restorecon run on them to set the correct context (which of course can 
> be done in the initscript).
> 
> Files/directories created at startup by a daemon may or may not have the 
> correct SELinux contexts depending on whether the necessary transition 
> rules are in the policy. If they're not set correctly, it would be a 
> good idea to raise a bug on selinux-policy to address that.
> 
> Paul.

Yes. As we see them we are fixing them.  setroubleshoot had a fix go in
yesterday, one to create the directory if it does not exist and secondly
selinux policy was modified to create the directory with the correct
context.  It is usually better to have the daemon create the directory
than to rely on tmpfiles.d to create it, and then we can have SELinux do
the right thing.

I think we should not ghost the directories in the spec file but allow
rpm to create them with the correct context, as long as rpm -qV works
correctly when the directory is recreated.  If we have to ghost the
directories and people create the directories in the post install, they
will need to run restorecon on the directory:

mkdir /var/run/FOOBAR
restorecon /var/run/FOOBAR


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz1CXoACgkQrlYvE4MpobNNmACgisyDwIbbYt9BbNAiJR/owSEM
dhEAnjIgAND6XaDiWI47+tb+f/YVZAXJ
=pMkT
-----END PGP SIGNATURE-----
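The mkdir-then-restorecon pattern Dan recommends above, and the check a packager would want afterwards, as an added shell example. This is not code from the original message or from any Fedora package: the /var/run/FOOBAR path is the placeholder from the message, the daemon is hypothetical, and the only tools assumed are the standard selinuxenabled, restorecon, matchpathcon and coreutils stat. Where SELinux is not enabled the check is a no-op, so the functions also run on a non-SELinux box.

```shell
#!/bin/sh
# Added example (not from the original message or any Fedora package):
# create a daemon's runtime directory the way the thread recommends,
# mkdir followed by restorecon, and then verify that the resulting
# SELinux type is the one the file context database expects.
# Directory and daemon names are hypothetical.

# tmpfiles_entry PATH MODE USER GROUP
# Emit the tmpfiles.d line that would create PATH at boot. systemd labels
# directories created this way from policy, so no restorecon is needed
# for that path; the function only builds the line.
tmpfiles_entry() {
    printf 'd %s %s %s %s -\n' "$1" "$2" "$3" "$4"
}

# selinux_active: true when SELinux is enforcing or permissive.
selinux_active() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null
}

# label_matches_policy DIR
# Returns 0 when DIR's SELinux type equals what matchpathcon says policy
# wants for that path (or when SELinux is not enabled, in which case there
# is nothing to check); 1 otherwise. Only the type field is compared,
# because restorecon resets the type but leaves the SELinux user alone.
label_matches_policy() {
    if selinux_active; then
        expected=$(matchpathcon -n "$1" | cut -d: -f3) || return 1
        actual=$(stat -c %C "$1" | cut -d: -f3) || return 1
        [ -n "$expected" ] && [ "$expected" = "$actual" ]
    else
        return 0
    fi
}

# ensure_runtime_dir DIR [MODE]
# The initscript / %post pattern from the thread: create the directory,
# then relabel it. Without a type_transition rule in policy, a directory
# made by plain mkdir gets its parent's type (var_run_t under /var/run),
# not the daemon-specific type, which is exactly what restorecon fixes.
ensure_runtime_dir() {
    dir=$1
    mode=${2:-0755}
    if [ ! -d "$dir" ]; then
        mkdir -p -m "$mode" "$dir" || return 1
    fi
    if selinux_active; then
        restorecon "$dir" || return 1
    fi
    label_matches_policy "$dir"
}

# Usage as a script: ensure /var/run/FOOBAR exists and is labelled, and
# print the tmpfiles.d line that would do the same job at boot.
if [ "${1:-}" = "--run" ]; then
    ensure_runtime_dir /var/run/FOOBAR 0755 && echo "/var/run/FOOBAR ok"
    tmpfiles_entry /var/run/FOOBAR 0755 root root
fi
```

Run it as root with `--run` on a Rawhide box; if `ensure_runtime_dir` returns 1 even after restorecon, the file context database has no entry for the path, which is the case Paul describes as a selinux-policy bug worth filing.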


More information about the devel mailing list