FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Development

 
 
LinkBack Thread Tools
 
Old 04-29-2011, 06:41 AM
Michał Piotrowski
 
Default systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

W dniu 29 kwietnia 2011 04:09 użytkownik Jasper Boot
<jasper.boot@gmail.com> napisał:
> Hi,
> 2011/4/29 Michał Piotrowski <mkkp4x4@gmail.com>
>>
>> Hi,
>>
>> By the way, maybe it would be good to think about the meaning of /srv
>> existance? For seven years FHS requires that this directory exists
>> http://www.pathname.com/fhs/pub/fhs-2.3.html#PURPOSE16A
>> but "The methodology used to name subdirectories of /srv is
>> unspecified as there is currently no consensus on how this should be
>> done" - so even the authors of the standard did not have anything to
>> say about how this directory should be used. Is there a rational
>> reason for the existence of this directory besides FHS conformance?
>
>
> For years now I've been using /srv to contain the content for the various
> (world visible) services my machines run. Instead of having a mix of
> /var/www/ /home/apache /home/httpd/ /var/lib/mysql/ /var/named/ and other
> directories the different distributions come up with (usually somewhere in
> /var), I've standardized on /srv/www /srv/svn /srv/git/ /srv/mysql and
> /srv/dns for all machines and distros. Instead of just getting rid of such a
> useful directory I'd rather see an effort to come up with a beter
> standardization / description.
> Because /var already contains a lot of other variable/transient data, e.g.
> log, spool and temporary files, I like the fact that I can have another
> hierarchy for 'content' data instead of 'variable run/state' data. In /srv
> is the really important data I need to backup and restore; /var is just
> variable data that is needed in a running system, but isn't that essential
> and specific to my system. You could almost say that /srv is the system-wide
> /home in my case.

Ok, so it has some use. For the purpose that you described I use
"data" dir that is somewhere on other than / partition

$ ls /home/data/
backup mysql pgsql www

Probably I should use /srv for this, but this would mean that I need
yet another partition.

> --
> Regards,
> Jasper



--
Best regards,
Michal

http://eventhorizon.pl/
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 04-29-2011, 11:14 PM
Michał Piotrowski
 
Default systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

2011/4/30 Daniel J Walsh <dwalsh@redhat.com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/29/2011 06:56 PM, Lennart Poettering wrote:
>> On Fri, 29.04.11 00:37, Michał Piotrowski (mkkp4x4@gmail.com) wrote:
>>
>>> Hi,
>>>
>>> I think it's a very good decision - I never understood why selinux dir
>>> is directly under /.
>>
>> Yes, I think this would be a good thing to have in F16.
>>
>> Note however that this needs a tiny kernel patch to work, to create the
>> mount point under /sys/fs/selinux. This is a trivial patch and has been
>> done for /sys/fs/cgroup before, so I assume this would be easy to get
>> in and just needs a champion to push this forward.
>>
>>> By the way, maybe it would be good to think about the meaning of /srv
>>> existance? For seven years FHS requires that this directory exists
>>> http://www.pathname.com/fhs/pub/fhs-2.3.html#PURPOSE16A
>>> but "The methodology used to name subdirectories of /srv is
>>> unspecified as there is currently no consensus on how this should be
>>> done" - so even the authors of the standard did not have anything to
>>> say about how this directory should be used. Is there a rational
>>> reason for the existence of this directory besides FHS conformance?
>>
>> I think /srv actually makes a lot of sense. Probably not so much on the
>> desktop, but the boundaries are blurry, and I see no reason to set
>> things up differently in this respect between servers and desktops. I
>> see little benefit in removing this directory.
>>
>> Lennart
>>
> I think moving /selinux is *a bit more complicated then just a simple
> kernel change. *We have libselinux changes, Lots of tools have learned
> over the years the path of /selinux and lots of users know about it.
>
> I am willing to work towards the goal of moving /selinux, but I might
> end up with a symbolic link if we can not fix all of the problems.

What was the original intention of creating selinux directory directly
under / ? Was this file system created at a 2.4 times when sysfs
didn't existed yet?

>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk27RKUACgkQrlYvE4MpobOCoACgvLrAnXtzvx V7ztHP4aiGr8Df
> VZ4AnAnqTzUofp62+IHkc9WmTvh74sRE
> =NLi7
> -----END PGP SIGNATURE-----
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>



--
Best regards,
Michal

http://eventhorizon.pl/
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 04-29-2011, 11:54 PM
Lennart Poettering
 
Default systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

On Fri, 29.04.11 16:34, Greg KH (greg@kroah.com) wrote:

> > > I think it's a very good decision - I never understood why selinux dir
> > > is directly under /.
> >
> > Yes, I think this would be a good thing to have in F16.
> >
> > Note however that this needs a tiny kernel patch to work, to create the
> > mount point under /sys/fs/selinux. This is a trivial patch and has been
> > done for /sys/fs/cgroup before, so I assume this would be easy to get
> > in and just needs a champion to push this forward.
>
> As I did this for /sys/fs/cgroup I can do it for /sys/fs/selinux as
> well, just let me know.

I'd say "yes, please" to this, right-away.

But I guess this is up to Dan Walsh to say.

Dan, could you say "yes" to this, please? If so, then the first step to
making this happen for F16 would already have been taken!

Lennart

--
Lennart Poettering - Red Hat, Inc.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 04-30-2011, 12:54 AM
Lennart Poettering
 
Default systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

On Fri, 29.04.11 17:46, Greg KH (greg@kroah.com) wrote:

> > > I think /srv actually makes a lot of sense. Probably not so much on the
> > > desktop, but the boundaries are blurry, and I see no reason to set
> > > things up differently in this respect between servers and desktops. I
> > > see little benefit in removing this directory.
> > >
> > > Lennart
> > >
> > I think moving /selinux is a bit more complicated then just a simple
> > kernel change. We have libselinux changes, Lots of tools have learned
> > over the years the path of /selinux and lots of users know about it.
> >
> > I am willing to work towards the goal of moving /selinux, but I might
> > end up with a symbolic link if we can not fix all of the problems.
>
> A symbolic link from /selinux to point at /sys/fs/selinux/ is a good
> idea to help people migrate. The startup tools should be able to create
> this if /sys/fs/selinux/ is not present, right?

This is not necessarily easy to do actually, since for upgraded systems
/selinux needs to be an actual directory in the rootfs to be useful as
mount points. At boot time the rootfs is read-only, hence removing the
dir then and turning it into a symlink is difficult.

However, we can use the same approach as we did for moving /var/run to
/run: on new installs create it as a symlink and on upgrades simply make
it a bind mount.

For the long run we could also add %post scripts to filesystem.rpm which
moves away the old /selinux, and recreates it as symlink. Unfortunately
that cannot be done completely atomic, but that property is not really
necessary here anyway I think.

So, yeah, it isn't super-pretty doing this move, but we can handle it
more or less exactly like the /var/run → /run move.

Lennart

--
Lennart Poettering - Red Hat, Inc.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 04-30-2011, 04:44 PM
Kay Sievers
 
Default systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

On Sat, Apr 30, 2011 at 02:54, Lennart Poettering <mzerqung@0pointer.de> wrote:
> On Fri, 29.04.11 17:46, Greg KH (greg@kroah.com) wrote:
>
>> > > I think /srv actually makes a lot of sense. Probably not so much on the
>> > > desktop, but the boundaries are blurry, and I see no reason to set
>> > > things up differently in this respect between servers and desktops. I
>> > > see little benefit in removing this directory.
>> > >
>> > I think moving /selinux is *a bit more complicated then just a simple
>> > kernel change. *We have libselinux changes, Lots of tools have learned
>> > over the years the path of /selinux and lots of users know about it.
>> >
>> > I am willing to work towards the goal of moving /selinux, but I might
>> > end up with a symbolic link if we can not fix all of the problems.
>>
>> A symbolic link from /selinux to point at /sys/fs/selinux/ is a good
>> idea to help people migrate. *The startup tools should be able to create
>> this if /sys/fs/selinux/ is not present, right?
>
> This is not necessarily easy to do actually, since for upgraded systems
> /selinux needs to be an actual directory in the rootfs to be useful as
> mount points. At boot time the rootfs is read-only, hence removing the
> dir then and turning it into a symlink is difficult.
>
> However, we can use the same approach as we did for moving /var/run to
> /run: on new installs create it as a symlink and on upgrades simply make
> it a bind mount.
>
> For the long run we could also add %post scripts to filesystem.rpm which
> moves away the old /selinux, and recreates it as symlink. Unfortunately
> that cannot be done completely atomic, but that property is not really
> necessary here anyway I think.
>
> So, yeah, it isn't super-pretty doing this move, but we can handle it
> more or less exactly like the /var/run → /run move.

Sounds all fine. I think we should get the kernel patch merged as soon
as possible. It will not harm anything if we don't use it now, and
continue to use /selinux as long as needed. But it will definitely
help solving the chicken egg problem when we are ready to do the
switch.

Kay
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 05-02-2011, 02:26 PM
Daniel J Walsh
 
Default systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/29/2011 07:54 PM, Lennart Poettering wrote:
> On Fri, 29.04.11 16:34, Greg KH (greg@kroah.com) wrote:
>
>>>> I think it's a very good decision - I never understood why selinux dir
>>>> is directly under /.
>>>
>>> Yes, I think this would be a good thing to have in F16.
>>>
>>> Note however that this needs a tiny kernel patch to work, to create the
>>> mount point under /sys/fs/selinux. This is a trivial patch and has been
>>> done for /sys/fs/cgroup before, so I assume this would be easy to get
>>> in and just needs a champion to push this forward.
>>
>> As I did this for /sys/fs/cgroup I can do it for /sys/fs/selinux as
>> well, just let me know.
>
> I'd say "yes, please" to this, right-away.
>
> But I guess this is up to Dan Walsh to say.
>
> Dan, could you say "yes" to this, please? If so, then the first step to
> making this happen for F16 would already have been taken!
>
> Lennart
>
Yes lets go forward with this. I will work on the libselinux patch. I
think we might want to hold off in F16 for a little while without the
link. So we can find apps that have hard coded /selinux/.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2+vy0ACgkQrlYvE4MpobMgwgCggCVquepMFP 4DiXf2+2ynYFI7
n/QAoNpk5ssRE/xgekb48b2ummtPiIno
=2ovb
-----END PGP SIGNATURE-----
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 05-02-2011, 04:09 PM
David Quigley
 
Default systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

On Sat, 30 Apr 2011 18:44:13 +0200, Kay Sievers wrote:


On Sat, Apr 30, 2011 at 02:54, Lennart Poettering <mzerqung@0pointer.de> wrote:
On Fri, 29.04.11 17:46, Greg KH (greg@kroah.com) wrote:

I think /srv actually makes a lot of sense. Probably not so much on the
desktop, but the boundaries are blurry, and I see no reason to set
things up differently in this respect between servers and desktops. I
see little benefit in removing this directory.

I think moving /selinux is *a bit more complicated then just a simple
kernel change. *We have libselinux changes, Lots of tools have learned
over the years the path of /selinux and lots of users know about it.

I am willing to work towards the goal of moving /selinux, but I might
end up with a symbolic link if we can not fix all of the problems.

A symbolic link from /selinux to point at /sys/fs/selinux/ is a good
idea to help people migrate. *The startup tools should be able to create
this if /sys/fs/selinux/ is not present, right?

This is not necessarily easy to do actually, since for upgraded systems
/selinux needs to be an actual directory in the rootfs to be useful as
mount points. At boot time the rootfs is read-only, hence removing the
dir then and turning it into a symlink is difficult.

However, we can use the same approach as we did for moving /var/run to
/run: on new installs create it as a symlink and on upgrades simply make
it a bind mount.

For the long run we could also add %post scripts to filesystem.rpm which
moves away the old /selinux, and recreates it as symlink. Unfortunately
that cannot be done completely atomic, but that property is not really
necessary here anyway I think.

So, yeah, it isn't super-pretty doing this move, but we can handle it
more or less exactly like the /var/run → /run move.

Sounds all fine. I think we should get the kernel patch merged as soon
as possible. It will not harm anything if we don't use it now, and
continue to use /selinux as long as needed. But it will definitely
help solving the chicken egg problem when we are ready to do the
switch.

Kay


Resending since I sent from the wrong email address and devel rejected it.


Merging the kernel patch without doing the legwork for userspace first is a very bad idea. The kernel is what mounts the FS under /selinux so if you have it mount under /sys/fs/selinux instead without coordinating with the required usespace changes you'll have a completely broken system. I'd say let Dan handle when the right time to merge the kernel patch is since both him and the tresys people will have to be involved with releasing new versions of libselinux . Also Dan will have to work with some of the package maintainers to cleanup and fix their packages as well. I'd really not like it if I can't test new kernels with my labeled-nfs patches because we merged an ABI breaking change into mainline without making sure people can handle it first.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 05-02-2011, 05:29 PM
Lennart Poettering
 
Default systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

On Mon, 02.05.11 12:09, David Quigley (selinux@davequigley.com) wrote:

> Merging the kernel patch without doing the
> legwork for userspace first is a very bad idea. The kernel is what
> mounts the FS under /selinux so if you have it mount under
> /sys/fs/selinux instead without coordinating with the required usespace
> changes you'll have a completely broken system. I'd say let Dan handle
> when the right time to merge the kernel patch is since both him and the
> tresys people will have to be involved with releasing new versions of
> libselinux . Also Dan will have to work with some of the package
> maintainers to cleanup and fix their packages as well. I'd really not
> like it if I can't test new kernels with my labeled-nfs patches because
> we merged an ABI breaking change into mainline without making sure
> people can handle it first.

No, userspace mounts the fs to /selinux.

If the kernel patch is merged (and it will, given that Dan okey'd it)
this wil just create an empty directory in /sys/fs/selinux suitable as
mount point. That's all. Whether this is actually used as mount point is
left to userspace.

Merging the kernel patch is pretty much risk-less. The transition to it
can happen at a later point, slowly, at a pace defined by Dan.

Lennart

--
Lennart Poettering - Red Hat, Inc.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 05-02-2011, 05:51 PM
Stephen Smalley
 
Default systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

On Mon, 2011-05-02 at 19:29 +0200, Lennart Poettering wrote:
> On Mon, 02.05.11 12:09, David Quigley (selinux@davequigley.com) wrote:
>
> > Merging the kernel patch without doing the
> > legwork for userspace first is a very bad idea. The kernel is what
> > mounts the FS under /selinux so if you have it mount under
> > /sys/fs/selinux instead without coordinating with the required usespace
> > changes you'll have a completely broken system. I'd say let Dan handle
> > when the right time to merge the kernel patch is since both him and the
> > tresys people will have to be involved with releasing new versions of
> > libselinux . Also Dan will have to work with some of the package
> > maintainers to cleanup and fix their packages as well. I'd really not
> > like it if I can't test new kernels with my labeled-nfs patches because
> > we merged an ABI breaking change into mainline without making sure
> > people can handle it first.
>
> No, userspace mounts the fs to /selinux.
>
> If the kernel patch is merged (and it will, given that Dan okey'd it)
> this wil just create an empty directory in /sys/fs/selinux suitable as
> mount point. That's all. Whether this is actually used as mount point is
> left to userspace.
>
> Merging the kernel patch is pretty much risk-less. The transition to it
> can happen at a later point, slowly, at a pace defined by Dan.

Yes, agreed. This does require updating various scripts that directly
reference /selinux though, including anaconda, dracut, puppet, etc. I'm
guessing that some of these direct references are due to scripts that
need to be able to run before /usr is mounted, so if we moved the
libselinux utils to /bin or /sbin, then the scripts could execute
selinuxenabled, getenforce, and setenforce without concern.

--
Stephen Smalley
National Security Agency

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 

Thread Tools




All times are GMT. The time now is 09:47 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org