[Rpm-maint] [RFC] Packaging SELinux Policy in RPMs

Steve Lawrence slawrence at tresys.com
Wed Apr 14 17:30:58 UTC 2010

On Fri, 2010-04-09 at 10:40 -0400, James Antill wrote:
> On Thu, 2010-04-01 at 16:45 -0400, Steve Lawrence wrote:


It seems like you are in favor of bundling all policy into a single
policy package, adding that as a requirement, and always installing it.
This is certainly the easiest and least intrusive solution, though we're
still not convinced it is the best long-term solution. That said, we're
happy to move forward with it if you see it as the best option. Before
the decision is made though, we want to make sure the consequences are

Installing SELinux Policy and Infrastructure Becomes a Requirement

  Right now, SELinux policy and the infrastructure (e.g. libsemanage,
  policycoreutils) does not need to be installed. With this change
  though, it becomes a requirement. For example, apache.rpm will require
  apache-policy, and apache-policy will require selinux-policy, which
  requires policycoreutils and libsemanage. So if you want apache, then
  selinux-policy and the entire SELinux infrastructure will be required
  and installed. While this may not be a big deal, it is a very
  different behavior that some might not expect, especially since the
  apache modules may not even be installed even though apache-policy.rpm

Obsoleting/Customizing Modules is Difficult

  You give the example that you can just update the packages and add
  conflicts with the previous versions. I agree, for RH, this is a
  simple solution. However, if you aren't RH, this isn't easy. You would
  need to create your own version of the packages with your changes, and
  then watch for any changes to those packages from RH. This is a lot of
  work when all you may want to package is an updated type or module.

Policy Type Switching is Still a Problem

  When we install policy packages, we would check to see if the modules
  from that package should actually be installed. For example, if only
  targeted policy is installed, we can't install the mls apache module
  (even though apache-policy.rpm is installed). However, if we want to
  switch to an mls policy after apache-policy.rpm has already been
  installed, we need to detect that and install the mls apache
  module. This would likely need to be performed by a separate tool.

  Unless you are saying we should install all policy types all the time.
  In this case, all you need to do to switch types is edit
  /etc/selinux/config. However, actually installing all policy types
  (not just the rpms) all the time is going to increase the rpm transaction
  time, since there would be a separate semodule call per type, which is
  very slow.
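The per-type check described in the last section, as an added example that is not part of the original post or of any rpm/SELinux project code. It assumes a package that ships one module tree per policy type (`<pkgdir>/<type>/<module>.pp`, an assumed layout), treats a policy type as "installed" when `/etc/selinux/<type>/policy` exists, and reads the active type from `SELINUXTYPE=` in `/etc/selinux/config`. The `SEROOT` prefix and the constructed fixture exist only so it runs offline; the `semodule -s <type> -i <module>` commands it would issue from a `%post` scriptlet are printed rather than executed, so modules for an absent type (here, `mls`) are skipped instead of failing the transaction.

```shell
#!/bin/sh
# Added example, not from the original thread. Decide which per-type
# SELinux modules a policy package should load, given which policy types
# are actually present. Package layout and SEROOT prefix are assumptions;
# the semodule commands are echoed, not run.

SEROOT="${SEROOT:-}"   # test prefix for /etc; empty on a real system

# Policy types present on the system: every /etc/selinux/<type>/policy dir.
installed_policy_types() {
    for d in "$SEROOT"/etc/selinux/*/policy; do
        [ -d "$d" ] || continue
        d=${d%/policy}
        echo "${d##*/}"
    done
}

# Active type from SELINUXTYPE= in /etc/selinux/config, defaulting to targeted.
active_policy_type() {
    cfg="$SEROOT/etc/selinux/config"
    t=""
    if [ -r "$cfg" ]; then
        t=$(sed -n 's/^SELINUXTYPE=//p' "$cfg" | tail -n1)
    fi
    echo "${t:-targeted}"
}

# For a package tree laid out as <pkgdir>/<type>/<module>.pp, print the
# semodule command for each module whose policy type is installed; modules
# for types that are not installed are reported on stderr and skipped.
plan_module_installs() {
    pkgdir=$1
    for typedir in "$pkgdir"/*/; do
        [ -d "$typedir" ] || continue
        type=$(basename "$typedir")
        if [ -d "$SEROOT/etc/selinux/$type/policy" ]; then
            for pp in "$typedir"*.pp; do
                [ -f "$pp" ] || continue
                echo "semodule -s $type -i $pp"
            done
        else
            echo "skip: policy type '$type' is not installed" >&2
        fi
    done
}

# Constructed fixture: a root with only the targeted policy installed and a
# package shipping an apache module for both targeted and mls.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/selinux/targeted/policy"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$root/etc/selinux/config"
    mkdir -p "$root/pkg/targeted" "$root/pkg/mls"
    : > "$root/pkg/targeted/apache.pp"
    : > "$root/pkg/mls/apache.pp"
    echo "$root"
}

# Demo run against the fixture (only the targeted module is planned).
demo_root=$(make_fixture)
SEROOT=$demo_root
echo "active type: $(active_policy_type)"
plan_module_installs "$demo_root/pkg"
rm -rf "$demo_root"
SEROOT=""
```

If a later switch to mls is wanted, the same `plan_module_installs` walk can be re-run by whatever tool handles the type change, which is the separate step the post says would be needed; the per-type loop also makes visible why each additional installed type costs one more `semodule` invocation.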
