[DSE-Dev] Question regarding shipping a SELinux Policy in Package

Christian Göttsche cgzones at googlemail.com
Thu May 14 16:56:47 BST 2020


On Wed, 13 May 2020 at 16:45, Paul Tagliamonte <paultag at debian.org> wrote:
>
> Hello, SELinux folks,
>
> Does anyone on this list have a pointer to docs on how packages should ship SELinux policies in application packages for SELinux enabled systems? If not, is there a good IRC channel to ask in, or mailing list to ask if this is the wrong one?
>
> Thanks!
>   paultag

I think there aren't docs about how to ship SELinux policies with
application packages, because that's not the way it's done.
There are several reasons:
* The package shipped policy module might not compile/load on the
system, because the system policy can use different types/attributes
etc.
* The system administrator might not want to install policy modules
shipped by applications, because of
trust/compatibility/maintainability/integrity.
* The shipped policy module might not fit everyone's needs: for one it
might be too permissive, for the next too restricted.

You can try to introduce a policy for your package into the official
upstream Reference Policy [1], which is the base for the Debian
policy.
(If necessary you could ship the SELinux policy source files under
/usr/share/my_package/selinux/ and hint users at it.)

Best regards,
      Christian Göttsche

[1]: https://github.com/SELinuxProject/refpolicy


p.s.: IRC is available at #selinux on Freenode


