[DSE-Dev] Question regarding shipping a SELinux Policy in Package

Paul Tagliamonte paultag at debian.org
Thu May 14 17:35:55 BST 2020


> I think there aren't docs about how to ship SELinux policies with
> application packages, because that's not the way it's done.
> There are several reasons:
> * The package shipped policy module might not compile/load on the
> system, cause the system policy can use different types/attributes
> etc.
> * The system administrator might not want to install policy modules
> shipped by applications, because of
> trust/compatibility/maintainability/integrity.
> * The shipped policy module might not fit everyone's needs: for one it
> might be too permissive, for the next too restricted

I see. That makes some amount of sense!

> You can try to introduce a policy for your package into the official
> upstream Reference Policy [1], which is the base for the Debian
> policy.

Hurm, ok! That also sounds sensible. It also sounds very heavy-weight.

> (If necessary you could ship the SELinux policy source files under
> /usr/share/my_package/selinux/ and hint users at it.)

Ah, this is a great idea! I wasn't sure if there was some system that
would allow for loading of SELinux modules automatically (not unlike
how vim does configuration -- if you're using the system config, the
system module loading can handle it, otherwise you have your own setup;
I didn't know if SELinux made the same assumption about "targeted" and
"mls" being "from the distro" and therefore trusted all distro packages to provide
sensible policy). It does sound like that is expressly not supported by
design -- which, fair enough!

> Best regards,
>       Christian Göttsche
>
> [1]: https://github.com/SELinuxProject/refpolicy
>
>
> p.s.: IRC is available at #selinux on Freenode

Ah yes, I joined that last night after sending this mail - wasn't sure if
Debian-specific questions were appropriate there. Are they? I assumed
this was a packaging related question, because I did not understand
our relation to the upstream policy.

Thank you very much!
  paultag


-- 
:wq
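The quoted suggestion (ship the policy sources under /usr/share/my_package/selinux/ and let the administrator decide) leaves the build-and-load step to the admin. The script below is an added example of that admin-side step; it is not code from this thread, from Debian, or from the Reference Policy. It assumes the package ships `<name>.te`, `<name>.if` and `<name>.fc` in that directory and that the selinux-policy-dev toolchain provides `/usr/share/selinux/devel/Makefile` (the Fedora/Debian convention; override `DEVEL_MAKEFILE` if yours lives elsewhere). The package name `my_package` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): build and load a SELinux policy module
# from sources a package ships under /usr/share/<pkg>/selinux/, leaving the
# decision to load it with the administrator, as the quoted reply recommends.
# Assumptions (not stated in the thread): sources are <name>.te/.if/.fc and the
# selinux-policy-dev Makefile lives at /usr/share/selinux/devel/Makefile.
set -eu

PKG=${PKG:-my_package}                       # hypothetical package name
SRC_DIR=${SRC_DIR:-/usr/share/$PKG/selinux}  # where the package ships its sources
DEVEL_MAKEFILE=${DEVEL_MAKEFILE:-/usr/share/selinux/devel/Makefile}

# Print the module name declared by "policy_module(name, version)" in a .te file,
# so the admin can confirm the file name and the declared module name agree.
module_name() {
    sed -n 's/^[[:space:]]*policy_module(\([^,)[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the literal (regex-free) paths from a .fc file, one per line; these are
# the paths whose labels must be refreshed after the module is loaded. Entries
# with regex metacharacters (e.g. "/var/lib/foo(/.*)?") are left to a manual
# restorecon because we cannot expand them safely here.
fc_literal_paths() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{print $1}' \
        | grep -v '[][*?+()|\\]' || true
}

# Return 0 when everything needed to build <name> is in place.
can_build() {
    name=$1
    command -v make >/dev/null 2>&1 || return 1
    [ -r "$DEVEL_MAKEFILE" ] || return 1
    [ -r "$SRC_DIR/$name.te" ] || return 1
    return 0
}

# Build <name>.pp in a scratch directory from the shipped sources; print its path.
# Building in a scratch copy keeps /usr/share read-only and leaves the shipped
# sources untouched for later review or rebuilds.
build_module() {
    name=$1
    work=$(mktemp -d)
    cp "$SRC_DIR/$name.te" "$work/"
    [ -r "$SRC_DIR/$name.if" ] && cp "$SRC_DIR/$name.if" "$work/"
    [ -r "$SRC_DIR/$name.fc" ] && cp "$SRC_DIR/$name.fc" "$work/"
    (cd "$work" && make -f "$DEVEL_MAKEFILE" "$name.pp" >/dev/null)
    echo "$work/$name.pp"
}

# Load the built module, relabel the literal paths from its .fc file, and
# return 0 only if semodule now lists the module.
load_module() {
    name=$1
    pp=$2
    semodule -i "$pp"
    if [ -r "$SRC_DIR/$name.fc" ]; then
        fc_literal_paths "$SRC_DIR/$name.fc" | while read -r p; do
            [ -e "$p" ] && restorecon -R "$p"
        done
    fi
    semodule -l | grep -qx "$name"
}

main() {
    action=$1
    name=$2
    can_build "$name" || {
        echo "cannot build $name: check $DEVEL_MAKEFILE and $SRC_DIR/$name.te" >&2
        return 1
    }
    declared=$(module_name "$SRC_DIR/$name.te")
    [ "$declared" = "$name" ] \
        || echo "warning: $name.te declares policy_module($declared)" >&2
    pp=$(build_module "$name")
    echo "built $pp"
    case $action in
        build) ;;
        load)  load_module "$name" "$pp" && echo "module $name loaded" ;;
        *)     echo "usage: $0 build|load <module>" >&2; return 2 ;;
    esac
}

# Run only when invoked as "<build|load> <module>", so the functions can also be sourced.
if [ $# -eq 2 ]; then
    main "$@"
fi
```

Typical use is `sh ship-selinux.sh build my_package` to inspect the resulting `.pp` first, then `load` as root once the sources have been reviewed; `SRC_DIR` and `DEVEL_MAKEFILE` can be overridden in the environment for a package or distribution that puts them elsewhere.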
