On 19.07.2024 18:39, Cathy Hu wrote:
I read https://en.opensuse.org/Portal:SELinux/PackagingCustomPolicy. Are there some common practices for packages one wants to ship both an AppArmor profile and a custom SELinux policy module with?
Good question! We currently do not have many packages that ship both, I think. Off the top of my head there are forgejo [0] and passt [1], which do it differently.
My personal preference would be the way that forgejo does it. That means the custom SELinux modules should be in a subpackage called <package>-selinux and custom AppArmor profiles should be in a subpackage <package>-apparmor, e.g.:

    <package>-apparmor
    <package>-selinux
Now I am genuinely surprised. Packages are not allowed to install systemd unit presets, packages are not allowed to install polkit rules, packages are not allowed to install custom /etc/permissions, but packages are allowed to install custom MAC profiles? I was sure that any AppArmor/SELinux changes must go in via the single package after security review. Am I wrong?
And in the main package, you can `Require` the subpackage depending on whether the main apparmor or selinux packages are installed on the system.

For example like this (from the forgejo spec file):

    Requires: (%{name}-apparmor if apparmor-abstractions)
    Requires: (%{name}-selinux if selinux-policy-targeted)
However, I am also open to other ways and ideas to do it. Custom SELinux modules outside the main selinux-policy package have not been very common so far, and packages shipping both are even less common. Most of the SELinux modules are currently in our main selinux-policy [2] package.
Hope that helps, let me know if not :D
[0] https://build.opensuse.org/package/show/openSUSE:Factory/forgejo
[1] https://build.opensuse.org/package/show/openSUSE:Factory/passt
[2] https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy
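To show the layout the reply describes end to end, here is an added skeleton spec file; it is not the forgejo or passt spec. The package name `foo`, the source file names, the `targeted` store name and the `%selinux_*` and `%apparmor_reload` macros (assumed to be provided by `selinux-policy-devel` and the `apparmor` packaging macros respectively) are assumptions; the two subpackages and the rich `Requires: (A if B)` dependencies are the pattern from the message above.

```spec
# Added example skeleton (not the forgejo or passt spec): package "foo" ships
# its SELinux policy module in foo-selinux and its AppArmor profile in
# foo-apparmor, and the main package pulls in whichever matches the MAC
# framework already installed on the system.
Name:           foo
Version:        1.0
Release:        0
Summary:        Example service with optional MAC policy subpackages
License:        MIT
Source0:        %{name}-%{version}.tar.xz
# Assumption: SELinux type-enforcement source and AppArmor profile shipped as sources.
Source1:        %{name}.te
Source2:        usr.bin.foo
BuildRequires:  selinux-policy-devel
# Rich (boolean) dependencies: the subpackage is required only when the
# corresponding MAC policy base is present, so neither is forced onto a
# system that uses the other framework.
Requires:       (%{name}-apparmor if apparmor-abstractions)
Requires:       (%{name}-selinux if selinux-policy-targeted)

%description
Example service demonstrating per-framework MAC policy subpackages.

%package selinux
Summary:        SELinux policy module for %{name}
Requires:       selinux-policy-targeted
# Assumption: %%selinux_requires comes from selinux-policy-devel and adds the
# scriptlet dependencies needed to load modules during %%post.
%{?selinux_requires}

%description selinux
Custom SELinux policy module for %{name}, installed when the targeted policy is present.

%package apparmor
Summary:        AppArmor profile for %{name}
Requires:       apparmor-abstractions

%description apparmor
AppArmor profile for %{name}, installed when AppArmor abstractions are present.

%prep
%autosetup

%build
# Assumption: selinux-policy-devel provides the standard policy Makefile.
cp %{SOURCE1} .
make -f %{_datadir}/selinux/devel/Makefile %{name}.pp
bzip2 -9 %{name}.pp

%install
# Policy module goes into the per-store packages directory; the profile into apparmor.d.
install -D -m 0644 %{name}.pp.bz2 \
    %{buildroot}%{_datadir}/selinux/packages/targeted/%{name}.pp.bz2
install -D -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.foo

# Assumption: %%selinux_modules_install/_uninstall and %%selinux_relabel_post
# are the selinux-policy-devel scriptlet macros.
%post selinux
%selinux_modules_install -s targeted %{_datadir}/selinux/packages/targeted/%{name}.pp.bz2

%postun selinux
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s targeted %{name}
fi

%posttrans selinux
%selinux_relabel_post -s targeted

# Assumption: %%apparmor_reload is the openSUSE AppArmor packaging macro;
# the %%{?...} form expands to nothing if it is not defined.
%post apparmor
%{?apparmor_reload:%apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.foo}

%files
%{_bindir}/%{name}

%files selinux
%{_datadir}/selinux/packages/targeted/%{name}.pp.bz2

%files apparmor
%config %{_sysconfdir}/apparmor.d/usr.bin.foo

%changelog
```

The point of the `(A if B)` form is that a host with only AppArmor never gets the SELinux module (and its `selinux-policy-targeted` dependency) dragged in, and vice versa, while a host with neither framework installs just the main package; the subpackages still declare hard `Requires` on their own policy base so they cannot be installed in isolation without it.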