Now I am genuinely surprised. Packages are not allowed to install systemd unit presets, packages are now allowed to install polkit rules, packages are not allowed to install custom /etc/permissions, but packages are allowed to install custom MAC profiles?
I was sure that any AppArmor/SELinux changes must go in via the single package after security review. Am I wrong?
Currently this is not the case for custom SELinux modules, but you are right, thanks for pointing that out. As MAC is an additional layer of security, it is not as detrimental as a package shipping with issues in their polkit rules/pam/systemd unit presets/.. or the other stuff that is monitored, which could lead to privilege escalation immediately. However, I agree that custom SELinux modules should be monitored. I will talk to the other people in the security team if we can get this into rpmlint or some other monitoring and perform reviews on submissions. I will create a wiki page on submission guidelines / review process when I know more. Thanks a lot for the pointer :) -- Cathy Hu <cahu@suse.de> SELinux Security Engineer GPG: 5873 CFD1 8C0E A6D4 9CBB F6C4 062A 1016 1505 A08A SUSE Software Solutions Germany GmbH Frankenstrasse 146 90461 Nürnberg Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)