I read https://en.opensuse.org/Portal:SELinux/PackagingCustomPolicy. Are there some common practices for packages one wants to ship both an AppArmor profile and a custom SELinux policy module with?
Good question! We currently do not have many packages that ship both, I think. From the top of my mind there are forgejo [0] and passt [1], which do it differently.

My personal preference would be the way that forgejo does it. That means, the custom SELinux modules should be in a subpackage called <package>-selinux and custom AppArmor profiles should be in a subpackage <package>-apparmor, e.g.:

    <package>-apparmor
    <package>-selinux

And in the main package, you can `Require` the subpackage depending on whether the main apparmor or selinux packages are installed on the system. For example like this (from forgejo spec file):

    Requires: (%{name}-apparmor if apparmor-abstractions)
    Requires: (%{name}-selinux if selinux-policy-targeted)

However, I am also open to other ways and ideas to do it. Custom SELinux modules outside the main selinux-policy package have not been something really common so far, and packages shipping both are even less common. Most of the SELinux modules are currently in our main selinux-policy [2] package.

Hope that helps, let me know if not :D

[0] https://build.opensuse.org/package/show/openSUSE:Factory/forgejo
[1] https://build.opensuse.org/package/show/openSUSE:Factory/passt
[2] https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy
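
A packaging check for the layout described in the reply above, as an added example that is not part of the original thread or of any openSUSE tooling: it reports -apparmor / -selinux subpackages that the main package does not pull in with a conditional Requires. The package name "mydaemon", the sample spec and the function name check_mac_requires are made up for illustration; the trigger packages are the ones in the quoted forgejo lines.

```python
import re

# Constructed sample spec fragment ("mydaemon" is a made-up package).
# It declares both subpackages but only requires the AppArmor one.
SAMPLE_SPEC = """\
Name:           mydaemon
Requires:       (%{name}-apparmor if apparmor-abstractions)

%package apparmor
Summary:        AppArmor profile for mydaemon

%package selinux
Summary:        SELinux policy module for mydaemon

%description
"""

# Trigger package per MAC system, as in the forgejo lines quoted in the reply.
TRIGGERS = {"apparmor": "apparmor-abstractions",
            "selinux": "selinux-policy-targeted"}
# Only the single-clause form "(X if Y)" is recognised; "%package -n" is ignored.
RICH_REQ = re.compile(r"^Requires:\s*\(\s*(\S+)\s+if\s+(\S+?)\s*\)\s*$")
SUBPKG = re.compile(r"^%package\s+(\S+)\s*$")


def check_mac_requires(spec_text):
    """Return MAC subpackages that lack a conditional Requires in the main package."""
    name, main_reqs, subpkgs, in_main = None, set(), [], True
    for raw in spec_text.splitlines():
        line = raw.strip()
        m = SUBPKG.match(line)
        if m:
            subpkgs.append(m.group(1))
        if line.startswith(("%package", "%description")):
            in_main = False          # the main package preamble ends here
        if not in_main:
            continue
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        m = RICH_REQ.match(line)
        if m:
            main_reqs.add((m.group(1), m.group(2)))
    missing = []
    for kind, trigger in TRIGGERS.items():
        if kind in subpkgs:
            wanted = {(f"{name}-{kind}", trigger), ("%{name}-" + kind, trigger)}
            if not wanted & main_reqs:
                missing.append(kind)
    return missing
```

Run over SAMPLE_SPEC it returns the selinux subpackage, since nothing in the main package would install it on a system that has selinux-policy-targeted.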