
As the maintainer of forgejo, I would also love to know about how we should do this. I don't mind changing how I package forgejo. Was also debating about abolishing apparmor, as I am already on selinux, and "recently" noticed that the apparmor profile had a mistake in it, which made it unusable. But as nobody complained, I can almost assume that nobody uses it anyway.
On 19/07/2024 17:39, Cathy Hu wrote:
I read https://en.opensuse.org/Portal:SELinux/PackagingCustomPolicy. Are there some common practices for packages one wants to ship both an AppArmor profile and a custom SELinux policy module with?
Good question! We currently do not have many packages that ship both, I think. From the top of my mind there are forgejo [0] and passt [1], which do it differently.
My personal preference would be the way that forgejo does it. That means, the custom SELinux modules should be in a subpackage called <package>-selinux and custom AppArmor profiles should be in a subpackage <package>-apparmor, e.g.:
<package>-apparmor
<package>-selinux
And in the main package, you can `Require` the subpackage depending on whether the main apparmor or selinux packages are installed on the system.
For example like this (from forgejo spec file):
Requires: (%{name}-apparmor if apparmor-abstractions)
Requires: (%{name}-selinux if selinux-policy-targeted)
However, I am also open to other ways and ideas to do it. Custom SELinux modules outside the main selinux-policy package have not been something really common so far and packages shipping both are even less common. Most of the SELinux modules are currently in our main selinux-policy [2] package.
Hope that helps, let me know if not :D
[0] https://build.opensuse.org/package/show/openSUSE:Factory/forgejo
[1] https://build.opensuse.org/package/show/openSUSE:Factory/passt
[2] https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy