SELinux Module Packaging in FC5

Paul Howarth paul at city-fan.org
Tue May 16 14:08:49 UTC 2006


Stephen Smalley wrote:
> On Tue, 2006-03-14 at 10:29 +0000, Paul Howarth wrote:
>> Is there any documentation anywhere on including SELinux Policy Modules 
>> in packages (e.g. for Extras) in FC5? For instance, is there a directory 
>> where modules can be dropped into so that they get picked up 
>> automatically? Where should they live?
> 
> Yes, this would be useful to document in the Fedora SELinux wiki.
> Ideally, policy for a given software package should live in its own
> package on which the software package depends so that the package
> manager will install (and thus load) the policy before it tries to
> unpack the software package (thereby ensuring that any necessary file
> types are already defined in the kernel policy), e.g. package foo would
> depend on foo-policy.  Not certain where the foo-policy package should
> drop its policy module, possibly under /usr/share/selinux/foo, and then
> it can install it by running semodule -i from its %post scriptlet.

I've tried this and it doesn't quite work as I expected.

I have a main package "contagged" and a subpackage "contagged-policy".

The "contagged" package has:

Requires:       contagged-policy = %{version}-%{release}
Requires(pre):  contagged-policy = %{version}-%{release}

This ensures that the policy package is installed before the main 
package, and hangs around as long as the main package itself.

The policy package dumps policy in 
%{_datadir}/selinux/packages/contagged and uses scriptlets to handle 
module insertion and removal:

%post policy
[ -x /usr/sbin/semodule ] && /usr/sbin/semodule -i %{_datadir}/selinux/packages/contagged/contagged.pp || :

%postun policy
[ $1 -eq 0 ] && [ -x /usr/sbin/semodule ] && /usr/sbin/semodule -r contagged || :

The only thing the policy module is actually doing is specifying a file 
context in contagged.fc:

/var/cache/contagged(/.*)?  gen_context(system_u:object_r:httpd_cache_t,s0)

If contagged-policy is installed first, and then the contagged package 
is installed (separate rpm transactions), the file contexts get set up 
as expected. However, if both are done in the same RPM transaction, the 
packages get installed in the right order (and there is a noticeable 
delay after installing the policy subpackage where semodule is being 
called) but the context for directory /var/cache/contagged is left as 
system_u:object_r:var_t. I suspect that the reason for this is that rpm 
installs the files for all packages in the transaction and sets their 
file contexts before running (presumably in order) the %post scripts for 
the packages.

This rather defeats the purpose of having the separate -policy package, 
since I need to use restorecon to fix the file contexts at post-install 
time in case both packages are installed in the same transaction (a 
likely scenario). I could do this equally well using a single package, 
but it's untidy (I have to specify the pathnames that need non-standard 
contexts in both the .fc policy file and as an argument to restorecon in 
%post). I really prefer the separate package solution, but I think that 
would need changes in rpm, which might be hard to get done.

Any thoughts?

Paul.
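One way to take the duplication out of the restorecon workaround described in the post, as an added example that is not part of the original thread or of the contagged package: derive the restorecon targets from the module's own .fc file instead of repeating the pathnames in %post. It assumes the .fc file uses the one-path-per-line gen_context() form shown above and that restorecon lives at /sbin/restorecon.

```shell
#!/bin/sh
# Added example (not from the thread): read the restorecon targets out of a
# policy module's .fc file, so the paths are maintained in one place only.
# Assumption: one file-context spec per line, path in the first field, as in
# the contagged.fc line quoted in the post.

# fc_paths FILE: print the base path of every file-context line in FILE,
# stripping the optional-subtree regex "(/.*)?" and trailing ".*" so that
# what remains is a literal path restorecon can be given.
fc_paths() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }' \
        | sed -e 's|(/\.\*)?$||' -e 's|/\.\*$||' -e 's|\.\*$||'
}

# relabel_from_fc FILE: run restorecon -R over every path derived from FILE.
# Intended for %post of the main package: when both packages land in one rpm
# transaction the files already exist but were labelled before the module was
# loaded, so they need relabelling. Paths that do not exist are skipped.
relabel_from_fc() {
    fc_paths "$1" | while IFS= read -r p; do
        [ -e "$p" ] && [ -x /sbin/restorecon ] && /sbin/restorecon -R "$p"
    done
    return 0
}

# sample_fc_paths: write a constructed .fc file (the contagged line from the
# post plus one extra line of the ".*" form) to a temp file and print the
# paths fc_paths derives from it.
sample_fc_paths() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample, not the real contagged.fc
/var/cache/contagged(/.*)?  gen_context(system_u:object_r:httpd_cache_t,s0)
/etc/contagged/.*           gen_context(system_u:object_r:etc_t,s0)
EOF
    fc_paths "$tmp"
    rm -f "$tmp"
}

sample_fc_paths
```

Running the script prints the two base paths; in a spec file, call relabel_from_fc on the installed .fc file from the main package's %post.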