Directories for policy module packages

Paul Howarth paul at city-fan.org
Tue Jul 25 13:22:29 UTC 2006


Christopher J. PeBenito wrote:
> On Tue, 2006-07-25 at 10:14 +0100, Paul Howarth wrote:
>> Now that RPM packages are starting to include policy module packages (my 
>> mod_fcgid package was approved for Extras recently: 
>> http://bugzilla.redhat.com/195666), it would be nice to have a standard 
>> place for the .pp files to be dropped, and for that directory to be 
>> owned by the selinux-policy package (so that all the packages don't need 
>> to own it themselves).
>>
>> I propose the following:
>>
>> /usr/share/selinux/packages
>> (container directory, separate from modules bundled with Core package)
>>
>> /usr/share/selinux/packages/mls
>> (policy modules for use with the mls base policy)
>>
>> /usr/share/selinux/packages/strict
>> (policy modules for use with the strict base policy)
>>
>> /usr/share/selinux/packages/targeted
>> (policy modules for use with the targeted base policy)
>>
>> /usr/share/selinux/packages/share
>> (policy modules that have no base-specific elements, and can be used 
>> with all base policies)
> 
> There already is a standard location:
> 
> /usr/share/selinux/NAME/
> 
> where NAME is targeted, strict, mls, etc.

I asked about this before and it was suggested that 
/usr/share/selinux/NAME would best be avoided because Core/base packages 
would install modules there and there might be name conflicts. I'm not 
convinced by that argument myself, but:

  * /usr/share/selinux/NAME/ is owned by selinux-policy-NAME; since most 
systems will have only targeted policy installed, this is an issue for 
packages wanting to include modules built for all base policies, which 
will have no directories to install strict/mls modules to. There is also 
no /usr/share/selinux/share directory to install policy module packages 
common to all base policies.

I think wherever the directory is, it needs to be owned by the 
selinux-policy package itself and not the subpackages.

Paul.



