Directories for policy module packages

Daniel J Walsh dwalsh at redhat.com
Tue Jul 25 16:04:20 UTC 2006


Paul Howarth wrote:
> Christopher J. PeBenito wrote:
>> On Tue, 2006-07-25 at 10:14 +0100, Paul Howarth wrote:
>>> Now that RPM packages are starting to include policy module packages 
>>> (my mod_fcgid package was approved for Extras recently: 
>>> http://bugzilla.redhat.com/195666), it would be nice to have a 
>>> standard place for the .pp files to be dropped, and for that 
>>> directory to be owned by the selinux-policy package (so that all the 
>>> packages don't need to own it themselves).
>>>
>>> I propose the following:
>>>
>>> /usr/share/selinux/packages
>>> (container directory, separate from modules bundled with Core package)
>>>
>>> /usr/share/selinux/packages/mls
>>> (policy modules for use with the mls base policy)
>>>
>>> /usr/share/selinux/packages/strict
>>> (policy modules for use with the strict base policy)
>>>
>>> /usr/share/selinux/packages/targeted
>>> (policy modules for use with the targeted base policy)
>>>
>>> /usr/share/selinux/packages/share
>>> (policy modules that have no base-specific elements, and can be used 
>>> with all base policies)
>>
I think this is a good idea.
>> There already is a standard location:
>>
>> /usr/share/selinux/NAME/
>>
Currently the selinux-policy-TYPE package looks in this directory and 
installs all the pp files that are in this directory.
It should probably change to only install the pp files that it is 
packaging.  This is a management headache because we
don't need to manage this now.  If someone has a good solution to 
figuring out the pp files during the spec build this would be
great.  Trying to update the modules-TYPE.conf file and maintaining the 
spec file in sync would be a royal pain. 
>> where NAME is targeted, strict, mls, etc.
>
> I asked about this before and it was suggested that 
> /usr/share/selinux/NAME would best be avoided because Core/base 
> packages would install modules there and there might be name 
> conflicts. I'm not convinced by that argument myself, but:
>
>  * /usr/share/selinux/NAME/ is owned by selinux-policy-NAME; since 
> most systems will have only targeted policy installed, this is an 
> issue for packages wanting to include modules built for all base 
> policies, which will have no directories to install strict/mls modules 
> to. There is also no /usr/share/selinux/share directory to install 
> policy module packages common to all base policies.
>
> I think wherever the directory is, it needs to be owned by the 
> selinux-policy package itself and not the subpackages.
>
> Paul.



