SELinux Module Packaging in FC5

Stephen Smalley sds at tycho.nsa.gov
Tue Mar 14 12:58:43 UTC 2006


On Tue, 2006-03-14 at 10:29 +0000, Paul Howarth wrote:
> Is there any documentation anywhere on including SELinux Policy Modules 
> in packages (e.g. for Extras) in FC5? For instance, is there a directory 
> where modules can be dropped into so that they get picked up 
> automatically? Where should they live?

Yes, this would be useful to document in the Fedora SELinux wiki.
Ideally, policy for a given software package should live in its own
package on which the software package depends so that the package
manager will install (and thus load) the policy before it tries to
unpack the software package (thereby ensuring that any necessary file
types are already defined in the kernel policy), e.g. package foo would
depend on foo-policy.  Not certain where the foo-policy package should
drop its policy module, possibly under /usr/share/selinux/foo, and then
it can install it by running semodule -i from its %post scriptlet.

> Consider an example. I have an LDAP-backed addressbook frontend written 
> in PHP that runs on apache. So I install the files in /var/www/someplace 
> in my package and I need to provide an SELinux module that:
> 
> * Includes the appropriate file contexts for the application's cache 
> directory, which needs to be writable by httpd
> * Gives httpd permission to contact LDAP servers over the network (i.e. 
> ports 389 and 636)
> 
> Is it possible to turn on the httpd_builtin_scripting boolean from a 
> module (the app is written in PHP and needs this)? Is it even sensible 
> to try to do this, or should there just be a README.SELinux telling people they 
> need to do this themselves?

Not sure if enabling the boolean is the right model there vs. "calling"
an interface from your module to enable those rules unconditionally when
your module is loaded, because you want the behavior reverted if/when
your module is removed but other modules might likewise want the same
rules or the admin may have a local customization already.  The
foo-policy package could certainly call setsebool -P from %post, but I
doubt that is the right approach.

> Should the module be loaded in a %post script?

Yes, but ideally from a foo-policy package on which foo depends, so that
it is loaded before unpacking foo (so that the file contexts can be set
down properly).

> Some guidelines would no doubt be appreciated by many people.

-- 
Stephen Smalley
National Security Agency
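The following is an added example, not part of the original mail and not Fedora's or the refpolicy project's own code, of what the layout Stephen describes looks like for the PHP/LDAP addressbook: a separate foo-policy package that ships a policy module, loads it with semodule -i from %post, and unloads it on erase, with the LDAP access expressed as an interface call inside the module rather than a global setsebool -P. Everything specific is an assumption for illustration: the module name "foo", the install root /var/www/foo with a writable cache subdirectory, the type name httpd_foo_rw_content_t, the drop directory /usr/share/selinux/packages/foo, the selinux-policy-devel Makefile at /usr/share/selinux/devel/Makefile, and the refpolicy interfaces and permission sets used (files_type, manage_dir_perms, manage_file_perms, corenet_tcp_connect_ldap_port).

```shell
#!/bin/sh
# Added example: generate the sources and RPM scriptlets for a hypothetical
# "foo-policy" package.  Names, paths and interfaces are assumptions, not
# anything stated in the original mail.
set -eu

MODULE=foo
POLICY_DIR=/usr/share/selinux/packages/$MODULE   # assumed drop directory
APP_ROOT=/var/www/foo                             # assumed install root

# Write the module sources (foo.te and foo.fc) into the directory given as $1.
write_policy_sources() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(foo, 0.1.0)

# Types the module uses but does not define; they come from the base policy.
gen_require(`
    type httpd_t;
    type httpd_sys_content_t;
')

# A file type for the cache directory that httpd may write to.  The rest of
# the tree is labelled httpd_sys_content_t by foo.fc and stays read-only.
type httpd_foo_rw_content_t;
files_type(httpd_foo_rw_content_t)

allow httpd_t httpd_foo_rw_content_t:dir manage_dir_perms;
allow httpd_t httpd_foo_rw_content_t:file manage_file_perms;

# Let httpd connect to the LDAP ports (389/636 carry ldap_port_t in the base
# policy).  Calling the interface from this module ties the rule to the
# module, so "semodule -r foo" reverts it; a setsebool -P from %post would
# stay behind and could clobber the admin's own setting.
corenet_tcp_connect_ldap_port(httpd_t)
EOF
    cat > "$dir/$MODULE.fc" <<'EOF'
/var/www/foo(/.*)?          gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/foo/cache(/.*)?    gen_context(system_u:object_r:httpd_foo_rw_content_t,s0)
EOF
}

# Write the RPM scriptlets for both packages into $1/scriptlets.spec.
# foo-policy loads the module in %post and removes it on final erase only
# ($1 -eq 0, not on upgrade); foo carries "Requires: foo-policy" so the
# types exist before its files are unpacked, and merely relabels in %post.
write_spec_scriptlets() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/scriptlets.spec" <<EOF
# --- foo-policy ---
%post
semodule -i $POLICY_DIR/$MODULE.pp >/dev/null 2>&1 || :

%postun
if [ \$1 -eq 0 ]; then
    semodule -r $MODULE >/dev/null 2>&1 || :
fi

# --- foo (Requires: foo-policy) ---
%post
restorecon -R $APP_ROOT >/dev/null 2>&1 || :
EOF
}

# Build foo.pp from the sources in $1 with the (assumed) selinux-policy-devel
# Makefile and load it.  Needs root for semodule.  When the toolchain is not
# installed it reports "skipped" and returns 0, so the sources can still be
# generated and inspected on any machine.
build_and_load() {
    dir=$1
    if [ ! -f /usr/share/selinux/devel/Makefile ] \
        || ! command -v semodule >/dev/null 2>&1; then
        echo "skipped: selinux-policy-devel or policycoreutils not installed"
        return 0
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$dir/$MODULE.pp"
}
```

Usage: `write_policy_sources ./foo-policy; write_spec_scriptlets ./foo-policy; build_and_load ./foo-policy`. After a real install, check that the module is listed by `semodule -l` and that `ls -Z /var/www/foo/cache` shows httpd_foo_rw_content_t; if the cache directory still shows httpd_sys_content_t, the module was loaded after the files were unpacked and a `restorecon -R /var/www/foo` is needed.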