Guideline for RPM packages

KaiGai Kohei kaigai at
Thu Jul 26 08:57:26 UTC 2007

>>> If I remember correctly, someone posted a guideline to make
>>> a RPM package which contains binary security policy, several
>>> weeks ago.
>>> If you know the URL, would you tell me the location?
>> There is a draft guide at:
> Thanks, so much!

I have a comment for the Policy Module Packaging Guideline.

The document says every *.pp files should be installed for any sort of policies
(targeted, strict, mls) in the %post section.
However, it can cause a problem when a part of policies are not installed yet.

When we try to install an application including policy package on the system
which has only targeted policy, installation of *.pp files for strict/mls will
be failed no need to say.
If we want to install selinux-policy-strict or -mls later, the oraphan *.pp files
are not linked automatically because "/usr/bin/semodule -i" is not invoked.
It will cause a simple problem, but a bit difficult to find out.

I have an idea that uses "%triggerin" to invoke "/use/bin/semodule -i" to link
orphan *.pp files on instllation of selinux-policy-* packages later, as follows:

  %triggerin -- selinux-policy-targeted
  if [ $0 -eq 1 ]; then
      /usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/mymodule.pp &> /dev/null || :
  %triggerin -- selinux-policy-strict
  if [ $0 -eq 1 ]; then
      /usr/sbin/semodule -s strict -i %{_datadir}/selinux/strict/mymodule.pp &> /dev/null || :
  %triggerin -- selinux-policy-mls
  if [ $0 -eq 1 ]; then
      /usr/sbin/semodule -s mls -i %{_datadir}/selinux/mls/mymodule.pp &> /dev/null || :

If the application is installed on the system which already has selinux-policy-strict,
"%triggerin -- selinux-policy-strict" will be invoked just when the application is
installed, so there is no degrading.

OSS Platform Development Division, NEC
KaiGai Kohei <kaigai at>

More information about the fedora-selinux-list mailing list