>>> If I remember correctly, someone posted a guideline to make >>> a RPM package which contains binary security policy, several >>> weeks ago. >>> >>> If you know the URL, would you tell me the location? >> There is a draft guide at: >> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules > Thanks, so much! I have a comment for the Policy Module Packaging Guideline. The document says every *.pp files should be installed for any sort of policies (targeted, strict, mls) in the %post section. However, it can cause a problem when a part of policies are not installed yet. When we try to install an application including policy package on the system which has only targeted policy, installation of *.pp files for strict/mls will be failed no need to say. If we want to install selinux-policy-strict or -mls later, the oraphan *.pp files are not linked automatically because "/usr/bin/semodule -i" is not invoked. It will cause a simple problem, but a bit difficult to find out. I have an idea that uses "%triggerin" to invoke "/use/bin/semodule -i" to link orphan *.pp files on instllation of selinux-policy-* packages later, as follows: ---------------- %triggerin -- selinux-policy-targeted if [ $0 -eq 1 ]; then /usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/mymodule.pp &> /dev/null || : fi %triggerin -- selinux-policy-strict if [ $0 -eq 1 ]; then /usr/sbin/semodule -s strict -i %{_datadir}/selinux/strict/mymodule.pp &> /dev/null || : fi %triggerin -- selinux-policy-mls if [ $0 -eq 1 ]; then /usr/sbin/semodule -s mls -i %{_datadir}/selinux/mls/mymodule.pp &> /dev/null || : fi ---------------- If the application is installed on the system which already has selinux-policy-strict, "%triggerin -- selinux-policy-strict" will be invoked just when the application is installed, so there is no degrading. Thanks,

KaiGai Kohei wrote: >>>> If I remember correctly, someone posted a guideline to make >>>> a RPM package which contains binary security policy, several >>>> weeks ago. >>>> >>>> If you know the URL, would you tell me the location? >>> There is a draft guide at: >>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules >> Thanks, so much! > I have a comment for the Policy Module Packaging Guideline. > > The document says every *.pp files should be installed for any sort of policies > (targeted, strict, mls) in the %post section. > However, it can cause a problem when a part of policies are not installed yet. > > When we try to install an application including policy package on the system > which has only targeted policy, installation of *.pp files for strict/mls will > be failed no need to say. > If we want to install selinux-policy-strict or -mls later, the oraphan *.pp files > are not linked automatically because "/usr/bin/semodule -i" is not invoked. > It will cause a simple problem, but a bit difficult to find out. > > I have an idea that uses "%triggerin" to invoke "/use/bin/semodule -i" to link > orphan *.pp files on instllation of selinux-policy-* packages later, as follows: > > ---------------- > %triggerin -- selinux-policy-targeted > if [ $0 -eq 1 ]; then > /usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/mymodule.pp &> /dev/null || : > fi > %triggerin -- selinux-policy-strict > if [ $0 -eq 1 ]; then > /usr/sbin/semodule -s strict -i %{_datadir}/selinux/strict/mymodule.pp &> /dev/null || : > fi > %triggerin -- selinux-policy-mls > if [ $0 -eq 1 ]; then > /usr/sbin/semodule -s mls -i %{_datadir}/selinux/mls/mymodule.pp &> /dev/null || : > fi > ---------------- > > If the application is installed on the system which already has selinux-policy-strict, > "%triggerin -- selinux-policy-strict" will be invoked just when the application is > installed, so there is no degrading. Looks sane to me though it would be nice if there was some way of expressing this once rather than duplicate it for each policy type. Can't think of any way of doing that though.