Re: [DSE-Dev] Question regarding shipping a SELinux Policy in Package

2020-05-14 Thread Christian Göttsche
On Wed, 13 May 2020 at 16:45, Paul Tagliamonte wrote:
>
> Hello, SELinux folks,
>
> Does anyone on this list have a pointer to docs on how packages should ship
> SELinux policies in application packages for SELinux enabled systems? If not, 
> is there a good IRC channel to ask in, or mailing list to ask if this is the 
> wrong one?
>
> Thanks!
>   paultag

I think there aren't docs about how to ship SELinux policies with
application packages, because that's not the way it's done.
There are several reasons:
* The package shipped policy module might not compile/load on the
system, cause the system policy can use different types/attributes
etc.
* The system administrator might not want to install policy modules
shipped by applications, because of
trust/compatibility/maintainability/integrity.
* The shipped policy module might not fit everyone's needs: for one it
might be too permissive, for the next too restricted

You can try to introduce a policy for your package into the official
upstream Reference Policy [1], which is the base for the Debian
policy.
(If necessary you could ship the SELinux policy source files under
/usr/share/my_package/selinux/ and hint users at it.)

Best regards,
  Christian Göttsche

[1]: https://github.com/SELinuxProject/refpolicy


p.s.: IRC is available at #selinux on Freenode

___
SELinux-devel mailing list
SELinux-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/selinux-devel
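As an added example (not from this thread, and not code from refpolicy or Debian), here is a POSIX shell helper for the route Christian describes in his last paragraph: the package ships policy sources under /usr/share/my_package/selinux/ and the administrator, not the package, decides whether to build and load them. It assumes refpolicy-style sources (`<module>.te` with optional `.fc`/`.if`) and the policy development headers at `/usr/share/selinux/devel/Makefile` as shipped by the selinux-policy-dev package; both are assumptions, not something the thread states. The build step is where the first caveat above surfaces: a module that references a type or attribute the installed policy does not define fails at `make`, before `semodule -i` has changed anything, and `DRY_RUN=1` prints the commands so they can be reviewed first.

```shell
#!/bin/sh
# load-shipped-policy.sh: build and load an SELinux policy module from source
# files a package ships under /usr/share/<package>/selinux/.
# Added example, not code from the thread. Assumptions (not stated in the
# thread): refpolicy-style sources named <module>.te plus optional
# <module>.fc/<module>.if, and the policy headers from selinux-policy-dev at
# /usr/share/selinux/devel/Makefile.
set -u

DEVEL_MAKEFILE="${DEVEL_MAKEFILE:-/usr/share/selinux/devel/Makefile}"

# Run a command, or only print it when DRY_RUN=1, so an admin can review
# what would be compiled and loaded before trusting a package-shipped module.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Print the module name derived from the single .te file in the source
# directory; fail unless there is exactly one, because the make target and
# the .fc/.if file names are derived from it.
policy_module_name() {
    dir=$1; n=0; name=
    for te in "$dir"/*.te; do
        [ -f "$te" ] || continue
        n=$((n + 1)); name=${te##*/}; name=${name%.te}
    done
    [ "$n" -eq 1 ] || { echo "expected exactly one .te file in $dir, found $n" >&2; return 1; }
    echo "$name"
}

# Succeed only if the .te declares policy_module(<name>, ...) under the same
# name as the file, so the file name and what `semodule -l` shows agree.
policy_module_declared() {
    dir=$1; name=$2
    grep -Eq "^policy_module\( *$name *," "$dir/$name.te"
}

# Print the fixed path prefixes from a file-contexts file, one per line:
# each path regex is cut at its first metacharacter, leaving a file or
# directory that restorecon can relabel once the module is loaded.
relabel_prefixes() {
    fc=$1
    [ -f "$fc" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$fc" | awk '{print $1}' \
        | sed 's/[][(*?^].*//' | sort -u
}

# Full procedure: check the sources, compile them against the headers of the
# policy installed on this host (an undefined type or attribute fails here,
# before anything is loaded), install the module, then relabel the paths
# its file contexts claim.
load_shipped_policy() {
    src=$1
    name=$(policy_module_name "$src") || return 1
    policy_module_declared "$src" "$name" || {
        echo "$src/$name.te does not declare policy_module($name, ...)" >&2; return 1; }
    build=$(mktemp -d)
    for ext in te fc if; do
        [ -f "$src/$name.$ext" ] && cp "$src/$name.$ext" "$build/"
    done
    run make -C "$build" -f "$DEVEL_MAKEFILE" "$name.pp" || return 1
    run semodule -i "$build/$name.pp" || return 1
    relabel_prefixes "$src/$name.fc" | while IFS= read -r p; do
        run restorecon -R "$p"
    done
    rm -rf "$build"
}

# usage: DRY_RUN=1 ./load-shipped-policy.sh /usr/share/my_package/selinux
[ "${1:-}" ] && load_shipped_policy "$1"
```

The split into small functions is deliberate: `policy_module_name`, `policy_module_declared` and `relabel_prefixes` are pure checks that can be exercised on any host, while only `load_shipped_policy` touches the policy store, and it refuses to continue past the first failed check.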

Re: [DSE-Dev] Question regarding shipping a SELinux Policy in Package

2020-05-14 Thread Paul Tagliamonte
> I think there aren't docs about how to ship SELinux policies with
> application packages, because that's not the way it's done.
> There are several reasons:
> * The package shipped policy module might not compile/load on the
> system, cause the system policy can use different types/attributes
> etc.
> * The system administrator might not want to install policy modules
> shipped by applications, because of
> trust/compatibility/maintainability/integrity.
> * The shipped policy module might not fit everyone's needs: for one it
> might be too permissive, for the next too restricted

I see. That makes some amount of sense!

> You can try to introduce a policy for your package into the official
> upstream Reference Policy [1], which is the base for the Debian
> policy.

Hurm, ok! That also sounds sensible. It also sounds very heavy-weight.

> (If necessary you could ship the SELinux policy source files under
> /usr/share/my_package/selinux/ and hint users at it.)

Ah, this is a great idea! I wasn't sure if there was some system that
would allow for loading of SELinux modules automatically (not unlike
how vim does configuration -- if you're using the system config, the
system module loading can handle it, otherwise you have your own setup,
I didn't know if SELinux made the same assumption about "targeted" and
"mls" being "from the distro" and therefore trusts all distro packages to provide
sensible policy). It does sound like that is expressly not supported by
design -- which, fair enough!

> Best regards,
>   Christian Göttsche
>
> [1]: https://github.com/SELinuxProject/refpolicy
>
>
> p.s.: IRC is available at #selinux on Freenode

Ah yes, I joined that last night after sending this mail - wasn't sure if
Debian-specific questions were appropriate there. Are they? I assumed
this was a packaging related question, because I did not understand
our relation to the upstream policy.

Thank you very much!
  paultag


-- 
:wq