Portal:SELinux/PackagingCustomPolicy


In openSUSE, there are two ways to ship a custom policy module:

  • Option 1: as part of the main selinux-policy package
  • Option 2: inside the package the policy module is written for

Both options have pros and cons, which are detailed below.

Submission policy

Please reach out to the SELinux working group before submitting a policy module to openSUSE:Factory, even if it is "only" in your own package and written by upstream. Custom policy modules can break not only the package, but also other parts of the system when inconsistencies or mistakes are introduced. The SELinux working group will then keep track of, review, and advise on custom policies.

Please note that the SELinux working group is not responsible for fixing bugs in customized SELinux policies that are shipped outside the main policy (aka Option 2).

Option 1: Shipping a custom policy module via the main policy

You can request that your custom policy module be added to the main policy by contacting the SELinux working group. This is recommended if you are writing an openSUSE-specific module that will not have an upstream or will not be accepted into upstream.

Pro:

  • The SELinux working group will review and maintain the custom policy module inside the main policy

Con:

  • When changes are required, you will need to coordinate with the SELinux working group, and fixes will only be available when the main selinux-policy package is released

Option 2: Shipping a custom policy module via the corresponding package

You can ship your custom policy module alongside the package it is written for. This is recommended when the custom policy module has an active upstream project. Examples of packages that do this are flatpak and cockpit.

Pro:

  • You can directly change modules inside your package and ship the module at the same time as the system update.

Con:

  • The chance of breaking other parts of the system due to inconsistencies is higher

Adding a policy module to your package