Portal:SELinux/Differences to fedora policy
The openSUSE SELinux policy uses the Fedora SELinux policy as upstream, with some changes for openSUSE-specific needs. That means most documentation for Fedora is also applicable to openSUSE.
The openSUSE SELinux git repository can be found at: https://github.com/openSUSE/selinux-policy
The main differences from the Fedora policy, which are not documented here, are:
- Differences in file context paths that are (open)SUSE specific (e.g. different file context equivalencies)
- Policy modules for (open)SUSE specific software
- Bug fixes that are (open)SUSE specific
This page documents the user-visible differences in the policy, such as booleans, ports and more.
openSUSE specific booleans
The openSUSE SELinux policy has different booleans enabled by default. These can be seen here
Additionally, there are openSUSE specific booleans, which are listed below:
rsync_exec_commands
(bsc#1231494)
We use a wrapper script for rsyncd because we don't want to label the main executable with rsync_exec_t to prevent it from transitioning out of unconfined domains. The wrapper script needs the ability to execute commands. Since this is necessary for some rsync configurations, we introduced a boolean for this.
unconfined_service_transition_to_unconfined_user
(bsc#1233738)
This boolean allows unconfined_service_t to transition to unconfined_t. Usually you don't want this, but in cases where you spawn user sessions from unconfined services it can be necessary.
xen_use_qemu_for_dom0_disk_backend
(bsc#1228540)
Usually qemu-system-i386 is not run by systemd as a daemon. This boolean allows it to be run as a systemd daemon so that Xen can use qemu as the dom0 disk backend.
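
To review the state of the three booleans listed above on a host, the following added example (not part of the openSUSE policy or this wiki) parses `getsebool -a` output. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Booleans named on this page; each one allows extra behaviour when "on".
SUSE_BOOLEANS="rsync_exec_commands
unconfined_service_transition_to_unconfined_user
xen_use_qemu_for_dom0_disk_backend"

# audit_suse_booleans: read `getsebool -a` style lines ("name --> on|off")
# on stdin and print one "name state" line per boolean listed above.
# A boolean that is absent from the input is reported as "missing",
# e.g. on a policy build that does not ship it.
audit_suse_booleans() {
    input=$(cat)
    for b in $SUSE_BOOLEANS; do
        state=$(printf '%s\n' "$input" |
            awk -v n="$b" '$1 == n && $2 == "-->" { print $3; exit }')
        printf '%s %s\n' "$b" "${state:-missing}"
    done
}

# enabled_suse_booleans: print only the names that are currently "on",
# i.e. the ones worth checking against the host's documented needs.
enabled_suse_booleans() {
    audit_suse_booleans | awk '$2 == "on" { print $1 }'
}

# Constructed sample of `getsebool -a` output (not taken from a real host).
SAMPLE='httpd_can_network_connect --> off
rsync_exec_commands --> on
unconfined_service_transition_to_unconfined_user --> off
xen_use_qemu_for_dom0_disk_backend --> off'

# Demo run on the constructed sample.
# On a live system:          getsebool -a | audit_suse_booleans
# To switch one off for good: setsebool -P rsync_exec_commands off
printf '%s\n' "$SAMPLE" | audit_suse_booleans
```
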