Portal:SELinux/PackagingCustomPolicy
In openSUSE, there are two ways to ship a custom policy module:
- via the main SELinux policy
- via its own package (outside the main policy)
Both options have pros and cons, which are detailed below.
Submission policy
Please reach out to the SELinux working group before submitting a policy module to openSUSE:Factory, even if it is "only" in your own package and written by upstream. Custom policy modules can break not only the package, but also other parts of the system when inconsistencies or mistakes are introduced. The SELinux working group will then keep track of, review and advise on custom policies. If you want us to have a deeper look, please open an AUDIT-0 bug for us as described here.
Please note that the SELinux working group is not responsible for fixing bugs in customized SELinux policies that are shipped outside the main policy (aka Option 2). We strongly recommend Option 1.
Option 1: Shipping a custom policy module via the main policy
You can request that your custom policy module be added to the main policy by contacting the SELinux working group. This is recommended if you are writing an openSUSE-specific module that will not have an upstream or will not be accepted upstream.
Pro:
- The SELinux working group will review and maintain the custom policy module inside the main policy
Con:
- When changes are required, you will need to coordinate with the SELinux working group, and fixes will only be available when the main selinux-policy package is released
Option 2: Shipping a custom policy module via the corresponding package
You can ship your custom policy module alongside the package it is written for. This is recommended when the custom policy module has an active upstream project. Examples of packages that do this are flatpak and cockpit.
Pro:
- You can directly change modules inside your package and ship the module at the same time as the system update.
Con:
- The chance of breaking other parts of the system due to inconsistencies is higher
Adding a policy module to your package
- Please refer to this guide in the Fedora wiki: https://fedoraproject.org/wiki/SELinux/IndependentPolicy
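As an added illustration of Option 2 (this is example code, not taken from this page or from the flatpak or cockpit packages), a minimal spec fragment for a package "myapp" (placeholder name) that builds its module from myapp.te/.fc/.if and installs it into the targeted policy store. It assumes the %selinux_* helper macros shipped by selinux-policy-devel, as used in the Fedora guide linked above, are available at build time.

```spec
# Added example, not part of the original page. Package and module names are placeholders.
# Assumes %selinux_requires, %selinux_modules_install, %selinux_modules_uninstall,
# %selinux_relabel_pre and %selinux_relabel_post are provided by selinux-policy-devel.
%global selinuxtype targeted
%global modulename  myapp

Name:           myapp
Version:        1.0
Release:        0
Summary:        Example application with its own SELinux policy module
License:        MIT
Source0:        %{name}-%{version}.tar.xz
BuildRequires:  selinux-policy-devel
BuildRequires:  bzip2

%package selinux
Summary:        SELinux policy module for %{name}
BuildArch:      noarch
Requires:       %{name} = %{version}-%{release}
%{?selinux_requires}

%description selinux
SELinux policy module for %{name}, loaded into the %{selinuxtype} store.

%prep
%autosetup

%build
# Compile the .te/.fc/.if sources into a binary module with the reference-policy Makefile.
make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
bzip2 -9 %{modulename}.pp

%install
install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
# Ship the interface file so other modules can reference this one consistently.
install -D -m 0644 %{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/%{modulename}.if

%pre selinux
%selinux_relabel_pre -s %{selinuxtype}

%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2

%postun selinux
# Only remove the module on a real uninstall ($1 == 0), not on an upgrade.
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
fi

%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}

%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
%{_datadir}/selinux/devel/include/contrib/%{modulename}.if
```

After installing the subpackage, `semodule -l | grep myapp` confirms the module is loaded, and `ausearch -m avc -ts recent` shows whether the new module introduces denials elsewhere on the system, which is the inconsistency risk the Option 2 con above refers to.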