From Fedora Project Wiki

(Draft.)
No edit summary
Line 33: Line 33:


== Packaging SELinux Policy ==
== Packaging SELinux Policy ==
{{admon/tip| Independent Policy Project | Please see the [https://docs.fedoraproject.org//en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/Security-Enhanced_Linux-prioritizing_sepolicy_modules.html Independent Policy Project wiki] for in-depth guide on custom SELinux policy module packaging.}}
{{admon/tip| Independent Policy Project | Please see the [https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy Independent Policy Project wiki] for in-depth guide on custom SELinux policy module packaging.}}


From modularity point of view the SELinux policy needs to be available in the form of RPM package. It's up to the maintainer to choose weather the policy package is standalone or a sub-package of the corresponding software. The former is covered by the [https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy Independent Policy Project (IPP) wiki]. The latter only differs in the RPM spec file and can be seen in the [https://src.fedoraproject.org/rpms/memcached memcached package].
From modularity point of view the SELinux policy needs to be available in the form of RPM package. It's up to the maintainer to choose whether the policy package is standalone or a sub-package of the corresponding software. The former is covered by the [https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy Independent Policy Project (IPP) wiki]. The latter only differs in the RPM spec file and can be seen in the [https://src.fedoraproject.org/rpms/memcached memcached package].


=== SELinux Policy Priorities ===
=== SELinux Policy Priorities ===
Line 45: Line 45:
=== SELinux Base Policies ===
=== SELinux Base Policies ===


{{admon/note|TODO|This subsection should cover the different SELinux base policies, e.g. targeted vs MLS, and explain how to handle this in the specfiles.}}
There are 3 different base policies available on Fedora also referred to as ''policy types''. ''Targeted'' is the most commonly used and is the default policy type. ''MLS'' is significantly more strict and utilizes all the capabilities of Multi Level Security to comply with high security standards. ''Minimal'' is a policy type used on small devices (less overhead) or as a base for highly customized security policies.
 
Q - have we tried packaging both a MLS and targeted policy module in the memcached prototype?  If not, this is something we should do to verify that it works as expected.
 
No, only targeted so far.


It is usually best to ship single custom policy module for all supported policy types, using conditional statements for rules specific to single policy type. For more complex policies it is also possible to ship separate policy modules. In that case all the steps described in the IPP documentation would be duplicated, making use of the "policy type" parameter when available.


=== Example SELinux Policy RPM specfile ===
=== Example SELinux Policy RPM specfile ===
Line 78: Line 75:
=== Adding the SELinux Policy to the Module Install Profiles ===
=== Adding the SELinux Policy to the Module Install Profiles ===


Including the SELinux policy module in the Fedora module makes no difference unless the policy module is part of one or more install profiles.
For user convenience it is also recommended to include the policy package in one or more install profiles, which serve as suggestions for which packages should be installed in listed use cases.


It is recommended to include the policy RPM in the '''default''' install profile. Depending on the primary component it may be useful to include an install profile without the policy module to be used for example inside a container. The policy does not take effect inside a container and would only bring unnecessary dependencies.
It is recommended to have the policy RPM as part of the '''default''' install profile. Depending on the primary component it may be useful to include an install profile without the policy module to be used for example inside a container. The policy does not take effect inside a container and would only bring in unnecessary dependencies.


<pre>
<pre>

Revision as of 14:40, 9 November 2018

Work in progress
This page is a work in progress, see the inline TODO notes. We suggest visiting SELinuxModularity for more information.

Configuring the Development Environment

The goal of this section is to help people setup their system to build SELinux policy and Fedora Modules.

Building Fedora Modules

Module build is facilitated by the fm-oschestrator (module-build-service package), which is controlled by a set of fedpkg commands.

# dnf install fedpkg module-build-service

Building SELinux Policy modules and RPMs

SELinux policy module build is a multi step process covered by a Makefile provided by selinux-policy-devel pacakge together with all the necessary tools. Since the finished module will be packaged in an rpm, we also need rpm-build package.

The following is only necessary for local testing of the SELinux policy package since the build is otherwise done by the module-build-service.

# dnf install selinux-policy-devel rpm-build

FM repositories

By default dnf does not have access to FM repositories even though it is able to work with modules. Install "fedora-repos-modular-<fedora version>" package to gain acces to "Fedora Modular" modules.

# dnf install fedora-repos-modular-28

Packaging SELinux Policy

Independent Policy Project
Please see the Independent Policy Project wiki for in-depth guide on custom SELinux policy module packaging.

From modularity point of view the SELinux policy needs to be available in the form of RPM package. It's up to the maintainer to choose whether the policy package is standalone or a sub-package of the corresponding software. The former is covered by the Independent Policy Project (IPP) wiki. The latter only differs in the RPM spec file and can be seen in the memcached package.

SELinux Policy Priorities

Documentation
For more information about SELinux policy module priorities please see SELinux Users and Administrators Guide.

Priority 200 should be used for all custom policy modules falling under IPP project regardless of the means of distribution (FM, RPM, ...). This value is set in the %selinux_modules_install macro and should not be overridden by package maintainers.

SELinux Base Policies

There are 3 different base policies available on Fedora also referred to as policy types. Targeted is the most commonly used and is the default policy type. MLS is significantly more strict and utilizes all the capabilities of Multi Level Security to comply with high security standards. Minimal is a policy type used on small devices (less overhead) or as a base for highly customized security policies.

It is usually best to ship single custom policy module for all supported policy types, using conditional statements for rules specific to single policy type. For more complex policies it is also possible to ship separate policy modules. In that case all the steps described in the IPP documentation would be duplicated, making use of the "policy type" parameter when available.

Example SELinux Policy RPM specfile

See memcached-selinux spec file for example of standalone SELinux policy RPM spec file, or memcached spec file for example of SELinux policy subpackage.

Bundling SELinux Policy RPMs in Fedora Modules

Fedora Modularity Documentation
Please see the Fedora Modularity Documentation for complete guide on writing modulemd files
Repositories
Please note that this Guidance document assumes two repositories. SELinux policy RPM repository (whether a sub-package or standalone package) is located in https://src.fedoraproject.org/rpms/ and the Fedora modularity module repository in https://src.fedoraproject.org/modules/ .

Including the policy RPM in a Fedora module is as simple as specifying the RPM source repository name and branch in the components section of the modulemd file.

    components:
        rpms:
            foo:  
                rationale: Primary component of this module.  
                ref: master
            foo-selinux:
                rationale: Provides SELinux policy for foo   
                ref: master

In case the SELinux policy RPM is a sub-package, this step is already done (the Module Build Service (MBS) will build the specified component including all sub-packages automatically.)

Adding the SELinux Policy to the Module Install Profiles

For user convenience it is also recommended to include the policy package in one or more install profiles, which serve as suggestions for which packages should be installed in listed use cases.

It is recommended to have the policy RPM as part of the default install profile. Depending on the primary component it may be useful to include an install profile without the policy module to be used for example inside a container. The policy does not take effect inside a container and would only bring in unnecessary dependencies.

    profiles:
        default:
            rpms:
                - foo
                - foo-selinux
        container:
            rpms:
                - foo

Complete example modulemd file which includes SELinux policy module RPM (sub-package) can be seen in the memcached module repository.