From Fedora Project Wiki

No edit summary
No edit summary
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{admon/important|Work in progress|This page is a work in progress, see the inline TODO notes.  We suggest visiting [[SELinuxModularity]] for more information.}}


== Configuring the Development Environment ==
== Configuring the Development Environment ==


{{admon/note|TODO|The goal of this section is to help people setup their system to build SELinux policy and Fedora Modules. Any temporary hacks that are required should be called out in admon/important notes.}}
The goal of this section is to help people setup their system to build SELinux policy and Fedora Modules.


=== Building RPMs and Fedora Modules ===
=== Building Fedora Modules ===


{{admon/note|TODO|This subsection should cover the general installation and setup of the tools and packages necessary to build both RPMs and Fedora Modules.}}
Module build is facilitated by the fm-oschestrator (''module-build-service'' package), which is controlled by a set of ''fedpkg'' commands.  
 
TODO - discussion/explanation


<pre>
<pre>
# dnf install module-build-service
# dnf install fedpkg module-build-service
</pre>
</pre>


=== Building SELinux Policy ===
=== Building SELinux Policy modules and RPMs ===


{{admon/note|TODO|This subsection should cover the general installation and setup of the tools and packages necessary to build SELinux policy.}}
SELinux policy module build is a multi step process covered by a Makefile provided by ''selinux-policy-devel'' package together with all the necessary tools. Since the finished module will be packaged in an rpm, we also need ''rpm-build'' package.  


TODO - discussion/explanation
The following is only necessary for local testing of the SELinux policy package since the build is otherwise done by the module-build-service.


<pre>
<pre>
# dnf install selinux-policy-devel rpm-build
# dnf install selinux-policy-devel rpm-build
</pre>
=== FM repositories ===
By default dnf does not have access to FM repositories even though it is able to work with modules. Install "fedora-repos-modular-<fedora version>" package to gain acces to "Fedora Modular" modules.
<pre>
# dnf install fedora-repos-modular-28
</pre>
</pre>


== Packaging SELinux Policy ==
== Packaging SELinux Policy ==
{{admon/tip| Independent Policy Project | Please see the [https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy Independent Policy Project wiki] for in-depth guide on custom SELinux policy module packaging.}}


{{admon/note|TODO|The goal of this section is to help people understand how to package individual SELinux policy modules into a RPM; we should work closely with the Independent Policy Project (IPP), perhaps simply linking to IPP wiki docs if/when they exist.}}
From modularity point of view the SELinux policy needs to be available in the form of RPM package. It's up to the maintainer to choose whether the policy package is standalone or a sub-package of the corresponding software. The former is covered by the [https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy Independent Policy Project (IPP) wiki]. The latter only differs in the RPM spec file and can be seen in the [https://src.fedoraproject.org/rpms/memcached memcached package].
 
TODO - explain and link to [[SELinux/IndependentPolicy]] in this section


=== SELinux Policy Priorities ===
=== SELinux Policy Priorities ===


{{admon/note|TODO|This subsection should cover the prioritized policy store, explaining the different levels used in Fedora.}}
{{admon/tip| Documentation | For more information about SELinux policy module priorities please see [https://docs.fedoraproject.org//en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/Security-Enhanced_Linux-prioritizing_sepolicy_modules.html SELinux Users and Administrators Guide].}}


Q - what priority do we expect policy developers/packagers to use here?
Priority 200 should be used for all custom policy modules falling under IPP project regardless of the means of distribution (FM, RPM, ...). This value is set in the %selinux_modules_install macro and should not be overridden by package maintainers.


=== SELinux Base Policies ===
=== SELinux Base Policies ===


{{admon/note|TODO|This subsection should cover the different SELinux base policies, e.g. targeted vs MLS, and explain how to handle this in the specfiles.}}
There are 3 different base policies available on Fedora also referred to as ''policy types''. ''Targeted'' is the most commonly used and is the default policy type. ''MLS'' is significantly more strict and utilizes all the capabilities of Multi Level Security to comply with high security standards. ''Minimum'' is a policy type used on small devices (less overhead) or as a base for highly customized security policies.


Q - have we tried packaging both a MLS and targeted policy module in the memcached prototype?  If not, this is something we should do to verify that it works as expected.
It is usually best to ship single custom policy module for all supported policy types, using conditional statements for rules specific to single policy type. For more complex policies it is also possible to ship separate policy modules. In that case all the steps described in the IPP documentation would be duplicated, making use of the "policy type" parameter when available.


=== Example SELinux Policy RPM specfile ===
=== Example SELinux Policy RPM specfile ===


{{admon/note|TODO|This subsection should provide an example SELinux policy module specfile with comments and annotations.}}
See [https://pagure.io/memcached-selinux/blob/master/f/memcached-selinux.spec memcached-selinux spec file] for example of standalone SELinux policy RPM spec file, or [https://src.fedoraproject.org/rpms/memcached/blob/master/f/memcached.spec memcached spec file] for example of SELinux policy subpackage.


TODO - we can use the memcached policy specfile here
== Bundling SELinux Policy RPMs in Fedora Modules ==


== Bundling SELinux Policy RPMs in Fedora Modules ==
{{admon/tip|Fedora Modularity Documentation| Please see the [https://docs.fedoraproject.org/en-US/modularity/making-modules/defining-modules/ Fedora Modularity Documentation] for complete guide on writing modulemd files}}
 
{{admon/note|Repositories| Please note that this Guidance document assumes two repositories. SELinux policy RPM repository (whether a sub-package or standalone package) is located in https://src.fedoraproject.org/rpms/ and the Fedora modularity module repository in https://src.fedoraproject.org/modules/ .}}


{{admon/note|TODO|The goal of this section is to help users understand how to include SELinux policy inside of Fedora Modules, the lessons learned from the memcached prototype should be very helpful here.}}
Including the policy RPM in a Fedora module is as simple as specifying the RPM source repository name and branch in the components section of the modulemd file.  
<pre>
    components:
        rpms:
            foo: 
                rationale: Primary component of this module. 
                ref: master
            foo-selinux:
                rationale: Provides SELinux policy for foo 
                ref: master
</pre>


TODO - discussion/explanation
In case the SELinux policy RPM is a sub-package, this step is already done (the Module Build Service (MBS) will build the specified component including all sub-packages automatically.)


=== Adding the SELinux Policy to the Module Install Profiles ===
=== Adding the SELinux Policy to the Module Install Profiles ===


{{admon/note|TODO|This subsection should document the how the included SELinux policy should be handled by the various module installation profiles, paying special attention to the "normal" (install the policy) and "container" (DO NOT install the policy) use cases. If any special dnf configuration is needed it should be described here as well.}}
For user convenience it is also recommended to include the policy package in one or more install profiles, which serve as suggestions for which packages should be installed in listed use cases.
 
It is recommended to have the policy RPM as part of the '''default''' install profile. Depending on the primary component it may be useful to include an install profile without the policy module to be used for example inside a container. The policy does not take effect inside a container and would only bring in unnecessary dependencies.
 
<pre>
    profiles:
        default:
            rpms:
                - foo
                - foo-selinux
        container:
            rpms:
                - foo
</pre>


TODO - see what we did for the memcached prototype, especially the notes about adding the policy RPM to the profiles
Complete example ''modulemd'' file which includes SELinux policy module RPM (sub-package) can be seen in the [https://src.fedoraproject.org/modules/memcached/blob/master/f/memcached.yaml memcached module repository].
TODO - verify that the final decision was to add the policy packages to the default profile

Latest revision as of 12:55, 28 November 2018

Configuring the Development Environment

The goal of this section is to help people setup their system to build SELinux policy and Fedora Modules.

Building Fedora Modules

Module build is facilitated by the fm-oschestrator (module-build-service package), which is controlled by a set of fedpkg commands.

# dnf install fedpkg module-build-service

Building SELinux Policy modules and RPMs

SELinux policy module build is a multi step process covered by a Makefile provided by selinux-policy-devel package together with all the necessary tools. Since the finished module will be packaged in an rpm, we also need rpm-build package.

The following is only necessary for local testing of the SELinux policy package since the build is otherwise done by the module-build-service.

# dnf install selinux-policy-devel rpm-build

FM repositories

By default dnf does not have access to FM repositories even though it is able to work with modules. Install "fedora-repos-modular-<fedora version>" package to gain acces to "Fedora Modular" modules.

# dnf install fedora-repos-modular-28

Packaging SELinux Policy

Independent Policy Project
Please see the Independent Policy Project wiki for in-depth guide on custom SELinux policy module packaging.

From modularity point of view the SELinux policy needs to be available in the form of RPM package. It's up to the maintainer to choose whether the policy package is standalone or a sub-package of the corresponding software. The former is covered by the Independent Policy Project (IPP) wiki. The latter only differs in the RPM spec file and can be seen in the memcached package.

SELinux Policy Priorities

Documentation
For more information about SELinux policy module priorities please see SELinux Users and Administrators Guide.

Priority 200 should be used for all custom policy modules falling under IPP project regardless of the means of distribution (FM, RPM, ...). This value is set in the %selinux_modules_install macro and should not be overridden by package maintainers.

SELinux Base Policies

There are 3 different base policies available on Fedora also referred to as policy types. Targeted is the most commonly used and is the default policy type. MLS is significantly more strict and utilizes all the capabilities of Multi Level Security to comply with high security standards. Minimum is a policy type used on small devices (less overhead) or as a base for highly customized security policies.

It is usually best to ship single custom policy module for all supported policy types, using conditional statements for rules specific to single policy type. For more complex policies it is also possible to ship separate policy modules. In that case all the steps described in the IPP documentation would be duplicated, making use of the "policy type" parameter when available.

Example SELinux Policy RPM specfile

See memcached-selinux spec file for example of standalone SELinux policy RPM spec file, or memcached spec file for example of SELinux policy subpackage.

Bundling SELinux Policy RPMs in Fedora Modules

Fedora Modularity Documentation
Please see the Fedora Modularity Documentation for complete guide on writing modulemd files
Repositories
Please note that this Guidance document assumes two repositories. SELinux policy RPM repository (whether a sub-package or standalone package) is located in https://src.fedoraproject.org/rpms/ and the Fedora modularity module repository in https://src.fedoraproject.org/modules/ .

Including the policy RPM in a Fedora module is as simple as specifying the RPM source repository name and branch in the components section of the modulemd file.

    components:
        rpms:
            foo:  
                rationale: Primary component of this module.  
                ref: master
            foo-selinux:
                rationale: Provides SELinux policy for foo   
                ref: master

In case the SELinux policy RPM is a sub-package, this step is already done (the Module Build Service (MBS) will build the specified component including all sub-packages automatically.)

Adding the SELinux Policy to the Module Install Profiles

For user convenience it is also recommended to include the policy package in one or more install profiles, which serve as suggestions for which packages should be installed in listed use cases.

It is recommended to have the policy RPM as part of the default install profile. Depending on the primary component it may be useful to include an install profile without the policy module to be used for example inside a container. The policy does not take effect inside a container and would only bring in unnecessary dependencies.

    profiles:
        default:
            rpms:
                - foo
                - foo-selinux
        container:
            rpms:
                - foo

Complete example modulemd file which includes SELinux policy module RPM (sub-package) can be seen in the memcached module repository.