From Fedora Project Wiki
No edit summary |
No edit summary |
||
| Line 54: | Line 54: | ||
{{admon/note|TODO|The goal of this section is to help users understand how to include SELinux policy inside of Fedora Modules, the lessons learned from the memcached prototype should be very helpful here.}} | {{admon/note|TODO|The goal of this section is to help users understand how to include SELinux policy inside of Fedora Modules, the lessons learned from the memcached prototype should be very helpful here.}} | ||
TODO - discussion/explanation | |||
=== Adding the SELinux Policy to the Module Install Profiles === | |||
{{admon/note|TODO|This subsection should document the how the included SELinux policy should be handled by the various module installation profiles, paying special attention to the "normal" (install the policy) and "container" (DO NOT install the policy) use cases. If any special dnf configuration is needed it should be described here as well.}} | |||
TODO - see what we did for the memcached prototype, especially the notes about adding the policy RPM to the profiles | |||
TODO - verify that the final decision was to add the policy packages to the default profile | |||
Revision as of 14:51, 14 December 2017
Work in progress
This page is a work in progress, see the inline TODO notes. We suggest visiting SELinuxModularity for more information.
This page is a work in progress, see the inline TODO notes. We suggest visiting SELinuxModularity for more information.
Configuring the Development Environment
TODO
The goal of this section is to help people setup their system to build SELinux policy and Fedora Modules. Any temporary hacks that are required should be called out in admon/important notes.
The goal of this section is to help people setup their system to build SELinux policy and Fedora Modules. Any temporary hacks that are required should be called out in admon/important notes.
Building RPMs and Fedora Modules
TODO
This subsection should cover the general installation and setup of the tools and packages necessary to build both RPMs and Fedora Modules.
This subsection should cover the general installation and setup of the tools and packages necessary to build both RPMs and Fedora Modules.
TODO - discussion/explanation
# dnf install module-build-service
Building SELinux Policy
TODO
This subsection should cover the general installation and setup of the tools and packages necessary to build SELinux policy.
This subsection should cover the general installation and setup of the tools and packages necessary to build SELinux policy.
TODO - discussion/explanation
# dnf install selinux-policy-devel rpm-build
Packaging SELinux Policy
TODO
The goal of this section is to help people understand how to package individual SELinux policy modules into a RPM; we should work closely with the Independent Policy Project (IPP), perhaps simply linking to IPP wiki docs if/when they exist.
The goal of this section is to help people understand how to package individual SELinux policy modules into a RPM; we should work closely with the Independent Policy Project (IPP), perhaps simply linking to IPP wiki docs if/when they exist.
TODO - explain and link to SELinux/IndependentPolicy in this section
SELinux Policy Priorities
TODO
This subsection should cover the prioritized policy store, explaining the different levels used in Fedora.
This subsection should cover the prioritized policy store, explaining the different levels used in Fedora.
Q - what priority do we expect policy developers/packagers to use here?
SELinux Base Policies
TODO
This subsection should cover the different SELinux base policies, e.g. targeted vs MLS, and explain how to handle this in the specfiles.
This subsection should cover the different SELinux base policies, e.g. targeted vs MLS, and explain how to handle this in the specfiles.
Q - have we tried packaging both a MLS and targeted policy module in the memcached prototype? If not, this is something we should do to verify that it works as expected.
Example SELinux Policy RPM specfile
TODO
This subsection should provide an example SELinux policy module specfile with comments and annotations.
This subsection should provide an example SELinux policy module specfile with comments and annotations.
TODO - we can use the memcached policy specfile here
Bundling SELinux Policy RPMs in Fedora Modules
TODO
The goal of this section is to help users understand how to include SELinux policy inside of Fedora Modules, the lessons learned from the memcached prototype should be very helpful here.
The goal of this section is to help users understand how to include SELinux policy inside of Fedora Modules, the lessons learned from the memcached prototype should be very helpful here.
TODO - discussion/explanation
Adding the SELinux Policy to the Module Install Profiles
TODO
This subsection should document the how the included SELinux policy should be handled by the various module installation profiles, paying special attention to the "normal" (install the policy) and "container" (DO NOT install the policy) use cases. If any special dnf configuration is needed it should be described here as well.
This subsection should document the how the included SELinux policy should be handled by the various module installation profiles, paying special attention to the "normal" (install the policy) and "container" (DO NOT install the policy) use cases. If any special dnf configuration is needed it should be described here as well.
TODO - see what we did for the memcached prototype, especially the notes about adding the policy RPM to the profiles TODO - verify that the final decision was to add the policy packages to the default profile