Hi,

On 05. 09. 21 15:29, Sam Varshavchik wrote:
Vitaly Zaitsev via devel writes:

On 05/09/2021 14:52, Sam Varshavchik wrote:
if only a great, overwhelming majority of Fedora package maintainers were able to write policies for their own packages and maintain it themselves because SELinux documentation was ample and easy to follow

https://pagure.io/packaging-committee/issue/726
https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

Which parts of the above describe, and explain, how to write the SELinux policy itself? Once it's written that's a great piece of documentation to follow, to explain how to package this policy. But this is putting the cart before the horse. The package maintainers have to actually understand how to write SELinux policies, first.

Yes, this is a valid point and we should definitely do something about it. There are quite a few sources and tools (arguably often not properly publicly documented) a policy developer can use. But we could use a single go-to place that would get a new policy writer/maintainer started.

SELinux notebook - https://github.com/SELinuxProject/selinux-notebook/ - something like the "Maximum RPM" you mentioned
SELinux Project wiki - http://selinuxproject.org/page/Main_Page

Tools:
* sepolicy-generate - generates an initial SELinux policy module template
* audit2allow - generates policy rules, or even interface calls covering given AVC messages
* macro-expander - expands given macro/interface call into a list of policy rules - https://lukas-vrabec.com/index.php/2019/02/03/new-trick-macro-expander/

Again, I realize these can be hard to find/understand, which is why I appreciate this feedback and I'll do my best to act on it (we already discussed this within SELinux team and came up with some action items).

The packaging guidelines draft referenced above is based on https://fedoraproject.org/wiki/SELinux/IndependentPolicy. This guideline is part of Decentralized SELinux Policy project, designed to help developers "adopt" a policy their package is using. As was already discussed in this thread, a few packages are already part of this project and more are on the way.

Sincerely,

Vit
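To make the audit2allow step in the tool list above concrete, here is an added example (my own, not code from the project or from anyone in this thread) that does the core of what audit2allow does: it turns AVC denial records into allow rules and wraps them in a minimal loadable-module skeleton. The log lines, the example_t domain and the exampled process are constructed; var_run_t and http_cache_port_t are standard policy types.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from any real system). example_t and
# comm="exampled" are hypothetical; the SYSCALL line shows non-AVC input is ignored.
SAMPLE_AVC = """\
type=AVC msg=audit(1630850000.123:456): avc:  denied  { read } for  pid=1234 comm="exampled" name="example.sock" dev="tmpfs" ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1630850000.124:457): avc:  denied  { write } for  pid=1234 comm="exampled" name="example.sock" dev="tmpfs" ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1630850000.200:458): avc:  denied  { name_bind } for  pid=1234 comm="exampled" src=8080 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1630850000.200:458): arch=c000003e syscall=49 success=no exit=-13
"""
# One denial record: the permission set, source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, granted AVCs, etc. yield no rule
        stype = m.group("scontext").split(":")[2]  # context is user:role:type:level
        ttype = m.group("tcontext").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return rules

def to_allow_rules(rules):
    """Render each group as one allow statement, the way audit2allow prints them."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        perm_str = p if len(perms) == 1 else "{ " + p + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out

def to_module(rules, name="example_local"):
    """Wrap the rules in a loadable module: header, require block, allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    by_class = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        by_class[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(by_class.items())]
    out += ["}", ""] + to_allow_rules(rules)
    return "\n".join(out) + "\n"
```

The generated rules are a starting point to review, not policy to load as-is: a denial against a shared type such as var_run_t usually calls for a dedicated type and an interface call rather than a raw allow.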

The problem isn't the technical details of how to package an SELinux policy with the package.

The problem is the domain knowledge needed to write that SELinux policy in the first place. It's siloed mostly in the selinux package itself. I assert that the documentation above is not going to be useful to 95% of the package maintainers. A few of them will know how to write a policy, and then follow the above wiki. The rest will not. Prove me wrong.

I posted this link before:

https://raw.githubusercontent.com/svarshavchik/libcxx/master/packaging/fedora/libcxx.te

Where is the documentation that explains /all/ of the above, and what it means? I wrote that policy, of course, but even now, just a short time later, I can't for the life of me tell you where all that documentation is. Because there isn't any, I had to figure it out based on scraps of other selinux policies that I looked at, and based on my experience with other stuff that did NOT involve SELinux.

You will not find any documentation that explains /all/ of that on https://selinuxproject.org

And at most 5% of the above is explained in

https://selinuxproject.org/page/RefpolicyWriteModule

And until the state of the world is such that SELinux is not a siloed domain, that it's amply documented, and package maintainers have documentation that they can use to write their own policy, for the package that they fully understand and support, SELinux will continue to break random stuff, over and over again.

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org