Shipping custom module using SELinux priorities

Hello everyone!

Some time ago I introduced the first part of shipping your own custom module with the rpm package of your application. This solution allows you to maintain your own SELinux policy module, which brings a lot of benefits like:

  • changes in policy can be made immediately
    • no need to wait until the selinux-policy maintainer fixes it
  • independent from selinux-policy distro updates
    • policy changes are shipped together with your application
  • your own policy module can reflect the latest features of the application
    • policy and application stay synchronized

However, the technical solution had some troubles, described in the second part. These issues disappear with the new release of SELinux userspace (>= 2.4). The new userspace brings a feature called module priorities: the same module can be installed at several priorities, and the copy with the highest priority is the one that is active. The benefits of this feature are shown in the following example (the first column of semodule -lfull is the priority; distro modules from selinux-policy live at 100):

$ rpm -q docker-selinux
package docker-selinux is not installed

# semodule -lfull | grep docker
100 docker            pp
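As an added illustration (this is not code from the original post), the following script shows how priorities are used from a package and how to audit them. ship_module and unship_module wrap the real semodule -X flag at an assumed priority of 200: above the distro's 100, below the 400 that a plain semodule -i uses, so an admin's manual override still wins. active_modules parses semodule -lfull output (a constructed sample is embedded, it is not captured from a real host) and reports, per module, which priority is active and which lower-priority copies it shadows, so you can see exactly which distro modules your package has overridden.

```shell
#!/bin/sh
# Added example; not part of the original blog post.

# Install (or update) our custom module at a given priority (assumed default 200).
# semodule -X PRIORITY is the SELinux userspace >= 2.4 flag for module priorities.
ship_module() {
    # $1 = path to the .pp file, $2 = priority (default 200)
    semodule -X "${2:-200}" -i "$1"
}

# Remove only our copy; the distro's priority-100 module becomes active again.
unship_module() {
    # $1 = module name, $2 = priority (default 200)
    semodule -X "${2:-200}" -r "$1"
}

# Constructed sample of `semodule -lfull` output: "priority name format".
# Entries marked "disabled" in a trailing column are ignored by the parser below.
SAMPLE_LFULL='100 abrt              pp
100 docker            pp
400 docker            pp
100 myapp             pp
200 myapp             pp
100 zebra             pp'

# Read semodule -lfull output on stdin and print one line per module:
#   name active_priority [shadows: lower priorities that are installed but inactive]
active_modules() {
    awk '
    NF >= 2 && $NF != "disabled" {
        prio = $1 + 0; name = $2
        if (!(name in best)) {
            best[name] = prio
        } else if (prio > best[name]) {
            shadow[name] = shadow[name] " " best[name]
            best[name] = prio
        } else {
            shadow[name] = shadow[name] " " prio
        }
    }
    END {
        for (n in best) {
            s = shadow[n]; sub(/^ /, "", s)
            printf "%s %d%s\n", n, best[n], (s == "" ? "" : " shadows: " s)
        }
    }' | sort
}

# Print just the active priority of one module, e.g. `active_priority docker`.
active_priority() {
    active_modules | awk -v n="$1" '$1 == n { print $2 }'
}

# Offline demonstration on the constructed sample; on a real host you would
# pipe `semodule -lfull` into active_modules instead.
printf '%s\n' "$SAMPLE_LFULL" | active_modules
```

On the sample, docker and myapp each report a higher-priority copy shadowing the distro's 100, while abrt and zebra are untouched; running the same parser over real semodule -lfull output before and after a package upgrade is a quick way to confirm that your module, and not a stale admin override at 400, is the one in effect.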