Multiple SELinux modules installed on system. Why?

In the current Fedora 32 Beta, if the freeipa-server package is present on your system, you can see that the SELinux module “ipa” is installed twice. You can check this with the semodule command; the parameter “-lfull” lists all modules together with their priorities.

# semodule -lfull | grep -w ipa
200 ipa               pp
100 ipa               pp

What does it mean?

The SELinux module with priority 100 comes from the distribution SELinux policy (the selinux-policy rpm package). The SELinux module with priority 200 comes from the freeipa-selinux package. This shows that the FreeIPA project ships a custom version of the SELinux security policy for its services. It is important to note that only the module with the highest priority is active; in this case, that is the one at priority 200.
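To see this rule applied across a whole system rather than to one module, the following script (an added example, not from the original post) parses `semodule -lfull` output, finds every module installed at more than one priority, and reports which priority is active and which ones are shadowed. The sample output is constructed for the example; on a real host pipe `semodule -lfull` into the function instead.

```shell
#!/bin/sh
# Sample `semodule -lfull` output constructed for this example.
# Columns: priority, module name, format (pp = policy package).
SAMPLE_OUTPUT='200 ipa               pp
100 ipa               pp
100 abrt              pp
400 abrt              pp
100 zebra             pp'

# Reads `semodule -lfull` lines on stdin and prints one line per module
# that is installed at more than one priority:
#   <module> active=<highest priority> shadowed=<lower priorities>
# Only the highest-priority copy is loaded into the kernel policy.
shadowed_modules() {
    awk '{
        prio = $1; mod = $2
        count[mod]++
        if (prio + 0 > max[mod] + 0) max[mod] = prio
        all[mod] = (all[mod] == "") ? prio : all[mod] " " prio
    }
    END {
        for (m in count) if (count[m] > 1) {
            shadowed = ""
            n = split(all[m], p, " ")
            for (i = 1; i <= n; i++) if (p[i] != max[m])
                shadowed = shadowed (shadowed == "" ? "" : ",") p[i]
            print m " active=" max[m] " shadowed=" shadowed
        }
    }' | sort
}

# Usage with the constructed sample; replace with: semodule -lfull | shadowed_modules
printf '%s\n' "$SAMPLE_OUTPUT" | shadowed_modules
```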

Why does FreeIPA ship its own SELinux policy module?

Because the SELinux policy is then aligned with the component it protects, which brings multiple benefits, such as:

  • SELinux denials related to FreeIPA are known during the testing phase, before a new version lands in Fedora
  • Developers notice unwanted changes in the code, because the SELinux policy for FreeIPA is well defined and surfaces newly introduced operations that are not allowed
  • Planned changes are known to the maintainers who are close to the component
  • The threat surface is better understood, so the strictness of the policy is decided by the right expert

This approach helps developers and users alike, increasing both the security and the usability of a Fedora system!

Guidance on how to ship a custom policy is available here.