This is a draft of a future packaging guidelines changes related to packaging SELinux modules. The text will be based on the original draft from 2012 - https://fedoraproject.org/wiki/PackagingDrafts/SELinux, but it will contain several process improvements.

Use macros

Some operations can done using macro defined in selinux-policy. It allows to ensure that SELinux modules and policy packaging is consistent across variety systems.

Since selinux-policy-x.y.z.fcNN, there are several macros available which simplify spec files and help an maintainer do the right thing.


If you ship your own SELinux policy module, you should use these two macros to install and uninstall the module.

%post selinux
%selinux_modules_install -s %selinuxtype $MODULES
%postun selinux
%selinux_modules_uninstall -s %selinuxtype %{modulenames}


If your module defines a file type and specifies a particular file context, you should relabel you filesystem after the module is installed or uninstalled. Relabeling of the whole filesystem can take really long time.

%selinux_relabel_pre macro, which should be run in %pre phrase, prepares a back up of the current file contexts list.

And %selinux_relabel_post macro use the backup and relabels only differences among the old and the new list.

%global selinuxtype targeted
+%pre selinux
+%selinux_relabel_pre -s %selinuxtype
+%posttrans selinux
+%selinux_relabel_post -s %selinuxtype


Since SELinux userspace release 2.4 or Fedora 24 SELinux module store supports priorities.

It allows us to distinguish system SELinux policy modules from custom SELinux policy modules. When multiple modules with the same name are present, the one with highest priority is used. It’s an ability to override a system module with a module with the same name and with a higher priority.

Priorities could be used according to the nspecification bellow.

100 - system modules from selinux-policy

The priority 100 is reserved for system modules which come from selinux-policy* packages. No other package should use this priority. In selinux-policy.spec file we use this construction:

SEMODULE="semodule -p %{buildroot} -X 100 "

200 - modules from other packages

All other packages which ship and install their own modules should use -X 200. E.g. for docker package it would mean to change its spec file

-%{_sbindir}/semodule -n -s %{selinuxtype} -i $MODULES
+%{_sbindir}/semodule -n -s %{selinuxtype} -X 200 -i $MODULES

300 - modules based on setroubleshoot suggestions

SETroubleshoot in Fedora already suggests users to use the priority 300. It suggests the following construction how to create their own modules

You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c sshd --raw | audit2allow -M my-sshd
# semodule -X 300 -i my-sshd.pp

400 - default

This priority is used by default when semodule is called without -X or --priority