selinux from developer - linuxdays · selinux policy will be always synchronized with a product....
TRANSCRIPT
![Page 1: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/1.jpg)
SELinux from Developer POV
LinuxDays 2017
Lukas VrabecVit Mojzis
![Page 2: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/2.jpg)
Virtual machine setup ● http://lukas-vrabec.com/image_selinux.tar.xz
● Run “virtual machine manager”
● Create new virtual machine
○ Import existing image
○ Os Type - Linux
○ Customize configuration before install
■ Add hardware
● Storage, CDROM, cloudinit_iso
![Page 3: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/3.jpg)
Agenda● Why SELinux ?
● Why ship your own SELinux module ?
● How can I add custom SELinux module into project rpms?
● How can I create Fedora module with custom SELinux module?
![Page 4: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/4.jpg)
Why SELinux?
![Page 5: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/5.jpg)
REACTIVE SECURITY
![Page 6: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/6.jpg)
![Page 7: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/7.jpg)
YOUR SYSTEM IS NOT PROTECTED DURING THE WINDOW OF VULNERABILITY!
![Page 8: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/8.jpg)
PROACTIVE SECURITY
![Page 9: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/9.jpg)
![Page 10: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/10.jpg)
PROACTIVE SECURITY HELPS TO PROTECT YOUR SYSTEM DURING THE WINDOW OF VULNERABILITY!
![Page 11: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/11.jpg)
SECURITY ENHANCED LINUX IS A SECURITY MECHANISM BRINGING PROACTIVE SECURITY FOR
YOUR SYSTEM.
![Page 12: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/12.jpg)
Traditional Linux Security
![Page 13: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/13.jpg)
$ ls -dl /var/www/html/
drwx r-x r-x. 2 root root /var/www/html/
USER GROUP ALL
![Page 14: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/14.jpg)
SELinux Security Policy
![Page 15: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/15.jpg)
CORE COMPONENT OF SELINUX
![Page 16: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/16.jpg)
CORE COMPONENT OF SELINUX
COLLECTION OF SELINUX POLICY RULES
![Page 17: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/17.jpg)
CORE COMPONENT OF SELINUX
COLLECTION OF SELINUX POLICY RULES
LOADED INTO THE KERNEL BY SELINUX USERSPACE TOOLS
![Page 18: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/18.jpg)
ENFORCED BY THE KERNEL
![Page 19: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/19.jpg)
ENFORCED BY THE KERNEL
USED TO AUTHORIZE ACCESS REQUESTS ON THE SYSTEM
![Page 20: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/20.jpg)
BY DEFAULT EVERYTHING IS DENIED AND YOU DEFINE POLICY RULES TO ALLOW CERTAIN
REQUESTS.
![Page 21: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/21.jpg)
SELINUX POLICY RULES
![Page 22: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/22.jpg)
DESCRIBE AN INTERACTION BETWEEN PROCESSES AND SYSTEM RESOURCES
![Page 23: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/23.jpg)
SELINUX VIEW OF THAT INTERACTION
![Page 24: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/24.jpg)
ALLOW apache_process apache_log:FILE READ;
![Page 25: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/25.jpg)
apache_process apache_log
ARE LABELS
![Page 26: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/26.jpg)
LABELS
![Page 27: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/27.jpg)
ASSIGNED TO PROCESSES
![Page 28: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/28.jpg)
ASSIGNED TO PROCESSES
ASSIGNED TO SYSTEM RESOURCES
![Page 29: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/29.jpg)
ASSIGNED TO PROCESSES
ASSIGNED TO SYSTEM RESOURCES
BY SELINUX SECURITY POLICY
![Page 30: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/30.jpg)
ASSIGNED TO PROCESSES
ASSIGNED TO SYSTEM RESOURCES
BY SELINUX SECURITY POLICY
MAP REAL SYSTEM ENTITIES INTO THE SELINUX WORLD
![Page 31: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/31.jpg)
LABELS IN REALITY
![Page 32: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/32.jpg)
STORED IN EXTENDED ATTRIBUTES OF FILE SYSTEMS - EXT2,EXT3, EXT4 ...
![Page 33: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/33.jpg)
# getfattr -n security.selinux /etc/passwdgetfattr: Removing leading '/' from absolute path
names# file: etc/passwd
security.selinux="system_u:object_r:passwd_file_t:s0"
# ls -Z /etc/passwdsystem_u:object_r:passwd_file_t:s0 /etc/passwd
![Page 34: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/34.jpg)
Benefits of shipping own SELinux module
![Page 35: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/35.jpg)
● Changes in a policy can be modified immediately, so the product package maintainer does not need to wait until the distribution SELinux policy is updated.
● Policy changes in product SELinux policy can be released together with changes in product package so SELinux policy will be always synchronized with a product.
● Product package can follow different timeline deadlines then SELinux policy package, this can cause issues and customer can get new product package version without necessary changes in SELinux policy and this can block some functionality of a product.
![Page 36: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/36.jpg)
https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Creating_Own_Product_Policies
![Page 37: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/37.jpg)
Independent SELinux policy module
![Page 38: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/38.jpg)
● Write own SELinux policy from scratch and ask SELinux team for policy review. Note that a guide how to write an SELinux policy from the scratch is not a part of this workshop (See the Generating SELinux Policy Modules: sepolicy generate section in the SELinux Guide).
● Extract an SELinux policy from a distribution policy package. The Git repository with distribution policies is located on github.com/fedora-selinux/selinux-policy and github.com/fedora-selinux/selinux-policy-contrib.
![Page 39: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/39.jpg)
Agreement workflow
![Page 40: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/40.jpg)
Before you start with shipping own product policies, let the Red Hat SELinux team know about your intentions.To do this, use Fedora mailing list or contact SELinux policy maintainer:
● SELinux Policy maintainer● [email protected]
![Page 41: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/41.jpg)
Git Repository setup
![Page 42: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/42.jpg)
# Create directory to contain the project$ mkdir myapp-selinux$ cd myapp-selinux# initialize git repository$ git init# Push git repository to remote e.g. to github.com$ git remote add origin [email protected]:username/myapp-selinux$ git push -u origin master
![Page 43: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/43.jpg)
Preparing sources for the Policy Git Repository
![Page 44: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/44.jpg)
● License○ A Git repository should not contain only SELinux policy source files, but also a license. For more information how to add an open
source license in your repository, see the Adding a license to a repository article on the GitHub Help. Distribution policies have GPL license, so any policy extracted from Distribution policy must have GPL compatible license.
● Makefile○ https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Creating_Own_Product_Policies○ In section Makefile
● Policy source○ Type enforcement file (*.te)○ File contexts file (*.fc)○ Interface file (*.if)
$ lsMakefile myapp.fc myapp.if myapp.te LICENSE
![Page 45: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/45.jpg)
$ makemake -f /usr/share/selinux/devel/Makefile myapp.ppmake[1]: Entering directory '/home/lvrabec/devel/documentations/examples'Compiling targeted myapp module/usr/bin/checkmodule: loading policy configuration from tmp/myapp.tmp/usr/bin/checkmodule: policy configuration loaded/usr/bin/checkmodule: writing binary representation (version 17) to tmp/myapp.modCreating targeted myapp.pp policy packagerm tmp/myapp.mod.fc tmp/myapp.modmake[1]: Leaving directory '/home/lvrabec/devel/documentations/examples'Compressing myapp.pp -> myapp.pp.bz2bzip2 -9 myapp.pp
![Page 46: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/46.jpg)
$ cd ../$ tar -czf myapp-selinux.tar.gz myapp-selinux/
![Page 47: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/47.jpg)
SELinux policy is ready!
![Page 48: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/48.jpg)
Creating spec file
![Page 49: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/49.jpg)
Spec file will be described on the Independent Policy wiki page:
https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Creating_Own_Product_Policies
![Page 50: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/50.jpg)
Setting booleans During a package installation
![Page 51: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/51.jpg)
Usage of booleans in a .spec file follows these rules:● If a boolean mentioned in the product .spec file is not set by user previously, it will be changed in the %post
install phase and during the %post uninstall phase will be reverted.● If a boolean mentioned in the product .spec file was set by user previously, it will be changed to a value from
this file. However, during the uninstallation of a product SELinux subpackage, it will not be reverted.
![Page 52: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/52.jpg)
Port labelling during a package installation
![Page 53: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/53.jpg)
if %{_sbindir}/selinuxenabled ; then %{_sbindir}/load_policy %relabel_files %{_sbindir}/semanage port -a -t product_port_t -p tcp 1111fi
![Page 54: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/54.jpg)
Move your SELinux product policy sources to the proper destination:
$ cp myapp-selinux.tar.gz ~/rpmbuild/SOURCES/
Build your product (sub)package with an own SELinux policy:
# rpmbuild -ba myapp-selinux.spec
![Page 55: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/55.jpg)
Removing an Own Product Policy from the System
Policy
![Page 56: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/56.jpg)
When is your own product SELinux subpackage ready for a release, contact the SELinux policy maintainer. He should remove a product policy from the SELinux distribution policy and update the package. A product maintainer should add dependency for the selinux-policy package:
# Version of selinux-policy when product policy was removed%global selinux_policyver POLICY_VERSIONRequires: selinux-policy >= %{selinux_policyver}
![Page 57: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/57.jpg)
How can I create Fedora module with custom SELinux module?
![Page 58: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/58.jpg)
![Page 59: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/59.jpg)
Module streams
![Page 60: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/60.jpg)
Define how to build the module
![Page 61: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/61.jpg)
Decide what to ship
![Page 62: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/62.jpg)
Specify how to use
![Page 63: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/63.jpg)
Miroslav Grepl’s blog https://mgrepl.wordpress.com/Paul Moore’s blog http://www.paul-moore.com/Lukas Vrabec’s blog https://lukas-vrabec.com/Dan Walsh’s blog http://danwalsh.livejournal.com/
QUESTIONS?
![Page 64: SELinux from Developer - LinuxDays · SELinux policy will be always synchronized with a product. Product package can follow different timeline deadlines then SELinux policy package,](https://reader031.vdocuments.mx/reader031/viewer/2022022014/5b49df027f8b9aac238bbe7d/html5/thumbnails/64.jpg)
THANK YOUplus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews