Ticket #538 (closed enhancement: fixed)

Opened 2 years ago

Last modified 8 months ago

Ship Midgard with SELinux policy files

Reported by: bergie
Assigned to: jval
Priority: major
Milestone: 8.09.4 Ragnaroek
Component: Midgard Data
Version: 8.09 Ragnaroek
Keywords:
Cc:

Description

Several Linux distributions come with SELinux. It would be a good thing to ship Midgard with appropriate SELinux policy files.

http://www.linuxjournal.com/article/8766

Change History

12/15/08 14:40:24 changed by bergie

  • milestone changed from 8.09.3 Ragnaroek to 8.09.4 Ragnaroek.

02/10/09 15:44:55 changed by jval

  • status changed from new to assigned.
  • component changed from Midgard Data to Midgard Apache.

It would require working on the actual platforms to make the policy modules for all the distributions and for all of their policies.

For Fedora based distributions (Fedora, Red Hat Enterprise Linux, CentOS etc.) this can be done by me.

There are three policies currently in Fedora: strict, targeted and mls. I'm thinking perhaps we could first settle for having a working targeted policy module because that's the one we really desperately need (because Fedora based distributions ship with SELinux targeted policy enabled by default)...

02/10/09 15:46:55 changed by jval

(In [20395]) SELinux targeted policy files for Fedora based distributions, refs #538

03/09/09 12:35:59 changed by jval

(In [20940]) Add Fedora related files to make dist, refs #538

03/09/09 12:53:57 changed by jval

  • priority changed from minor to major.

In my opinion this ticket should be taken as "make policy modules for all distribution policies which are enabled by default". And as far as I know, Fedora's targeted policy is the only one which is enabled by default.

Supporting the default distribution settings is kind of important (as without having this Midgard doesn't work without knowledge of how to tweak the SELinux configuration), so I'm raising the priority of this ticket.

03/09/09 13:12:04 changed by jval

<bergie> jval: feel free to edit the ticket and close it :-)

Ok. So I'm taking this ticket as I said above. Which means basically this ticket is now fixed.

03/09/09 14:13:21 changed by jval

(In [20951]) Add spec files based on Fedora Packaging Guidelines. Fixes #941, refs #538

03/09/09 14:58:22 changed by jval

  • status changed from assigned to closed.
  • resolution set to fixed.

Now we have Fedora/EL SELinux targeted policy source files as well as Fedora/EL RPM spec files which handle the SELinux targeted policy out-of-the-box (you can create binary rpms from those if you have a Fedora based OS like Fedora >= ?, RHEL >= 5 or CentOS >= 5).

It would be nice if the OBS binaries would also handle the Fedora/EL SELinux targeted policy out-of-the-box. But that's another issue and I've created a general ticket #943 about that.

Closing this ticket now as fixed.

03/11/09 17:30:56 changed by jval

  • status changed from closed to reopened.
  • resolution deleted.
  • component changed from Midgard Apache to Midgard Data.

Oh, I've made a mistake by adding the SELinux files to mod_midgard. The whole policy (e.g. file contexts) reflects the way datagard configures the system, so clearly the policy should be shipped with midgard-data instead of mod_midgard.

I need to change that to keep things consistent...

03/11/09 17:43:38 changed by jval

(In [21043]) Move the SELinux policy files from mod_midgard to midgard-data, refs #538

03/11/09 17:55:50 changed by jval

(In [21044]) Remove the selinux subpackage. Refs #538, refs #941

03/11/09 18:31:52 changed by jval

(In [21051]) Rename the SELinux policy module from modmidgard to midgard, refs #538

03/11/09 18:34:39 changed by jval

  • status changed from reopened to closed.
  • resolution set to fixed.

(In [21054]) Add the selinux subpackage. Fixes #538, refs #941

03/12/09 11:57:16 changed by jval

(In [21059]) Add versioned selinux-policy dependency to ensure binary compatibility. Refs #941, refs #538

03/12/09 12:11:17 changed by jval

(In [21060]) Fix the changelog dates to reflect the latest change dates. Refs #941, refs #538

03/12/09 13:15:11 changed by jval

(In [21063]) Simplify package names and dependencies. Refs #941, refs #538

09/01/09 13:22:58 changed by jval

(In [23264]) Allow midgard-data-selinux to be older than midgard-data and move its dependency to midgard-cms-server. Refs #941, refs #538

09/01/09 13:53:37 changed by jval

(In [23265]) Forgot to keep midgard-data dependency in midgard-cms, fixing now. Refs #941, refs #538

10/12/09 17:05:44 changed by jval

Replying to jval:

Now we have Fedora/EL SELinux targeted policy which handle the SELinux targeted policy out-of-the-box It would be nice if the OBS binaries would also handle the Fedora/EL SELinux targeted policy out-of-the-box. But that's another issue and I've created a general ticket #943 about that.

#943 is now implemented, which means Midgard supports SELinux now fully. Which in turn means you don't have to worry about SELinux when installing Midgard on Fedora/EL. Just use the rpms and it just works. :)

01/21/10 15:20:07 changed by jval

(In [24835]) Add memcached support to the midgard selinux policy module. Updated midgard.pp from 1.0.0 to 1.1.0 in the midgard-data-selinux OBS package. Refs #538, refs #941, refs #943