Greetings, I was looking for directions about how would an ISV rool own policy for the packages it ships. A very basic and step-by-step tutorial, for tiny minds :-)
Thank you for your consideration, Davide Bolcioni
On Wed, 27 Apr 2005 14:53:25 +0200, Davide Bolcioni wrote:
Greetings, I was looking for directions about how would an ISV rool own policy for the packages it ships. A very basic and step-by-step tutorial, for tiny minds :-)
I don't think there is any such document. Right now you can't distribute policy anyway:
- The binary policy modules framework isn't fully deployed yet, or at least that's the impression I got last time I talked to the author
- There are no formal policy compatibility ... er ... policies, between distributions as far as I'm aware. So the meaning of a given bit of policy might change depending on the distributions specific implementation.
What exactly are your goals? Do you want to lock down your own program or is this more about compatibility?
I'm pretty interested in letting Linux software developers ship policy as part of their own binary packages to allow for better lockdown/least priv on systems that support it but I don't think the technology is there yet.
thanks -mike
Mike Hearn wrote:
I don't think there is any such document. Right now you can't distribute policy anyway:
- The binary policy modules framework isn't fully deployed yet, or at least that's the impression I got last time I talked to the author
Maybe I'm so badly in need of a tutorial as to be unable to express my question, see below.
- There are no formal policy compatibility ... er ... policies, between distributions as far as I'm aware. So the meaning of a given bit of policy might change depending on the distributions specific implementation.
That's part of what I would be looking for. How would I find out about the policies in effect ?
What exactly are your goals? Do you want to lock down your own program or is this more about compatibility?
The initial goal is compatibility: ship a possibly distribution-specific package which works regardless of whether the customer uses no selinux, the targeted policy or the strict policy. Making it policy-specific would be ugly, as I would get a combinatorial explosion of .rpm packages to ship.
I realize that it might not be possible to do that just at the packaging level, i.e. that changes might be necessary upstream, but I am currently unable to tell which changes are appropriate for the packaging stage and which would impact the code.
Once that goal is achieved, being able to lock down the software would be the next step; I guess that a less than cursory knowledge of SELinux would be necessary to do that, however.
I'm pretty interested in letting Linux software developers ship policy as part of their own binary packages to allow for better lockdown/least priv on systems that support it but I don't think the technology is there yet.
Well, maybe the technology is not there but it hurts already: we currently have code which does not work because of selinux. It is old code which we are more interested in phasing out than supporting, but we would like not to get bitten in the future.
Thank you for your consideration, Davide Bolcioni
This string of messages brings up something I wanted to get a conversation going on how to handle non OS Provided policy.
We all know we need a better mechanism for handling "binary" policy in the future. ( I think the future is now.) I see three people providing policy.
1. OS Provider with base policy. (It would also be nice if the base policy got broken into several policies and only the policy of the running service would be loaded. If we got to this state we would need a new mechanism for restoring file context since file_context might not meet the currently loaded policy.
2. Third Party application developers. As the use of targeted policy has begun to take off, Third Party ISV have started to question how they can play in this world.
I see Tresys Stuff solving the problems of both of the above.
3 Local User customization and minor policies. Currently we have people using audit2allow creating files in domains/misc and then reloading policy. We need a mechanism for users to be able to do this without recompiling policy. Also more significantly how do we handle the small diffed apache_domain stuff. A couple of months ago I redesigned apache policy to have a macro called apache_domain. A user could create a new apache_XYZ.te file with
apache_domain(XYZ) Followed by a few allow rules and be able to get their cgi scripts working without turning off apache protection or running their script in httpd_unconfined_script_t.
The problem is the only way to do this is to install policy sources and muck around. I think we to have some shared library mechanism where a few well known macros could be defined and users could easily build their own custom policy.
Anyways I think we need more discussion on handling third party and user customization of policy outside of the current make tree stuff.
Dan
Dan
El jue, 28-04-2005 a las 11:54 -0400, Daniel J Walsh escribió:
The problem is the only way to do this is to install policy sources and muck around. I think we to have some shared library mechanism where a few well known macros could be defined and users could easily build their own custom policy.
Anyways I think we need more discussion on handling third party and user customization of policy outside of the current make tree stuff.
I've been thinking on it when working on the SELinux deployment within Ubuntu Linux, and binary policies are something pretty handy for binary packages-based distributions, among the general benefit they provide.
I might be able to work on something, but I would like to know first how many people is interested in this and how many of them would be able to contribute to it in the long term.
The idea I thought about is something like the one shown in the diagram at http://pearls.tuxedo-es.org/selinux/diagrams/selinux-binary-policies-1.png
Cheers,
On Thu, 2005-04-28 at 19:32 +0200, Lorenzo Hernández García-Hierro wrote:
I've been thinking on it when working on the SELinux deployment within Ubuntu Linux, and binary policies are something pretty handy for binary packages-based distributions, among the general benefit they provide.
I might be able to work on something, but I would like to know first how many people is interested in this and how many of them would be able to contribute to it in the long term.
Tresys Technology already has a working implementation of binary policy modules, including a module abstraction with a dependency model, a compiler for generating such modules, and a linker for linking them together with a "base module". Planned for upstreaming after FC4. See their prior posts to the selinux list or their web site for info.
-----Original Message----- From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Stephen Smalley Sent: Thursday, April 28, 2005 1:52 PM To: Lorenzo Hernández García-Hierro Cc: Daniel J Walsh; Davide Bolcioni; fedora-selinux-list@redhat.com; SELinux Subject: Re: Is there a SELinux tutorial for ISVs ?
On Thu, 2005-04-28 at 19:32 +0200, Lorenzo Hernández García-Hierro wrote:
I've been thinking on it when working on the SELinux deployment within Ubuntu Linux, and binary policies are something pretty handy for binary packages-based distributions, among the general benefit they provide.
I might be able to work on something, but I would like to know first how many people is interested in this and how many of them would be able to contribute to it in the long term.
Tresys Technology already has a working implementation of binary policy modules, including a module abstraction with a dependency model, a compiler for generating such modules, and a linker for linking them together with a "base module". Planned for upstreaming after FC4. See their prior posts to the selinux list or their web site for info.
This and the reference policy work I just mentioned in another email. As we work on upstreaming the binary modules we are going to need feedback / testing - if you are interested in this area I would greatly appreciate any help you can give.
Thanks,
Karl
--- Karl MacMillan Tresys Technology http://www.tresys.com (410) 290-1411 ext 134
-- Stephen Smalley sds@tycho.nsa.gov National Security Agency
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
-----Original Message----- From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Daniel J Walsh Sent: Thursday, April 28, 2005 11:55 AM To: Davide Bolcioni Cc: fedora-selinux-list@redhat.com; SELinux Subject: Re: Is there a SELinux tutorial for ISVs ?
This string of messages brings up something I wanted to get a conversation going on how to handle non OS Provided policy.
We all know we need a better mechanism for handling "binary" policy in the future. ( I think the future is now.) I see three people providing policy.
- OS Provider with base policy. (It would also be nice if the base
policy got broken into several policies and only the policy of the running service would be loaded. If we got to this state we would need a new mechanism for restoring file context since file_context might not meet the currently loaded policy.
In the binary policy work, the base is simply a binary module that is fully self-contained to guarantee that there will be an internally consistent / coherent policy at all times. That policy can be arbitrarily small, however.
As for only enabling policy for certain services I see three options:
1) Policy for all services is always loaded (current practice). 2) Policy for services that are installed is always loaded. 3) Policy for services that are installed is loaded on service start.
1 is obviously problematic because of wasted resources and privileged application domains being present when they should not be (not to mention 3rd party policy). We considered 3 when we started the binary module work, but decided that it was too complicated with little benefit. Additionally, I think that it is _very_ desirable to limit relabeling as much as possible. It is error prone and risky in terms of security.
2 is what we are targeting. The installation of a new service in the model I am proposing would
1) Install the binary policy module to a place on the filesystem managed by RPM (for example /etc/selinux/policy-name/installed-modules).
2) Load the policy by installing it with semodule (semodule -i policy.pp - .pp is for policy package which is the binary policy and file contexts). This will install the module into a managed location (for example /etc/selinux/policy-name/active-modules) and load it into the kernel.
3) RPM would then label files as it installs the application.
The binary module infrastructure also always creates a complete file_context like the current system, so that can be used for whatever labeling needs to be done.
- Third Party application developers. As the use of targeted policy
has begun to take off, Third Party ISV have started to question how they can play in this world.
I see Tresys Stuff solving the problems of both of the above.
That is the plan - we are porting the recent changes to libsepol/libselinux/checkpolicy to our tree and will start upstreaming the binary policy work soon. I am targeting getting this integrated by June.
3 Local User customization and minor policies. Currently we have people using audit2allow creating files in domains/misc and then reloading policy. We need a mechanism for users to be able to do this without recompiling policy. Also more significantly how do we handle the small diffed apache_domain stuff. A couple of months ago I redesigned apache policy to have a macro called apache_domain. A user could create a new apache_XYZ.te file with
apache_domain(XYZ) Followed by a few allow rules and be able to get their cgi scripts working without turning off apache protection or running their script in httpd_unconfined_script_t.
The problem is the only way to do this is to install policy sources and muck around. I think we to have some shared library mechanism where a few well known macros could be defined and users could easily build their own custom policy.
We are actively working on what we are calling reference policy. This attempts to create just such a 'shared library' mechanism among other goals. On the source level it creates abstractions in the form of layers and modules. Each module, which contains the policy for a well-defined functional area, exports a set of interfaces - macros that allow access to its resources.
I have attached a presentation that we recently did on this project, which may give you an idea of what we are trying to accomplish. I will get this on our web page soon. Also, we are starting a sourceforge project for this that will be up soon. We are making rapid progress on this and can release the policies that we have done so far when the project set up. If anyone would like to see what we have let me know and I will get you a tarball off list.
I think that the next step is to add the interface idea to the underlying binary module language so that external policies can start being dependent not on types but interfaces. If these stabilize enough it should be possible to write to this abstraction layer and have a single binary module work across many base policies.
Anyways I think we need more discussion on handling third party and user customization of policy outside of the current make tree stuff.
I agree. We are trying to tackle these problems, but need input about exactly what people need.
--- Karl MacMillan Tresys Technology http://www.tresys.com (410) 290-1411 ext 134
Dan
Dan
--
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
-----Original Message----- From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Daniel J Walsh Sent: Thursday, April 28, 2005 11:55 AM To: Davide Bolcioni Cc: fedora-selinux-list@redhat.com; SELinux Subject: Re: Is there a SELinux tutorial for ISVs ?
This string of messages brings up something I wanted to get a conversation going on how to handle non OS Provided policy.
We all know we need a better mechanism for handling "binary" policy in the future. ( I think the future is now.) I see three people providing policy.
- OS Provider with base policy. (It would also be nice if the base
policy got broken into several policies and only the policy of the running service would be loaded. If we got to this state we would need a new mechanism for restoring file context since file_context might not meet the currently loaded policy.
In the binary policy work, the base is simply a binary module that is fully self-contained to guarantee that there will be an internally consistent / coherent policy at all times. That policy can be arbitrarily small, however.
As for only enabling policy for certain services I see three options:
1) Policy for all services is always loaded (current practice). 2) Policy for services that are installed is always loaded. 3) Policy for services that are installed is loaded on service start.
1 is obviously problematic because of wasted resources and privileged application domains being present when they should not be (not to mention 3rd party policy). We considered 3 when we started the binary module work, but decided that it was too complicated with little benefit. Additionally, I think that it is _very_ desirable to limit relabeling as much as possible. It is error prone and risky in terms of security.
2 is what we are targeting. The installation of a new service in the model I am proposing would
1) Install the binary policy module to a place on the filesystem managed by RPM (for example /etc/selinux/policy-name/installed-modules).
2) Load the policy by installing it with semodule (semodule -i policy.pp - .pp is for policy package which is the binary policy and file contexts). This will install the module into a managed location (for example /etc/selinux/policy-name/active-modules) and load it into the kernel.
3) RPM would then label files as it installs the application.
The binary module infrastructure also always creates a complete file_context like the current system, so that can be used for whatever labeling needs to be done.
- Third Party application developers. As the use of targeted policy
has begun to take off, Third Party ISV have started to question how they can play in this world.
I see Tresys Stuff solving the problems of both of the above.
That is the plan - we are porting the recent changes to libsepol/libselinux/checkpolicy to our tree and will start upstreaming the binary policy work soon. I am targeting getting this integrated by June.
3 Local User customization and minor policies. Currently we have people using audit2allow creating files in domains/misc and then reloading policy. We need a mechanism for users to be able to do this without recompiling policy. Also more significantly how do we handle the small diffed apache_domain stuff. A couple of months ago I redesigned apache policy to have a macro called apache_domain. A user could create a new apache_XYZ.te file with
apache_domain(XYZ) Followed by a few allow rules and be able to get their cgi scripts working without turning off apache protection or running their script in httpd_unconfined_script_t.
The problem is the only way to do this is to install policy sources and muck around. I think we to have some shared library mechanism where a few well known macros could be defined and users could easily build their own custom policy.
We are actively working on what we are calling reference policy. This attempts to create just such a 'shared library' mechanism among other goals. On the source level it creates abstractions in the form of layers and modules. Each module, which contains the policy for a well-defined functional area, exports a set of interfaces - macros that allow access to its resources.
There is a presentation that we did on this work available at http://tresys.com/Downloads/selinux_dev/reference-policy.pdf, which may give you an idea of what we are trying to accomplish. Also, we are starting a sourceforge project for this that will be up soon. We are making rapid progress on this and can release the policies that we have done so far when the project set up. If anyone would like to see what we have let me know and I will get you a tarball off list.
I think that the next step is to add the interface idea to the underlying binary module language so that external policies can start being dependent not on types but interfaces. If these stabilize enough it should be possible to write to this abstraction layer and have a single binary module work across many base policies.
Anyways I think we need more discussion on handling third party and user customization of policy outside of the current make tree stuff.
I agree. We are trying to tackle these problems, but need input about exactly what people need.
--- Karl MacMillan Tresys Technology http://www.tresys.com (410) 290-1411 ext 134
Dan
Dan
--
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as
the message.
On Thu, 28 Apr 2005 11:54:30 -0400, Daniel J Walsh wrote:
Anyways I think we need more discussion on handling third party and user customization of policy outside of the current make tree stuff.
Sorry for posting so late ... one thing I'd also like to see is some formal rules for policy compatibility. For instance, if FC4 ships and says "Shared libraries with text relocations are no longer allowed by default" then this breaks things. If FC5 ships and now you need special tagging to connect to the X server, well ....
(I don't know if this has actually happened or not yet but it seems to keep coming up)
It may be decided that it's an acceptable price to pay for the additional security, or it may not. I don't think that discussion should happen now. But I think ISVs would feel a lot more secure if this sort of decision appeared not to be arbitrary and if there was some way to plan and work with the OS base policy writers.
A basic system could be to have widely adopted (cross-distro) and documented security levels, ie:
Level 1: Basic targetted - optin, only affects daemons, no restrictions on anything else
Level 2: Targetted + additional restrictions, execshield enabled (ie this is not just an SELinux thing), apps which require special privs must have custom policy
Level 3: Strict
or something similar to that. This means users can adjust their security level to adapt to what programs they run, and ISVs can say "Minimum Requirements: Level 2 or lower security level".
thanks -mike
Mike Hearn wrote:
On Thu, 28 Apr 2005 11:54:30 -0400, Daniel J Walsh wrote:
Anyways I think we need more discussion on handling third party and user customization of policy outside of the current make tree stuff.
Sorry for posting so late ... one thing I'd also like to see is some formal rules for policy compatibility. For instance, if FC4 ships and says "Shared libraries with text relocations are no longer allowed by default" then this breaks things. If FC5 ships and now you need special tagging to connect to the X server, well ....
The goal is to not change the fundamental securitylevel on policy/kernel updates. If it does there is a bug in policy. Now we will be adding additional booleans in order to allow users to increase the securitylevel. So if a kernel gets added to a shipping OS (FC3/RHEL4) that supports an additional access check, we need to allow this by default. Same goes with adding additional policy rules. For example, I am trying to update the FC3/RHEL4 targeted policy with the improvements made in rawhide. Any new booleans need to default to true.
(I don't know if this has actually happened or not yet but it seems to keep coming up)
It may be decided that it's an acceptable price to pay for the additional security, or it may not. I don't think that discussion should happen now. But I think ISVs would feel a lot more secure if this sort of decision appeared not to be arbitrary and if there was some way to plan and work with the OS base policy writers.
A basic system could be to have widely adopted (cross-distro) and documented security levels, ie:
Level 1: Basic targetted - optin, only affects daemons, no restrictions on anything else
Level 2: Targetted + additional restrictions, execshield enabled (ie this is not just an SELinux thing), apps which require special privs must have custom policy
This is what booleans are for.
Level 3: Strict
or something similar to that. This means users can adjust their security level to adapt to what programs they run, and ISVs can say "Minimum Requirements: Level 2 or lower security level".
thanks -mike
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Mon, 2005-05-09 at 11:32 -0400, Daniel J Walsh wrote:
The goal is to not change the fundamental securitylevel on policy/kernel updates [ ... ] Any new booleans need to default to true.
Hmm, so if I understand correctly then it's actually very possible that updates/new distro versions will be shipped that deny things that were previously allowed by default, as long as there is a boolean to switch them off?
That sounds like by default every time you upgrade, programs might break. There must be a better way to deal with this.
This is what booleans are for.
Booleans are just an implementation mechanism, what is needed is some simple (end-user understandable) means for ISVs to communicate what permissions their software needs - possibly for old versions of their software that don't work with new policy.
Usability-wise it's not OK to put:
"This software requires that the SELinux 'foo', 'bar', 'xyz' booleans be set to false".
This is asking too much of the user, especially as there should ideally be some easy way to apply more relaxed policy to an individual program if it can't cope with the system defaults. Booleans for individual programs is just too complicated.
I suggested a level system because (I think) it's reasonable to expect end users to deal with statements like "This program cannot run with security level 3 or higher". Whereas it's not reasonable to expect people to be able to adjust things at a finer level of detail than that.
thanks -mike
Mike Hearn wrote:
On Mon, 2005-05-09 at 11:32 -0400, Daniel J Walsh wrote:
The goal is to not change the fundamental securitylevel on policy/kernel updates [ ... ] Any new booleans need to default to true.
Hmm, so if I understand correctly then it's actually very possible that updates/new distro versions will be shipped that deny things that were previously allowed by default, as long as there is a boolean to switch them off?
That sounds like by default every time you upgrade, programs might break. There must be a better way to deal with this.
This is what booleans are for.
Booleans are just an implementation mechanism, what is needed is some simple (end-user understandable) means for ISVs to communicate what permissions their software needs - possibly for old versions of their software that don't work with new policy.
No. If you update policy or kernel or any other componant of SELinux, things should work as they did before. Anything that breaks is a bug.
Usability-wise it's not OK to put:
"This software requires that the SELinux 'foo', 'bar', 'xyz' booleans be set to false".
We attempt to set a reasonable relaxness around the policy. So most booleans are set to allow users full access.
Advanced users may want to turn up the security. So if a user wants to be able to turn off apache's ability to run cgi scripts. They can set httpd_enable_cgi=0. The default will be allow cgi scripts.
This is asking too much of the user, especially as there should ideally be some easy way to apply more relaxed policy to an individual program if it can't cope with the system defaults. Booleans for individual programs is just too complicated.
Agreed, that is why we ship with a relaxed policy where reasonable.
I suggested a level system because (I think) it's reasonable to expect end users to deal with statements like "This program cannot run with security level 3 or higher". Whereas it's not reasonable to expect people to be able to adjust things at a finer level of detail than that.
thanks -mike
On Mon, 09 May 2005 17:25:53 BST, Mike Hearn said:
Hmm, so if I understand correctly then it's actually very possible that updates/new distro versions will be shipped that deny things that were previously allowed by default, as long as there is a boolean to switch them off?
That sounds like by default every time you upgrade, programs might break. There must be a better way to deal with this.
Hey. At least we're giving them a boolean. There's lots of stuff that gets ripped out and breaks stuff (see Documentation/feature-removal-schedule.txt for what's currently on the chopping block.
Try installing a recent RedHat system without udev - that requires more work than just a boolean to work around. ;)
Mike Hearn wrote:
I don't think there is any such document. Right now you can't distribute policy anyway:
- The binary policy modules framework isn't fully deployed yet, or at least that's the impression I got last time I talked to the author
Maybe I'm so badly in need of a tutorial as to be unable to express my question, see below.
- There are no formal policy compatibility ... er ... policies, between distributions as far as I'm aware. So the meaning of a given bit of policy might change depending on the distributions specific implementation.
That's part of what I would be looking for. How would I find out about the policies in effect ?
What exactly are your goals? Do you want to lock down your own program or is this more about compatibility?
The initial goal is compatibility: ship a possibly distribution-specific package which works regardless of whether the customer uses no selinux, the targeted policy or the strict policy. Making it policy-specific would be ugly, as I would get a combinatorial explosion of .rpm packages to ship.
I realize that it might not be possible to do that just at the packaging level, i.e. that changes might be necessary upstream, but I am currently unable to tell which changes are appropriate for the packaging stage and which would impact the code.
Once that goal is achieved, being able to lock down the software would be the next step; I guess that a less than cursory knowledge of SELinux would be necessary to do that, however.
I'm pretty interested in letting Linux software developers ship policy as part of their own binary packages to allow for better lockdown/least priv on systems that support it but I don't think the technology is there yet.
Well, maybe the technology is not there but it hurts already: we currently have code which does not work because of selinux. It is old code which we are more interested in phasing out than supporting, but we would like not to get bitten in the future.
Thank you for your consideration, Davide Bolcioni
On Thu, 28 Apr 2005 10:20:55 +0200, Davide Bolcioni wrote:
That's part of what I would be looking for. How would I find out about the policies in effect ?
You can review their sources.
The initial goal is compatibility: ship a possibly distribution-specific package which works regardless of whether the customer uses no selinux, the targeted policy or the strict policy. Making it policy-specific would be ugly, as I would get a combinatorial explosion of .rpm packages to ship.
OK. What exactly broke your app? Targetted isn't supposed to interfere with most programs (except that sometimes that doesn't seem to be the case, I'm still researching this too!). So you should be able to ignore that. It may be that the shlib_textrel_t thing got you, so far that's the only part of targetted I know about which isn't actually backwards compatible.
As for strict policy, well I don't know what the default there is. I guess the default is "deny everything" so every program needs policy to work but I don't know for sure. I don't think many people run strict right now though.
Until binary policy is implemented though I am not sure you can ship policy in RPMs. It has to be in the central policy as a patch and you can then mark the files with the right contexts. You (hopefully) shouldn't need any custom policy though.
thanks -mike
Mike Hearn wrote:
You can review their sources.
I meant programmatically but never mind, I got the message that we're not quite there yet.
OK. What exactly broke your app? Targetted isn't supposed to interfere with most programs (except that sometimes that doesn't seem to be the case, I'm still researching this too!). So you should be able to ignore that. It may be that the shlib_textrel_t thing got you, so far that's the only part of targetted I know about which isn't actually backwards compatible.
The app is a Web application which includes a proprietary CGI executable, but in the targeted policy only appropriately-labeled CGI get run. Having the CGI not sit in cgi-bin probably adds to the pain, I guess. I found out how to disable SELinux protection for Apache, but that kind of defeats the purpose and does not help customer relationships.
Until binary policy is implemented though I am not sure you can ship policy in RPMs. It has to be in the central policy as a patch and you can then mark the files with the right contexts. You (hopefully) shouldn't need any custom policy though.
Another message suggested that FC5 is likely to be the target for the stuff I am grasping at.
Thank you for your consideration, Davide Bolcioni
On Wed, 2005-04-27 at 14:53 +0200, Davide Bolcioni wrote:
Greetings, I was looking for directions about how would an ISV rool own policy for the packages it ships. A very basic and step-by-step tutorial, for tiny minds :-)
Nothing quite fits the bill as you describe it, but nonetheless have a look at the links under 'Documentation' at: http://selinux.sourceforge.net/resources.php3
In particular: 1) There are some (outdated) HOWTOs on the sourceforge site, http://sourceforge.net/docman/?group_id=21266
2) There is a RHEL4 SELinux Guide, http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
3) There is a NSA technical report, http://www.nsa.gov/selinux/papers/policy2/t1.html
4) There is a published book, http://www.oreilly.com/catalog/selinux/
5) There is a course, http://www.tresys.com/selinux/selinux-course-outline.html
Of course, as others have noted, we don't yet have the infrastructure in place for distributing package policies effectively. Binary policy module support should be in FC5 (not FC4).
selinux@lists.fedoraproject.org