Place a copy of "example_tests-DSP.yml" into the "tests" directory of the resulting package's distgit repository to test for potentially dangerous policy issues (we recommend renaming it to "tests-DSP.yml", but any name matching "tests*.yml" will work). The environment section needs to be configured for your package, and the package under test (the one named in TEST_RPM) also needs to be added to required_packages.

Example environment configurations:

-------------------------------------------------------------------------------
Zabbix - policy sources are placed directly in distgit (hence POLICY_TAR: '')
https://src.fedoraproject.org/rpms/zabbix/pull-request/4

    TEST_RPM: zabbix-selinux
    TEST_POLICY: zabbix
    POLICY_TAR: ''
    POLICY_PATH: .
-------------------------------------------------------------------------------
FreeIPA - policy sources live in the freeipa upstream tarball (in the 'selinux' directory)
https://src.fedoraproject.org/rpms/freeipa/tree/master

    TEST_RPM: freeipa-selinux
    TEST_POLICY: ipa
    POLICY_TAR: 'freeipa-*.tar.gz'
    POLICY_PATH: 'freeipa-*/selinux'
-------------------------------------------------------------------------------
USBGuard - policy sources are stored in a separate repository (separate tar.gz)
https://src.fedoraproject.org/rpms/usbguard/tree/master

    TEST_RPM: usbguard-selinux
    TEST_POLICY: usbguard
    POLICY_TAR: 'usbguard-selinux*.tar.gz'
    POLICY_PATH: 'usbguard-selinux*'
-------------------------------------------------------------------------------

Debugging test results

The "Unsound/dangerous policy practices" section of the results is based on [1], where you can find more details about each issue and suggestions for possible causes. Policy rules flagged by this part of the test can be waived using the IGNORE_RULES variable in tests-DSP.yml (each waiver has to be agreed upon with the SELinux team). Each entry is a source_type:target_type:class triple, one per line in a folded scalar. Example:

    IGNORE_RULES: >-
      nagios_script_t:system_map_t:file
      nagios_script_t:boot_t:dir

For more details about the "SELint static analysis" section, see [2].
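The three source layouts above and the IGNORE_RULES waiver, worked through in shell as an added example. This is not the test harness's own code: how the harness actually consumes POLICY_TAR/POLICY_PATH and matches IGNORE_RULES entries is assumed here (shell-glob expansion of both path variables, extraction of the tarball into the working directory, and exact matching of whole source:target:class triples). The tarball contents, version numbers and flagged rules are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the Fedora SELinux test harness.  The way the
# harness interprets POLICY_TAR / POLICY_PATH / IGNORE_RULES is ASSUMED here:
# shell-glob expansion of the two path variables, extraction of the tarball
# into the working directory, exact match of whole source:target:class triples.
set -eu

# resolve_policy_dir TAR_GLOB PATH_GLOB
# Prints the directory holding the policy sources.  An empty TAR_GLOB means
# the sources are committed to distgit directly (the Zabbix layout above).
resolve_policy_dir() {
    tar_glob=$1
    path_glob=$2
    if [ -n "$tar_glob" ]; then
        for t in $tar_glob; do          # unquoted: the shell expands the glob
            [ -f "$t" ] || { echo "no tarball matches '$tar_glob'" >&2; return 1; }
            tar -xf "$t"
        done
    fi
    # Skip non-directories: 'usbguard-selinux*' also matches the tarball itself.
    for d in $path_glob; do
        if [ -d "$d" ]; then
            echo "$d"
            return 0
        fi
    done
    echo "no directory matches '$path_glob'" >&2
    return 1
}

# apply_waivers "IGNORE_RULES value"
# Reads flagged rules (one source:target:class triple per line) on stdin and
# prints those not listed in IGNORE_RULES.  YAML's folded scalar (>-) joins
# the entries with spaces, so plain word splitting recovers the list.
apply_waivers() {
    ignore_file=$(mktemp)
    for rule in $1; do
        printf '%s\n' "$rule"
    done > "$ignore_file"
    # -x -F: whole-line, literal match; grep exits 1 when everything is waived
    grep -v -x -F -f "$ignore_file" || true
    rm -f "$ignore_file"
}

# --- demos on constructed trees (no real package is touched) ---

# Run CMD inside a scratch directory that is removed afterwards.
in_scratch_dir() {
    work=$(mktemp -d)
    ( cd "$work" && "$@" )
    rm -rf "$work"
}

_freeipa_layout() {
    # constructed upstream tarball: policy lives in <tarball root>/selinux
    mkdir -p src/freeipa-4.9.0/selinux
    printf 'policy_module(ipa, 1.0)\n' > src/freeipa-4.9.0/selinux/ipa.te
    tar -czf freeipa-4.9.0.tar.gz -C src freeipa-4.9.0 && rm -rf src
    resolve_policy_dir 'freeipa-*.tar.gz' 'freeipa-*/selinux'
}
demo_freeipa_layout() { in_scratch_dir _freeipa_layout; }

_usbguard_layout() {
    # constructed separate policy tarball: policy is the tarball root itself
    mkdir -p src/usbguard-selinux-0.1
    printf 'policy_module(usbguard, 1.0)\n' > src/usbguard-selinux-0.1/usbguard.te
    tar -czf usbguard-selinux-0.1.tar.gz -C src usbguard-selinux-0.1 && rm -rf src
    resolve_policy_dir 'usbguard-selinux*.tar.gz' 'usbguard-selinux*'
}
demo_usbguard_layout() { in_scratch_dir _usbguard_layout; }

_zabbix_layout() {
    printf 'policy_module(zabbix, 1.0)\n' > zabbix.te   # sources sit in distgit itself
    resolve_policy_dir '' .
}
demo_zabbix_layout() { in_scratch_dir _zabbix_layout; }

demo_waivers() {
    # Constructed check output: two waived triples and one that still fails.
    printf '%s\n' \
        'nagios_script_t:system_map_t:file' \
        'nagios_script_t:boot_t:dir' \
        'nagios_script_t:shadow_t:file' |
        apply_waivers 'nagios_script_t:system_map_t:file nagios_script_t:boot_t:dir'
}

echo "FreeIPA sources:  $(demo_freeipa_layout)"
echo "USBGuard sources: $(demo_usbguard_layout)"
echo "Zabbix sources:   $(demo_zabbix_layout)"
echo "Still flagged:    $(demo_waivers)"
```

Run it as a plain script. The first three lines show where each layout's sources end up relative to the working directory; the last line shows that a waiver covers only the exact triple listed, so a flagged rule with a different target type or object class is not silenced by an existing waiver and has to be fixed or separately agreed upon.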
Most issues reported by SELint can be fixed by tweaking the custom policy sources, but in rare cases it may also be necessary to update the distribution policy (e.g. to add a new interface). In such a case you can temporarily (until the necessary change in the distribution policy is merged) disable the given check by appending the following comment to the end of the line causing the issue:

    #selint-disable:<ISSUE-ID>

You can find the ISSUE-ID at the end of each SELint message.

[1] https://fedoraproject.org/wiki/SELinux/Unsound_or_dangerous_SELinux_policy_practices
[2] https://github.com/TresysTechnology/selint