From 2e02c86dce850f5b3807789caa1df1e4c2201fa0 Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Jun 16 2020 15:56:38 +0000 Subject: Add new sections about backwards compatiblity - Add "Backwards compatibility" and "Moving type/attribute/alias definitions" sections - Improve "Setting Booleans During Installation" - Fix minor issues in example spec files (please "fixup" this commit before accepting the pull request) --- diff --git a/guidelines/modules/ROOT/examples/selinux/interface-compatibility-block.if b/guidelines/modules/ROOT/examples/selinux/interface-compatibility-block.if new file mode 100644 index 0000000..29a0211 --- /dev/null +++ b/guidelines/modules/ROOT/examples/selinux/interface-compatibility-block.if @@ -0,0 +1,31 @@ +######################################## +# +# Interface compatibility blocks +# +# The following definitions ensure compatibility with distribution policy +# versions that do not contain given interfaces (epel, or older Fedora +# releases). +# Each block tests for existence of given interface and defines it if needed. +# + +######################################## +## +## Allow caller to signull sssd. +## Backport from RHEL8 +## +## +## +## Domain allowed access. +## +## +# +ifndef(`sssd_signull',` + interface(`sssd_signull',` + gen_require(` + type sssd_t; + ') + + allow $1 sssd_t:process signull; + ') +') + diff --git a/guidelines/modules/ROOT/examples/selinux/myapp-selinux-edit.spec b/guidelines/modules/ROOT/examples/selinux/myapp-selinux-edit.spec index e581998..5088f55 100644 --- a/guidelines/modules/ROOT/examples/selinux/myapp-selinux-edit.spec +++ b/guidelines/modules/ROOT/examples/selinux/myapp-selinux-edit.spec 
@@ -37,9 +37,9 @@ Custom SELinux policy module # SELinux policy (originally from selinux-policy-contrib) # this policy module will override the production module mkdir selinux -cp -p %{SOURCE18} selinux/ -cp -p %{SOURCE19} selinux/ -cp -p %{SOURCE20} selinux/ +cp -p %{SOURCE2} selinux/ +cp -p %{SOURCE3} selinux/ +cp -p %{SOURCE4} selinux/ make -f %{_datadir}/selinux/devel/Makefile %{name}.pp bzip2 -9 %{name}.pp @@ -77,4 +77,4 @@ fi %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.* %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} -%endif # if with_selinux \ No newline at end of file +%endif # if with_selinux diff --git a/guidelines/modules/ROOT/examples/selinux/myapp-selinux.spec b/guidelines/modules/ROOT/examples/selinux/myapp-selinux.spec index f9f1c7c..afb230e 100644 --- a/guidelines/modules/ROOT/examples/selinux/myapp-selinux.spec +++ b/guidelines/modules/ROOT/examples/selinux/myapp-selinux.spec @@ -29,7 +29,7 @@ make %install # install policy modules -install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 %check @@ -51,4 +51,4 @@ fi %changelog * Mon Jan 01 2017 Author Name - 0.1.0-1 -- First Build \ No newline at end of file +- First Build diff --git a/guidelines/modules/ROOT/pages/SELinuxDecentralizedPolicy.adoc b/guidelines/modules/ROOT/pages/SELinuxDecentralizedPolicy.adoc index 71bea69..feda2d2 100644 --- a/guidelines/modules/ROOT/pages/SELinuxDecentralizedPolicy.adoc +++ b/guidelines/modules/ROOT/pages/SELinuxDecentralizedPolicy.adoc 
@@ -117,6 +117,59 @@ or submit a pull request. Please bear in mind that such changes will influence other policy modules that use given interface. +=== Backwards compatibility + +The most common problem with using custom policies +on older distributions is undefined interfaces. + +.... +Compiling targeted nagios module +selinux/nagios.te:374:ERROR 'syntax error' at token 'sssd_signull' on line 19406: + sssd_signull(nrpe_t) +.... + +This issue can be resolved by conditionally defining the missing interface. +To do this, find definition of the missing interface in +https://github.com/fedora-selinux/selinux-policy-contrib[SELinux-policy-contrib] +or +https://github.com/fedora-selinux/selinux-policy[SELinux-policy] +repository, copy it to your interface file and enclose in an _ifndef_ +statement. + +Example using _sssd_signull_ (necessary to use this interface in epel8): + +.myapp.if +[source] +---- +include::{examplesdir}/selinux/interface-compatibility-block.if[] +---- + +=== Moving type/attribute/alias definitions + +Whenever a type,attribute or alias definition is moved between modules +(this is usually done when two modules are merged together, +or some distinct part of a policy is moved to a separate module) +maintainers should include the following steps in the custom policy installation: + +* Disable the distribution version of affected module(s) before calling +`%selinux_modules_install` +** `semodule -d &> /dev/null || true;` +* Re-enable the original policy modules after +`%selinux_modules_uninstall` +** `semodule -e &> /dev/null || true;` + +These steps are necessary to avoid type, attribute or alias redefinition errors, +which may cause the custom package installation to fail. +Example of such error: + +.... +Running scriptlet: freeipa-selinux-4.8.6-1.fc33.noarch 2/4 +Re-declaration of type ipa_custodia_t +Failed to create node +Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/ipa_custodia/cil:1 +/usr/sbin/semodule: Failed! +.... 
+ [[file-contexts]] === File contexts and equivalency rules @@ -229,7 +282,7 @@ Therefore the following rich dependency syntax should be used: Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) .... -This ensures that the *-selinux package and all it's dependencies +This ensures that the *-selinux package and all its dependencies are not pulled into containers and other systems that do not use SELinux. @@ -273,18 +326,13 @@ for more details about module priority. [[setting-booleans-during-installation]] === Setting Booleans During Installation -In some cases, it is necessary to enable or disable booleans -defined in a system security policy. -This change should be done during the installation phase -of the SELinux package and it should also follow a couple of rules. - WARNING: Setting generic booleans can open security holes in the system! -To change system booleans, use the following steps: +In some cases, it is necessary to enable or disable booleans +defined in the system security policy. +Maintainers should use the following steps to do so: -* Find a boolean that fits your needs best. -Try to avoid generic booleans, which allow many things -and their change could bring security holes to the system. +* Find a boolean that best fits your needs while avoiding generic booleans if possible (additional access in the custom policy module is preferred to switching a boolean that impacts other policy modules). * Specify booleans in the following format in the .spec file: +
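Review bot: in interface-compatibility-block.if the `ifndef(`sssd_signull',` guard only tests whether the m4 macro is defined; it does not test that `sssd_t` exists, so on a target policy that ships neither the interface nor the sssd module the `gen_require(` type sssd_t; `)` will still fail when the module is linked. The accompanying comment should state that the block assumes `sssd_t` is present in the distribution policy (the epel8 case it was written for). Two smaller points: keep the interface body byte-identical to the upstream `sssd_signull` definition so the module grants the same access whether or not the guard fires, and move `## Backport from RHEL8` out of the `##` doc-comment block into a plain `#` comment, since the `##` lines are what the interface documentation is generated from.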
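Review bot: in the myapp-selinux-edit.spec `%prep` hunk, the change from `%{SOURCE18}`..`%{SOURCE20}` to `%{SOURCE2}`..`%{SOURCE4}` is only correct if the preamble declares `Source2`, `Source3` and `Source4` for the .te, .if and .fc files; the preamble is outside the hunk, so please confirm it matches. Also, `make -f %{_datadir}/selinux/devel/Makefile %{name}.pp` expects the copied sources to be named `%{name}.te`, `%{name}.if` and `%{name}.fc`, which the three `cp -p` lines do not enforce; a comment saying so, or copying to explicit destination names, would save readers a confusing build failure.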
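Review bot: the myapp-selinux.spec `%install` fix is correct and worth a one-line explanation in the guideline text: with `install -D`, the last path component of the destination is treated as the target file name, so the old line `install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}` wrote the module to a file literally named `%{selinuxtype}` (e.g. `targeted`) instead of into that directory, and the `%files` glob `%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*` would not match it. Adding `-p` to preserve the build timestamp is optional but common in Fedora specs.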
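Review bot: the `%changelog` hunk in myapp-selinux.spec fixes the trailing newline but leaves `* Mon Jan 01 2017 Author Name - 0.1.0-1` in place; 1 January 2017 was a Sunday, so `rpmbuild` will warn about a bogus date in `%changelog` for this example. Since the line is already in the hunk's context, correcting the weekday (or the date) here would keep the example spec building warning-free.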
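Review bot: in the new "Moving type/attribute/alias definitions" section, `semodule -d &> /dev/null || true;` and `semodule -e &> /dev/null || true;` are shown without a module name operand, so as written they disable and enable nothing; the placeholder for the distribution module name needs to appear in the rendered text (if it was written as a literal `<module_name>`, check that AsciiDoc did not swallow it). Two further points on those commands: `&>` is a bash extension rather than POSIX sh redirection, so `> /dev/null 2>&1` is the safer form for a scriptlet, and the trailing `;` is unnecessary. Minor wording in the same hunk: "type,attribute or alias" is missing a space, "find definition of the missing interface" should read "find the definition of", and "enclose in an _ifndef_ statement" should read "enclose it in".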
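Review bot: in the "Setting Booleans During Installation" hunk, the rewritten first bullet is one long sentence with a parenthetical that carries the actual guidance; splitting it reads better, e.g. "Find the boolean that best fits your needs. Avoid generic booleans where possible: adding the required access to the custom policy module is preferable to switching a boolean that affects other policy modules." Moving the WARNING ahead of the introductory paragraph is fine, since it is the first thing a maintainer should see.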