Dan Wilson

Reputation: 11

How can I determine which rpm installs the module which defines an SELinux type?

My package needs to set up some SELinux rules to allow my program access to certain things. Although I know which types I need to use in setting up the rules, I'm not sure which packages install those types. I would like to make sure that my package has dependencies on the SELinux types I reference. Is there a way I can find out which package was responsible for installing a given SELinux type?

In this specific case I'm looking for unconfined_service_t, but a general solution would be great because I'm sure I'll hit this again.

Upvotes: 0

Views: 342

Answers (1)

msuchy

Reputation: 5447

SELinux modules are in the /usr/share/selinux/targeted/ directory.

You must guess (more about this later) which file it may be.

# cp /etc/selinux/targeted/modules/active/modules/cdrecord.pp /tmp
# cd /tmp
# file cdrecord.pp 
cdrecord.pp: bzip2 compressed data, block size = 900k
# bunzip2 cdrecord.pp
bunzip2: Can't guess original name for cdrecord.pp -- using cdrecord.pp.out
# dnf install checkpolicy
...
# sedismod cdrecord.pp.out
Reading policy...
libsepol.policydb_index_others: security:  0 users, 3 roles, 42 types, 3 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  51 classes, 0 rules, 0 cond rules
libsepol.policydb_index_others: security:  0 users, 3 roles, 42 types, 3 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  51 classes, 0 rules, 0 cond rules
Binary policy module file loaded.
Module name: cdrecord
Module version: 2.6.0


Select a command:
1)  display unconditional AVTAB
2)  display conditional AVTAB
3)  display users
4)  display bools
5)  display roles
6)  display types, attributes, and aliases
7)  display role transitions
8)  display role allows
9)  Display policycon
0)  Display initial SIDs

a)  Display avrule requirements
b)  Display avrule declarations
c)  Display policy capabilities
l)  Link in a module
u)  Display the unknown handling setting
F)  Display filename_trans rules

f)  set output file
m)  display menu
q)  quit

Command ('m' for menu):  6
...
 staff_cdrecord_t [1]: alias for type cdrecord_t flags:0
...

Let's say that staff_cdrecord_t was the one that interested us. Hurray!

Now just query which package provides it:

# rpm -qf /etc/selinux/targeted/modules/active/modules/cdrecord.pp
selinux-policy-targeted-3.13.1-105.20.fc21.noarch

So the only question is which file from /etc/selinux/targeted/modules/active/modules/ to query. Well, you either have to go one by one (unless somebody knows some way that is scriptable) or you have to use common sense. When I look for staff_cdrecord_t, I would start with cdrecord.pp.

Upvotes: 1
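
The one-by-one search described in the answer can be scripted. The following is an added example, not part of the original answer: it assumes sedismod reads its menu choices from standard input and that every entry in its type listing has the "NAME [n]:" shape shown above; the function names are hypothetical. A hit means the name appears in that module's type listing, so treat each result as a candidate to confirm.

```shell
#!/bin/sh
# Added example: find which policy module lists an SELinux type, then ask rpm who owns it.
# Assumes sedismod (checkpolicy package), bzcat and rpm are installed; run as root.

# Module directory used in the answer above; override MODDIR for other policy stores.
MODDIR=${MODDIR:-/etc/selinux/targeted/modules/active/modules}

# Read a sedismod "display types" listing on stdin; succeed if TYPE is a listed name.
# Assumption: every entry looks like the line shown in the answer, " NAME [n]: ...".
listing_has_type() {
    awk -v t="$1" '$1 == t && $2 ~ /^\[[0-9]+\]:$/ { found = 1 } END { exit !found }'
}

# Decompress one .pp file and drive sedismod's menu non-interactively (6, then q).
module_type_listing() {
    tmp=$(mktemp) || return 1
    bzcat "$1" > "$tmp" 2>/dev/null && printf '6\nq\n' | sedismod "$tmp" 2>/dev/null
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Print "module<TAB>owning package" for every module whose listing contains TYPE.
find_type_owner() {
    status=1
    for pp in "$MODDIR"/*.pp; do
        [ -f "$pp" ] || continue
        if module_type_listing "$pp" | listing_has_type "$1"; then
            printf '%s\t%s\n' "$pp" "$(rpm -qf "$pp")"
            status=0
        fi
    done
    return "$status"
}

# Usage: sh find-type-owner.sh unconfined_service_t
[ "$#" -eq 0 ] || find_type_owner "$@"
```

The script exits non-zero when no module lists the type, which makes it usable as a check in a package build.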
