<?xml version="1.0" encoding="UTF-8"?>
<hash>
  <event-id type="integer">2009</event-id>
  <updated-at>09/03/2009</updated-at>
  <biography nil="true"></biography>
  <title>SELinux policy within package managers, why policy is special</title>
  <submitted-at>06/15/2009</submitted-at>
  <website nil="true"></website>
  <id type="integer">58</id>
  <description>SELinux policy is currently treated as if it were another application. In most distributions, it is a single package that exists on its own as if it did not relate to the software to which it applies. Consequently, there is no way to ensure that policy matches installed applications. Further, any maintenance of policy must be performed manually via post install scripts, which is both tedious and error-prone. It is also very difficult to ensure that policy and the applications it confines are installed in the proper order, meaning that applications can be labeled improperly for a window of time.

We propose solving this by having package managers treat policy as metadata rather than as an application. This metadata can live in the package of the application it applies to, or in system packages for broader policy. This solution alleviates the pain of manually maintaining policy in scripts by giving the package manager enough information to manage policy automatically. Because policy is metadata, it can be installed at the appropriate point in the transaction, avoiding ordering issues. As a side benefit, all policy module installations can be combined into a single step during a package manager transaction, reducing the performance hit otherwise incurred when policy is split across multiple packages.
</description>
  <presenter nil="true"></presenter>
  <user-id nil="true"></user-id>
  <affiliation nil="true"></affiliation>
  <created-at>06/15/2009</created-at>
</hash>
