Open
Description
We need a way to opt out of the SELinux module additions, because recent versions of the selinux-policy
package come with the relevant fixes and booleans and may eventually supersede all the SELinux tweaks in the role. See [0].
The most robust way (that I know of) to detect the presence of the relevant SELinux permissions requires installing the setools-console
package and using sesearch:
> sesearch -A -s keepalived_t -t keepalived_t -c icmp_socket
allow keepalived_t keepalived_t:icmp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
A good, though indirect, way to detect it is to check for a minimum selinux-policy
package version:
> dnf info --installed selinux-policy
Installed Packages
Name : selinux-policy
Version : 3.14.3
Release : 104.el8
...
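As an added example (not code from the issue or from the role) covering both detection paths above, the following POSIX shell sketch parses the sesearch output for a required permission set and, as the fallback, compares the installed selinux-policy version-release against a minimum. The permission list and the minimum version/release are assumptions, not values from the issue.

```shell
#!/bin/sh
# Added example (not code from the issue or the role): decide whether the role
# can skip its own SELinux module because the installed selinux-policy already
# grants keepalived_t the icmp_socket permissions. Both checks from the issue:
# (1) parse `sesearch -A` output, (2) compare the selinux-policy version.
# The permission list and the minimum version/release are assumed values.
REQUIRED_PERMS="bind connect create read write"
MIN_POLICY_VERSION=3.14.3
MIN_POLICY_RELEASE=104

# perms_granted SESEARCH_OUTPUT: succeeds if the allow rule for
# keepalived_t keepalived_t:icmp_socket lists every permission in REQUIRED_PERMS.
perms_granted() {
    granted=$(printf '%s\n' "$1" |
        sed -n 's/^allow keepalived_t keepalived_t:icmp_socket { \(.*\) };.*/\1/p')
    [ -n "$granted" ] || return 1
    for p in $REQUIRED_PERMS; do
        case " $granted " in
            *" $p "*) ;;
            *) return 1 ;;   # a needed permission is missing
        esac
    done
}

# vercmp A B: prints -1, 0 or 1 comparing dotted numeric versions field by
# field, so release 99 sorts before 104 (a string comparison gets that wrong).
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && { echo 1; return; }
        [ "${x:-0}" -lt "${y:-0}" ] && { echo -1; return; }
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo 0
}

# policy_new_enough VERSION RELEASE (e.g. 3.14.3 104.el8): succeeds if the
# package is at least MIN_POLICY_VERSION-MIN_POLICY_RELEASE.
policy_new_enough() {
    rel=${2%%.*}                            # drop the dist tag: 104.el8 -> 104
    case $(vercmp "$1" "$MIN_POLICY_VERSION") in 1) return 0 ;; -1) return 1 ;; esac
    [ "$(vercmp "$rel" "$MIN_POLICY_RELEASE")" -ge 0 ]
}

# On a real host (not run here) either check passing means the tweaks can be skipped:
# perms_granted "$(sesearch -A -s keepalived_t -t keepalived_t -c icmp_socket)" ||
#   policy_new_enough $(rpm -q --qf '%{VERSION} %{RELEASE}' selinux-policy)
```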