During the discussions around bug 2080966, creating sub-packages to separate the policies for the various components came up. This would improve security as rules will only get installed/enabled on the nodes where they are needed.

The first step would be to create the package infrastructure to support this and do it for something simple, probably an openstack-selinux-octavia sub-package that enables the new boolean created in bug 2080966.

This is what this bugzilla is about.

(Once that is done, we can create further bzs for the following steps, such as moving the rest of the policies (pp file) to the new sub-package then doing the same for other components, but this will require careful testing as some rules are likely being relied on beyond the scope of each component (e.g. removing a boolean broke both glance and galera in the past, bug 1676446 bug 1722923).)

In addition to the sub-packages, utilities should be created to detect/manage chroot environment so that only one script gets called from each sub-rpm, with booleans enabled in %post. If it's a chroot, do not reload the policy. This can probably be done by reusing and/or breaking down what has been done in local_settings.sh.