On February 3, 2012 09:41:07 Paul Howarth wrote:
You could actually include pre-built modules with the necessary policy in your packages, e.g. as described in:
http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
didn't notice that document before - thanks for the reference.
So if package A and package B both have policy allowing something (rather than messing with a boolean), removing one of those packages and its policy module will still leave the other's policy module present and hence it will still be able to do what it needed to do.
In other words - I did suspect that modules is the closest thing that complies with the above (aside from meta-packages that only have %post sections populated with "semanage" statements)