rpms/bind
7
0
Fork 1
Code Issues Pull Requests Releases Activity

Stop enabling selinux booleans on every upgrade

Browse Source 
SELinux booleans system pushes enablement into a stack. It saves
previous values and restores them on removal. But the default for
boolean named_write_master_zones has changed to true. Update it just
single time on upgrade from previous bind versions. Then rely on
previous version being a permanent value.
This commit is contained in:
Petr Menšík 2022-06-23 16:54:49 +02:00
parent 8a47aa2c75
commit 55526b37a7
1 changed files with 14 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
bind.spec
View File

@ -109,10 +109,6 @@ Requires(post): shadow-utils
Requires(post): glibc-common Requires(post): glibc-common
Requires(post): grep Requires(post): grep
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
# This wild require should satisfy %%selinux_set_boolean macro only
# in case it needs to be used
Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls))
Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls))
Recommends: %{name}-utils %{name}-dnssec-utils Recommends: %{name}-utils %{name}-dnssec-utils
%upname_compat %{upname} %upname_compat %{upname}
@ -739,10 +735,6 @@ fi;
%post %post
%?ldconfig %?ldconfig
if [ -e "%{_sysconfdir}/selinux/config" ]; then
%selinux_set_booleans -s targeted %{selinuxbooleans}
%selinux_set_booleans -s mls %{selinuxbooleans}
fi
if [ "$1" -eq 1 ]; then if [ "$1" -eq 1 ]; then
# Initial installation # Initial installation
[ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ; [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
@ -776,10 +768,6 @@ fi
%?ldconfig %?ldconfig
# Package upgrade, not uninstall # Package upgrade, not uninstall
%systemd_postun_with_restart named.service %systemd_postun_with_restart named.service
if [ -e "%{_sysconfdir}/selinux/config" ]; then
%selinux_unset_booleans -s targeted %{selinuxbooleans}
%selinux_unset_booleans -s mls %{selinuxbooleans}
fi
%if %{with PKCS11} %if %{with PKCS11}
%post pkcs11 %post pkcs11
@ -811,6 +799,17 @@ fi
/sbin/chkconfig --del named >/dev/null 2>&1 || : /sbin/chkconfig --del named >/dev/null 2>&1 || :
/bin/systemctl try-restart named.service >/dev/null 2>&1 || : /bin/systemctl try-restart named.service >/dev/null 2>&1 || :
%triggerpostun -- bind < 32:9.18.4-2, selinux-policy, policycoreutils
if [ -x %{_sbindir}/selinuxenabled ] && [ -x %{_sbindir}/getsebool ] && [ -x %{_sbindir}/setsebool ] \
&& %{_sbindir}/selinuxenabled && [ -x %{_sbindir}/named ]; then
# Return master zones after upgrade from selinux_booleans version
WRITEBOOL="$(LC_ALL=C %{_sbindir}/getsebool named_write_master_zones)"
if [ "echo ${WRITEBOOL#named_write_master_zones --> }" = "off" ]; then
echo "Restoring new sebool default of named_write_master_zones..."
%{_sbindir}/setsebool -P named_write_master_zones=1 || :
fi
fi
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%if %{with PKCS11} %if %{with PKCS11}
@ -1069,6 +1068,9 @@ fi;
%endif %endif
%changelog %changelog
* Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-2
- Stop enabling selinux booleans on every upgrade
* Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-1 * Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-1
- Update to 9.18.4 (#2057493) - Update to 9.18.4 (#2057493)