Stop enabling selinux booleans on every upgrade

SELinux booleans system pushes enablement into a stack. It saves previous values and restores them on removal. But the default for boolean named_write_master_zones has changed to true. Update it just single time on upgrade from previous bind versions. Then rely on previous version being a permanent value.
2022-06-23 16:54:49 +02:00 · 2022-06-23 16:54:49 +02:00 · 55526b37a7
commit 55526b37a7
parent 8a47aa2c75
1 changed files with 14 additions and 12 deletions
--- a/bind.spec
+++ b/bind.spec
@ -109,10 +109,6 @@ Requires(post): shadow-utils
 Requires(post): glibc-common
 Requires(post): grep
 Requires:       %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
-# This wild require should satisfy %%selinux_set_boolean macro only
-# in case it needs to be used
-Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls))
-Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls))
 Recommends:     %{name}-utils %{name}-dnssec-utils
 %upname_compat %{upname}

@ -739,10 +735,6 @@ fi;

 %post
 %?ldconfig
-if [ -e "%{_sysconfdir}/selinux/config" ]; then
-  %selinux_set_booleans -s targeted %{selinuxbooleans}
-  %selinux_set_booleans -s mls %{selinuxbooleans}
-fi
 if [ "$1" -eq 1 ]; then
  # Initial installation
  [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
@ -776,10 +768,6 @@ fi
 %?ldconfig
 # Package upgrade, not uninstall
 %systemd_postun_with_restart named.service
-if [ -e "%{_sysconfdir}/selinux/config" ]; then
-  %selinux_unset_booleans -s targeted %{selinuxbooleans}
-  %selinux_unset_booleans -s mls %{selinuxbooleans}
-fi

 %if %{with PKCS11}
 %post pkcs11
@ -811,6 +799,17 @@ fi
 /sbin/chkconfig --del named >/dev/null 2>&1 || :
 /bin/systemctl try-restart named.service >/dev/null 2>&1 || :

+%triggerpostun -- bind < 32:9.18.4-2, selinux-policy, policycoreutils
+if [ -x %{_sbindir}/selinuxenabled ] && [ -x %{_sbindir}/getsebool ] && [ -x %{_sbindir}/setsebool ] \
+   && %{_sbindir}/selinuxenabled && [ -x %{_sbindir}/named ]; then
+  # Return master zones after upgrade from selinux_booleans version
+  WRITEBOOL="$(LC_ALL=C %{_sbindir}/getsebool named_write_master_zones)"
+  if [ "echo ${WRITEBOOL#named_write_master_zones --> }" = "off" ]; then
+    echo "Restoring new sebool default of named_write_master_zones..."
+    %{_sbindir}/setsebool -P named_write_master_zones=1 || :
+  fi
+fi
+
 %ldconfig_scriptlets libs

 %if %{with PKCS11}
@ -1069,6 +1068,9 @@ fi;
 %endif

 %changelog
+* Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-2
+- Stop enabling selinux booleans on every upgrade
+
 * Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-1
 - Update to 9.18.4 (#2057493)