Update 'mariadb-server-galera' SELinux policy packaging

https://fedoraproject.org/wiki/SELinux/IndependentPolicy
2023-09-18 12:27:10 +02:00 · 2023-09-18 12:27:10 +02:00 · 032692271d
commit 032692271d
parent 607eb71d53
1 changed files with 27 additions and 15 deletions
--- a/mariadb.spec
+++ b/mariadb.spec
@ -397,8 +397,10 @@ Summary:          The configuration files and scripts for galera replication
 Requires:         %{name}-common%{?_isa} = %{sameevr}
 Requires:         %{name}-server%{?_isa} = %{sameevr}
 Requires:         galera >= 26.4.3
-Requires(post):   libselinux-utils
+BuildRequires:    selinux-policy-devel
-Requires(post):   policycoreutils-python-utils
+Requires(post):   (libselinux-utils if selinux-policy-targeted)
 Requires(post):   (policycoreutils if selinux-policy-targeted)
 Requires(post):   (policycoreutils-python-utils if selinux-policy-targeted)
 # wsrep requirements
 Requires:         lsof
 # Default wsrep_sst_method
@ -991,7 +993,7 @@ echo "d %{pidfiledir} 0755 mysql mysql -" >>%{buildroot}%{_tmpfilesdir}/%{name}.
 # install additional galera selinux policy
 %if %{with galera}
-install -p -m 644 -D selinux/%{name}-server-galera.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/%{name}-server-galera.pp
+install -p -m 644 -D selinux/%{name}-server-galera.pp %{buildroot}%{_datadir}/selinux/packages/targeted/%{name}-server-galera.pp
 %endif
 # Install additional cracklib selinux policy
@ -1291,21 +1293,31 @@ export MTR_BUILD_THREAD=$(( $(date +%s) % 1100 ))
 %if %{with galera}
 %post server-galera
-# Allow ports needed for the replication:
+%selinux_modules_install -s "targeted" %{_datadir}/selinux/packages/targeted/%{name}-server-galera.pp
 # https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports
 #   Galera Replication Port
 semanage port -a -t mysqld_port_t -p tcp 4567 >/dev/null 2>&1 || :
 semanage port -a -t mysqld_port_t -p udp 4567 >/dev/null 2>&1 || :
 #   IST Port
 semanage port -a -t mysqld_port_t -p tcp 4568 >/dev/null 2>&1 || :
 #   SST Port
 semanage port -a -t mysqld_port_t -p tcp 4444 >/dev/null 2>&1 || :
-semodule -i %{_datadir}/selinux/packages/%{name}/%{name}-server-galera.pp >/dev/null 2>&1 || :
+# Allow ports needed for the replication:
 # https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Port_Labeling
 if [ $1 -eq 1 ]; then
  # https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports
  #   Galera Replication Port
  semanage port -a -t mysqld_port_t -p tcp 4567 >/dev/null 2>&1 || :
  semanage port -a -t mysqld_port_t -p udp 4567 >/dev/null 2>&1 || :
  #   IST Port
  semanage port -a -t mysqld_port_t -p tcp 4568 >/dev/null 2>&1 || :
  #   SST Port
  semanage port -a -t mysqld_port_t -p tcp 4444 >/dev/null 2>&1 || :
 fi
 %postun server-galera
 if [ $1 -eq 0 ]; then
-    semodule -r %{name}-server-galera 2>/dev/null || :
+    %selinux_modules_uninstall -s "targeted" %{name}-server-galera
    # Delete port labeling when the package is removed
    # https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Port_Labeling
    semanage port -d -t mysqld_port_t -p tcp 4567 >/dev/null 2>&1 || :
    semanage port -d -t mysqld_port_t -p udp 4567 >/dev/null 2>&1 || :
    semanage port -d -t mysqld_port_t -p tcp 4568 >/dev/null 2>&1 || :
    semanage port -d -t mysqld_port_t -p tcp 4444 >/dev/null 2>&1 || :
 fi
 %endif
@ -1402,7 +1414,7 @@ fi
 %{_bindir}/galera_recovery
 %config(noreplace) %{_sysconfdir}/my.cnf.d/galera.cnf
 %attr(0640,root,root) %ghost %config(noreplace) %{_sysconfdir}/sysconfig/clustercheck
-%{_datadir}/selinux/packages/%{name}/%{name}-server-galera.pp
+%{_datadir}/selinux/packages/targeted/%{name}-server-galera.pp
 %endif
 %files server