commit e4523aa66ad9e3381086f2ba8c0e07cfa3661e51 Author: Nathan Scott Date: Fri Apr 30 11:25:56 2021 +1000 selinux: fix detection of lockdown policy class Resolves Fedora BZ #1929259 diff --git a/configure b/configure index 12fe8cde5..e6885234a 100755 --- a/configure +++ b/configure @@ -732,6 +732,7 @@ pcp_selinux_chkpwd_exec pcp_selinux_security pcp_selinux_sudo_exec pcp_selinux_initrc_tmp +pcp_selinux_lockdown_class pcp_selinux_icmp_socket_class pcp_selinux_cap2_syslog pcp_selinux_sbd_exec @@ -11970,6 +11971,10 @@ if test "x$enable_selinux" != "xfalse"; then : | egrep '^[ ][ ]*(class |)icmp_socket$' >/dev/null \ && pcp_selinux_icmp_socket_class=true + seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \ + | egrep '^[ ][ ]*(class |)lockdown$' >/dev/null \ + && pcp_selinux_lockdown_class=true + seinfo -x --class=netlink_selinux_socket $seinfo_common_flag 2>/dev/null \ | egrep '^[ ][ ]*(class |)netlink_selinux_socket$' >/dev/null \ @@ -11987,10 +11992,6 @@ if test "x$enable_selinux" != "xfalse"; then : | egrep '^[ ][ ]*(class |)security$' >/dev/null \ && pcp_selinux_security_class=true - seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \ - | egrep '^[ ][ ]*(class |)lockdown$' >/dev/null \ - && pcp_selinux_lockdown_class=true - seinfo -x --class=dir $seinfo_common_flag 2>/dev/null \ | egrep '^[ ][ ]*(class |)dir$' >/dev/null \ && pcp_selinux_dir_class=true @@ -12046,6 +12047,7 @@ fi + pcp_selinux_files_mmap_all_files=false diff --git a/configure.ac b/configure.ac index aa08ea18f..dcd60b67d 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2132,6 +2132,10 @@ AS_IF([test "x$enable_selinux" != "xfalse"], [
 | egrep '^[[ ]][[ ]]*(class |)icmp_socket$' >/dev/null \
 && pcp_selinux_icmp_socket_class=true
+ seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \
+ | egrep '^[[ ]][[ ]]*(class |)lockdown$' >/dev/null \
+ && pcp_selinux_lockdown_class=true
+
 dnl these ones are for pcpqa.te
 seinfo -x --class=netlink_selinux_socket $seinfo_common_flag 2>/dev/null \
@@ -2150,10 +2154,6 @@ AS_IF([test "x$enable_selinux" != "xfalse"], [
 | egrep '^[[ ]][[ ]]*(class |)security$' >/dev/null \
 && pcp_selinux_security_class=true
- seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \
- | egrep '^[[ ]][[ ]]*(class |)lockdown$' >/dev/null \
- && pcp_selinux_lockdown_class=true
-
 dnl pcp_selinux_dir already used for something else, so name to
 dnl set is pcp_selinux_dir_class
 seinfo -x --class=dir $seinfo_common_flag 2>/dev/null \
@@ -2192,6 +2192,7 @@ AC_SUBST(pcp_selinux_proc_security)
 AC_SUBST(pcp_selinux_sbd_exec)
 AC_SUBST(pcp_selinux_cap2_syslog)
 AC_SUBST(pcp_selinux_icmp_socket_class)
+AC_SUBST(pcp_selinux_lockdown_class)
 dnl for pcpqa.te
 AC_SUBST(pcp_selinux_initrc_tmp)
diff --git a/src/include/builddefs.in b/src/include/builddefs.in
index 93038f446..126fab4d3 100644
--- a/src/include/builddefs.in
+++ b/src/include/builddefs.in
@@ -282,7 +282,6 @@ PCP_SELINUX_SBD_EXEC = @pcp_selinux_sbd_exec@
 PCP_SELINUX_FILES_MMAP_ALL_FILES = @pcp_selinux_files_mmap_all_files@
 PCP_SELINUX_CAP2_SYSLOG = @pcp_selinux_cap2_syslog@
 PCP_SELINUX_ICMP_SOCKET_CLASS = @pcp_selinux_icmp_socket_class@
-PCP_SELINUX_LOCKDOWN = @pcp_selinux_lockdown@
 PCP_SELINUX_LOCKDOWN_CLASS = @pcp_selinux_lockdown_class@
 # pcpqa.te
 PCP_SELINUX_INITRC_TMP = @pcp_selinux_initrc_tmp@
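Review bot: In the first configure.ac hunk (`@@ -2132,6 +2132,10 @@`) the new lockdown probe fails silently: `2>/dev/null` hides any `seinfo` error and the `&&` chain only ever assigns `true`, so a missing or failing `seinfo` looks the same as a policy without the `lockdown` class, and no `pcp_selinux_lockdown_class=false` default is visible here (the `AS_IF` body starts outside the hunk, so it may be set earlier). The likely result is a policy module built without its lockdown rules, which would show up only later as AVC denials rather than at configure time. I would set `pcp_selinux_lockdown_class=false` just before the probe and bracket it with `AC_MSG_CHECKING([for SELinux lockdown class])` and `AC_MSG_RESULT([$pcp_selinux_lockdown_class])` so the outcome lands in config.log. A one-line `dnl` above the probe saying why it sits ahead of the `dnl these ones are for pcpqa.te` marker would also keep it from drifting back into the QA-only group.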