Suppress semodule's stderr

Since libsemanage commit d96f27bf7cb91 ("libsemanage: Preserve file context
and ownership in policy store"), libsemanage tries to preserve file
contexts during SELinux policy rebuild. If the underlying fs does not
support an operation it uses, it prints warnings on stderr. Given that
these are not fatal errors, it's reasonable to suppress them.

Fixes:

    $ podman run --pull=newer --rm -ti quay.io/fedora/fedora:rawhide
    [root@3a1e072c5559 /]# dnf4 install selinux-policy-targeted
    ...
    Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/cil:  Operation not supported
    Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/hll:  Operation not supported
    Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/lang_ext:  Operation not supported
    ...
    Could not set context for /etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin:  Operation not supported
    Could not set context for /etc/selinux/targeted/policy/policy.33:  Operation not supported
    Could not set context for /etc/selinux/targeted/seusers:  Operation not supported

[skip changelog]

Resolves: RHEL-59192
Petr Lautrbach 2024-10-09 12:17:01 +02:00
parent 52526cb202
commit 0c8f629e44


@ -111,7 +111,7 @@ SELinux sandbox policy for use with the sandbox utility.
%post sandbox
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp
%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp 2> /dev/null
if %{_sbindir}/selinuxenabled ; then
%{_sbindir}/load_policy
fi;
@ -303,7 +303,7 @@ fi;
if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
for MOD_NAME in ganesha ipa_custodia kdbus; do \
if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \
%{_sbindir}/semodule -n -d $MOD_NAME; \
%{_sbindir}/semodule -n -d $MOD_NAME 2> /dev/null; \
fi; \
done; \
. %{_sysconfdir}/selinux/config; \
@ -329,7 +329,7 @@ fi; \
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
rm %{_sysconfdir}/selinux/%2/.rebuild; \
fi; \
%{_sbindir}/semodule -B -n -s %2; \
%{_sbindir}/semodule -B -n -s %2 2> /dev/null; \
[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \
if [ %1 -eq 1 ]; then \
%{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
@ -624,7 +624,7 @@ exit 0
%triggerin -- pcre2
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB 2> /dev/null
exit 0
%triggerprein -- container-selinux
@ -725,7 +725,7 @@ login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
__eof
%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null
%{_sbindir}/semodule -B -s minimum
%{_sbindir}/semodule -B -s minimum 2> /dev/null
else
instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
for p in $contribpackages; do
@ -734,7 +734,7 @@ done
for p in $instpackages apache dbus inetd kerberos mta nis; do
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
%{_sbindir}/semodule -B -s minimum
%{_sbindir}/semodule -B -s minimum 2> /dev/null
%relabel minimum
fi
exit 0
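Review bot: The added `2> /dev/null` on each semodule call discards all of stderr, not only the benign "Could not set context ... Operation not supported" warnings, so a genuine policy install or rebuild failure now leaves no diagnostic in the transaction output. In the visible lines none of these calls has its exit status checked (the macro line `%{_sbindir}/semodule -B -n -s %2 2> /dev/null; \` simply continues, and the pcre2 trigger ends in `exit 0`), so a host could be left with a stale or incomplete policy without anyone noticing. Consider keeping stderr when the command fails, e.g. `err=$(%{_sbindir}/semodule -B -n -s %2 2>&1 >/dev/null) || echo "$err" >&2; \`, and applying the same pattern to the `-i sandbox.pp`, `-d $MOD_NAME`, `-nB` and `-B -s minimum` calls. The enclosing scriptlets and macros start and end outside the hunks shown, so any status handling further down is not visible here.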