Filter out EPEL related modules

Resolves: RHEL-73505

modules-filtered.lst

@@ -0,0 +1,67 @@
+aiccu
+amtu
+antivirus
+apcupsd
+arpwatch
+asterisk
+awstats
+bcfg2
+bitlbee
+boinc
+brctl
+cobbler
+collectd
+conman
+cpufreqselector
+cvs
+ddclient
+dnssec
+drbd
+entropyd
+exim
+fail2ban
+gdomap
+hddtemp
+ktls
+l2tp
+linuxptp
+lircd
+livecd
+lttng-tools
+mailman
+man2html
+milter
+minidlna
+mock
+mongodb
+mplayer
+munin
+nagios
+nsd
+nslcd
+ntp
+nut
+openct
+openfortivpn
+openvpn
+pdns
+pingd
+postgrey
+prelude
+privoxy
+prosody
+puppet
+pwauth
+rhev
+rkhunter
+rlogin
+rshd
+smokeping
+tcpd
+tcsd
+tlp
+tor
+vnstatd
+vpn
+zabbix
+zebra

selinux-policy.spec

@@ -32,6 +32,8 @@ Source3: macro-expander
 # Git repo: https://github.com/containers/container-selinux.git
 Source4: container-selinux.tgz
 
+# do not ship these modules
+Source15: modules-filtered.lst
 # modules enabled in -minimum policy
 Source16: modules-minimum.lst
 
@@ -321,9 +323,11 @@ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/m
 %define nonBaseModulesList() \
 modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \
 for i in $modules; do \
-    if [ $i != "sandbox" ];then \
+    if [ $i != "sandbox" ] && ! grep -E "^$i$" %{SOURCE15}; then \
         echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
-    fi; \
+    else \
+        rm -rf %{buildroot}%{_sharedstatedir}/selinux/{targeted,minimum,mls}/active/modules/100/$i \
+    fi \
 done;
 
 # Make sure the config is consistent with what packages are installed in the system
@@ -550,6 +554,7 @@ Obsoletes: cachefilesd-selinux <= 0.10-1
 Conflicts:  seedit
 Conflicts:  389-ds-base < 1.2.7, 389-admin < 1.1.12
 Conflicts: container-selinux < 2:1.12.1-22
+Recommends: (selinux-policy-epel-targeted if epel-release)
 
 %description targeted
 SELinux targeted policy package.