From 69200e5a7d3d5982b3a29a4dfee12107efc832e4 Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Thu, 25 Jun 2020 15:38:26 -0700
Subject: [PATCH] scriptlets: always existence-check /etc/selinux/config
This does not work as expected with `/bin/sh` if the file does not exist: . %{_sysconfdir}/selinux/config &> /dev/null || true; when run with `/bin/sh` (as opposed to `/bin/bash`) it exits 1 if the file does not exist. It exits 0 if the file exists but there is an error parsing it. When run with `/bin/bash` it exits 0 in both cases as expected, but RPM scriptlets are run with sh. To avoid this problem, we must always explicitly do an existence check on the file before attempting to source it.
Signed-off-by: Adam Williamson
---
 selinux-policy.spec | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e472cead..6ab12679 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -268,7 +268,9 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %nil
 %define relabel() \
-. %{_sysconfdir}/selinux/config &> /dev/null || true; \
+if [ -s %{_sysconfdir}/selinux/config ]; then \
+ . %{_sysconfdir}/selinux/config &> /dev/null || true; \
+fi; \
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
 %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
@@ -302,7 +304,9 @@ if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
 fi;
 %define postInstall() \
-. %{_sysconfdir}/selinux/config &> /dev/null || true; \
+if [ -s %{_sysconfdir}/selinux/config ]; then \
+ . %{_sysconfdir}/selinux/config &> /dev/null || true; \
+fi; \
 if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
 rm %{_sysconfdir}/selinux/%2/.rebuild; \
 %{_sbindir}/semodule -B -n -s %2; \
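Review bot: `SELINUXTYPE` is not initialised before the guarded source in `relabel()`, so when the config file is missing or empty the later test `[ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]` compares against whatever value the scriptlet inherited from its environment. The three `%postun` hunks (targeted, minimum, mls) have the same gap, and there a matching inherited value leads to `setenforce 0`. Clearing the variable first makes the absent-file path deterministic: `SELINUXTYPE=; \` ahead of the `if [ -s ... ]` line in the macros and a plain `SELINUXTYPE=` in the `%postun` bodies. The macro body continues past the end of the hunk.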
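Review bot: The `&> /dev/null` kept on the sourced line in `postInstall()` (and in `relabel()`) is a bash redirection, which sits oddly with a commit whose stated goal is correct behaviour under `sh`. A strictly POSIX `/bin/sh` reads `cmd &> file` as `cmd &` followed by `> file`, so the config would be sourced in a background subshell and its variables would never reach the scriptlet. This does not bite where `/bin/sh` is bash, but the portable spelling costs nothing: `. %{_sysconfdir}/selinux/config > /dev/null 2>&1 || true; \`. The macro body continues past the end of the hunk.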
@@ -556,7 +560,9 @@ exit 0
 %postun targeted
 if [ $1 = 0 ]; then
- source %{_sysconfdir}/selinux/config &> /dev/null || true
+ if [ -s %{_sysconfdir}/selinux/config ]; then
+ source %{_sysconfdir}/selinux/config &> /dev/null || true
+ fi
 if [ "$SELINUXTYPE" = "targeted" ]; then
 %{_sbindir}/setenforce 0 2> /dev/null
 if [ ! -s %{_sysconfdir}/selinux/config ]; then
@@ -666,7 +672,9 @@ exit 0
 %postun minimum
 if [ $1 = 0 ]; then
- source %{_sysconfdir}/selinux/config &> /dev/null || true
+ if [ -s %{_sysconfdir}/selinux/config ]; then
+ source %{_sysconfdir}/selinux/config &> /dev/null || true
+ fi
 if [ "$SELINUXTYPE" = "minimum" ]; then
 %{_sbindir}/setenforce 0 2> /dev/null
 if [ ! -s %{_sysconfdir}/selinux/config ]; then
@@ -737,7 +745,9 @@ exit 0
 %postun mls
 if [ $1 = 0 ]; then
- source %{_sysconfdir}/selinux/config &> /dev/null || true;
+ if [ -s %{_sysconfdir}/selinux/config ]; then
+ source %{_sysconfdir}/selinux/config &> /dev/null || true
+ fi
 if [ "$SELINUXTYPE" = "mls" ]; then
 %{_sbindir}/setenforce 0 2> /dev/null
 if [ ! -s %{_sysconfdir}/selinux/config ]; then
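Review bot: The guarded line in `%postun targeted` still loads the file with `source`, a bash extension, while the `relabel()` and `postInstall()` macros in the same patch use the portable `.`. The `%postun minimum` and `%postun mls` hunks carry the same line. Since the commit message says scriptlets run under `sh`, all three would be more consistent as `. %{_sysconfdir}/selinux/config > /dev/null 2>&1 || true`. Each `%postun` body continues beyond its hunk.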