rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

scriptlets: always existence-check /etc/selinux/config

Browse Source 
This does not work as expected with `/bin/sh` if the file does
not exist:

. %{_sysconfdir}/selinux/config &> /dev/null || true;

when run with `/bin/sh` (as opposed to `/bin/bash`) it exits 1
if the file does not exist. It exits 0 if the file exists but
there is an error parsing it. When run with `/bin/bash` it exits
0 in both cases as expected, but RPM scriptlets are run with sh.

To avoid this problem, we must always explicitly do an existence
check on the file before attempting to source it.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
This commit is contained in:
Adam Williamson 2020-06-25 15:38:26 -07:00
parent 5cdd516855
commit 69200e5a7d
1 changed files with 15 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
selinux-policy.spec
View File

@ -268,7 +268,9 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%nil %nil
%define relabel() \ %define relabel() \
. %{_sysconfdir}/selinux/config &> /dev/null || true; \ if [ -s %{_sysconfdir}/selinux/config ]; then \
. %{_sysconfdir}/selinux/config &> /dev/null || true; \
fi; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
%{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \ %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
@ -302,7 +304,9 @@ if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
fi; fi;
%define postInstall() \ %define postInstall() \
. %{_sysconfdir}/selinux/config &> /dev/null || true; \ if [ -s %{_sysconfdir}/selinux/config ]; then \
. %{_sysconfdir}/selinux/config &> /dev/null || true; \
fi; \
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
rm %{_sysconfdir}/selinux/%2/.rebuild; \ rm %{_sysconfdir}/selinux/%2/.rebuild; \
%{_sbindir}/semodule -B -n -s %2; \ %{_sbindir}/semodule -B -n -s %2; \
@ -556,7 +560,9 @@ exit 0
%postun targeted %postun targeted
if [ $1 = 0 ]; then if [ $1 = 0 ]; then
source %{_sysconfdir}/selinux/config &> /dev/null || true if [ -s %{_sysconfdir}/selinux/config ]; then
source %{_sysconfdir}/selinux/config &> /dev/null || true
fi
if [ "$SELINUXTYPE" = "targeted" ]; then if [ "$SELINUXTYPE" = "targeted" ]; then
%{_sbindir}/setenforce 0 2> /dev/null %{_sbindir}/setenforce 0 2> /dev/null
if [ ! -s %{_sysconfdir}/selinux/config ]; then if [ ! -s %{_sysconfdir}/selinux/config ]; then
@ -666,7 +672,9 @@ exit 0
%postun minimum %postun minimum
if [ $1 = 0 ]; then if [ $1 = 0 ]; then
source %{_sysconfdir}/selinux/config &> /dev/null || true if [ -s %{_sysconfdir}/selinux/config ]; then
source %{_sysconfdir}/selinux/config &> /dev/null || true
fi
if [ "$SELINUXTYPE" = "minimum" ]; then if [ "$SELINUXTYPE" = "minimum" ]; then
%{_sbindir}/setenforce 0 2> /dev/null %{_sbindir}/setenforce 0 2> /dev/null
if [ ! -s %{_sysconfdir}/selinux/config ]; then if [ ! -s %{_sysconfdir}/selinux/config ]; then
@ -737,7 +745,9 @@ exit 0
%postun mls %postun mls
if [ $1 = 0 ]; then if [ $1 = 0 ]; then
source %{_sysconfdir}/selinux/config &> /dev/null || true; if [ -s %{_sysconfdir}/selinux/config ]; then
source %{_sysconfdir}/selinux/config &> /dev/null || true
fi
if [ "$SELINUXTYPE" = "mls" ]; then if [ "$SELINUXTYPE" = "mls" ]; then
%{_sbindir}/setenforce 0 2> /dev/null %{_sbindir}/setenforce 0 2> /dev/null
if [ ! -s %{_sysconfdir}/selinux/config ]; then if [ ! -s %{_sysconfdir}/selinux/config ]; then