Disable SELinux on a policy type subpackage uninstall

When selinux-policy is uninstalled, SELinux is changed to permissive and /etc/selinux/config is updated to disable SELinux. But it doesn't apply when selinux-policy-{targeted,mls,minimum} are uninstalled. With this change when one of the policy subpackages is uninstalled and the current policy type is same as the uninstalled policy, SELinux is switched to permissive and disabled in config file as well. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1498569
2017-10-08 21:33:17 +02:00 · 2017-10-08 21:33:17 +02:00 · 7f40329c8b
parent 918bddec38
commit 7f40329c8b
1 changed files with 43 additions and 0 deletions
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -510,6 +510,21 @@ SELinux Reference policy targeted base module.
 %postInstall $1 targeted
 exit 0

+%postun targeted
+if [ $1 = 0 ]; then
+    source /etc/selinux/config
+    if [ "$SELINUXTYPE" = "targeted" ]; then
+        setenforce 0 2> /dev/null
+        if [ ! -s /etc/selinux/config ]; then
+            echo "SELINUX=disabled" > /etc/selinux/config
+        else
+            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
+        fi
+    fi
+fi
+exit 0
+
+
 %triggerin -- pcre
 selinuxenabled && semodule -nB
 exit 0
@ -600,6 +615,20 @@ done
 fi
 exit 0

+%postun minimum
+if [ $1 = 0 ]; then
+    source /etc/selinux/config
+    if [ "$SELINUXTYPE" = "minimum" ]; then
+        setenforce 0 2> /dev/null
+        if [ ! -s /etc/selinux/config ]; then
+            echo "SELINUX=disabled" > /etc/selinux/config
+        else
+            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
+        fi
+    fi
+fi
+exit 0
+
 %triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
 if [ `ls -A /var/lib/selinux/minimum/active/modules/disabled/` ]; then
    rm -f /var/lib/selinux/minimum/active/modules/disabled/*
@ -652,6 +681,20 @@ SELinux Reference policy mls base module.
 %postInstall $1 mls
 exit 0

+%postun mls
+if [ $1 = 0 ]; then
+    source /etc/selinux/config
+    if [ "$SELINUXTYPE" = "mls" ]; then
+        setenforce 0 2> /dev/null
+        if [ ! -s /etc/selinux/config ]; then
+            echo "SELINUX=disabled" > /etc/selinux/config
+        else
+            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
+        fi
+    fi
+fi
+exit 0
+
 %triggerpostun mls -- selinux-policy-mls < 3.13.1-138
 CR=$'\n'
 INPUT=""