From 7f40329c8b9086299622cc301aaee7dc2fffe897 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Sun, 8 Oct 2017 21:33:17 +0200 Subject: [PATCH] Disable SELinux on a policy type subpackage uninstall When selinux-policy is uninstalled, SELinux is changed to permissive and /etc/selinux/config is updated to disable SELinux. But it doesn't apply when selinux-policy-{targeted,mls,minimum} are uninstalled. With this change when one of the policy subpackages is uninstalled and the current policy type is same as the uninstalled policy, SELinux is switched to permissive and disabled in config file as well. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1498569
---
selinux-policy.spec | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0c792e1e..50b27e65 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -510,6 +510,21 @@ SELinux Reference policy targeted base module.
 %postInstall $1 targeted
 exit 0
 
+%postun targeted
+if [ $1 = 0 ]; then
+ source /etc/selinux/config
+ if [ "$SELINUXTYPE" = "targeted" ]; then
+ setenforce 0 2> /dev/null
+ if [ ! -s /etc/selinux/config ]; then
+ echo "SELINUX=disabled" > /etc/selinux/config
+ else
+ sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
+ fi
+ fi
+fi
+exit 0
+
+
 %triggerin -- pcre
 selinuxenabled && semodule -nB
 exit 0
@@ -600,6 +615,20 @@ done
 fi
 exit 0
 
+%postun minimum
+if [ $1 = 0 ]; then
+ source /etc/selinux/config
+ if [ "$SELINUXTYPE" = "minimum" ]; then
+ setenforce 0 2> /dev/null
+ if [ ! -s /etc/selinux/config ]; then
+ echo "SELINUX=disabled" > /etc/selinux/config
+ else
+ sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
+ fi
+ fi
+fi
+exit 0
+
 %triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
 if [ `ls -A /var/lib/selinux/minimum/active/modules/disabled/` ]; then
 rm -f /var/lib/selinux/minimum/active/modules/disabled/*
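Review bot: In the `%postun targeted` scriptlet, `source /etc/selinux/config` executes the whole config file as shell during uninstall just to read one key, so any stray or malformed line in it runs as a command or aborts the scriptlet. The `[ ! -s /etc/selinux/config ]` branch below it also looks unreachable: when the file is missing or empty, `SELINUXTYPE` is never set and the outer comparison fails (unless the variable happens to be inherited from the environment). The same lines are repeated in the `%postun minimum` and `%postun mls` hunks. Reading the key without executing the file avoids the first problem, for example `SELINUXTYPE=$(sed -n 's/^SELINUXTYPE=//p' /etc/selinux/config 2>/dev/null)`, and the empty-file case then needs its own decision about whether to write `SELINUX=disabled`. Quoting the argument as `[ "$1" = 0 ]` would keep the test well-formed if it is ever empty.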
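Review bot: In `%postun minimum`, `sed -i 's/^SELINUX=.*/SELINUX=disabled/g'` changes nothing when the non-empty config has no line starting with `SELINUX=` (for instance only a commented-out one), so the scriptlet can exit 0 without having persisted the disabled state even though `setenforce 0` has already run. The `targeted` and `mls` hunks carry the same line. Checking the result afterwards, e.g. `grep -q '^SELINUX=disabled$' /etc/selinux/config`, and warning or appending the line when it is absent would make the outcome certain; the `g` flag is redundant on an anchored pattern. Because this persistently turns off a security control, a one-line message on stderr saying so would help an administrator notice it, assuming scriptlet output is surfaced by the package manager.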
@@ -652,6 +681,20 @@ SELinux Reference policy mls base module.
 %postInstall $1 mls
 exit 0
 
+%postun mls
+if [ $1 = 0 ]; then
+ source /etc/selinux/config
+ if [ "$SELINUXTYPE" = "mls" ]; then
+ setenforce 0 2> /dev/null
+ if [ ! -s /etc/selinux/config ]; then
+ echo "SELINUX=disabled" > /etc/selinux/config
+ else
+ sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
+ fi
+ fi
+fi
+exit 0
+
 %triggerpostun mls -- selinux-policy-mls < 3.13.1-138
 CR=$'\n'
 INPUT=""
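Review bot: The `%postun mls` body is a third copy of the block added for `targeted` and `minimum`, differing only in the policy name compared against `$SELINUXTYPE`. The spec already calls a parameterised helper in the line above (`%postInstall $1 mls`), so one macro taking `$1` and the policy type would keep the three scriptlets from drifting apart the next time the disable logic changes. A short comment at the top of the block, such as `# package fully erased: if this was the active policy type, stop enforcing and persist SELINUX=disabled`, would also record why `$1 = 0` is tested.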