From dba350c6e03d8747a5524e59ff80cd6277ffa755 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Sun, 8 Oct 2017 20:52:07 +0200 Subject: [PATCH 1/2] Do not ship file_contexts.bin file selinux-policy is noarch but file_contexts.bin is not portable. As a result, on architectures with different endianness, this file is ignored and text file file_context is used instead. For more information see: https://janzarskyblog.wordpress.com/2017/09/06/why-we-dont-need-to-ship-file_contexts-bin-with-selinux-policy/ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1386180 --- selinux-policy.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0c792e1e..7d3be675 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -191,10 +191,10 @@ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/seli
 install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
 install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
 install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/file_contexts.homedirs.bin \
-sefcontext_compile -r -o %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
 cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
 rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
 /usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
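Review bot: The added `touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \` creates an empty placeholder, and nothing near it says this is deliberate, so an empty compiled-contexts file in the buildroot reads like a failed build step. A short comment above the enclosing macro definition (which starts and ends outside this hunk) would help, for example `# file_contexts.bin is only a ghost placeholder; it is compiled on the installed system, not at build time`. The placeholder's mode also depends on the build umask and is presumably what the ghost entry records, so `install -m0644 /dev/null %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \` would pin it the same way the neighbouring `install -m0644` lines do.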
@@ -239,7 +239,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
 %dir %{_sysconfdir}/selinux/%1/contexts/files \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
-%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
+%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
From deccccdaf1083d864d291b62a9d36e3de5b13ea3 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Fri, 27 Oct 2017 15:44:49 +0200 Subject: [PATCH 2/2] Do not own /etc/selinux//file_contexts.homedirs.bin This file belongs to /etc/selinux//contexts/files/ --- selinux-policy.spec | 2 -- 1 file changed, 2 deletions(-)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7d3be675..2a7390c5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -194,7 +194,6 @@ install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/seli
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
-touch %{buildroot}%{_sysconfdir}/selinux/%1/file_contexts.homedirs.bin \
 cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
 rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
 /usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
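Review bot: Making `file_contexts.bin` a `%ghost` entry in the `@@ -239,7 +239,7 @@` hunk of patch 1/2 leaves the upgrade path unverified from what is visible here. A system upgraded from a build that shipped the compiled file may keep the old `file_contexts.bin` on disk, so correct labelling then depends on a scriptlet regenerating it, or on the lookup code preferring the newer text `file_contexts`. The scriptlets are outside this hunk, so please confirm that one of them rebuilds the policy store after install. The portability argument in the commit message also seems to apply to `file_contexts.homedirs.bin` two lines further down, which is still listed with `%verify(not md5 size mtime)`. If that file is compiled at build time as well, it would become `%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \`.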
@@ -215,7 +214,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
 %dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
-%ghost %{_sysconfdir}/selinux/%1/*.bin \
 %dir %{_sysconfdir}/selinux/%1/policy/ \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
 %{_sysconfdir}/selinux/%1/.policy.sha512 \