From befd3d6c812d9f7563a2a625445e1319068137bb Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Fri, 17 May 2024 22:09:34 +0200
Subject: [PATCH] Update rpm configuration for the /var/run equivalency change

Various updating and installing scenarios are now supported:
- using rpm triggers for other packages in selinux-policy
- inside the selinux_modules_install and selinux_modules_uninstall rpm macros when selinux subpackages are being built
---
 rpm.macros | 4 ++++
 selinux-policy.spec | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
diff --git a/rpm.macros b/rpm.macros
index f63f5fed..dcab0186 100644
--- a/rpm.macros
+++ b/rpm.macros
@@ -55,8 +55,10 @@ if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ %{_sbindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun \
 %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
 %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+ %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} \
 fi \
 %{nil}
@@ -71,8 +73,10 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if [ $1 -eq 0 ]; then \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ %{_sbindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun \
 %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
 %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+ %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} \
 fi \
 fi \
 %{nil}
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ce9ba89f..856fa68d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
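Review bot: In rpm.macros both added `rm` lines call `%{_sbindir}/rm`, while the selinux-policy.spec part of this same patch uses `%{_bindir}/rm`; where the two directories are not merged the macro path would presumably not resolve, and the stale `extra_varrun` directory would stay in the policy store. Neither added line carries the `|| :` guard that the neighbouring `semodule` and `load_policy` lines have, so a non-zero exit from `varrun-convert.sh` becomes the status of the `if` block in whichever package scriptlet expands the macro. Suggested: `%{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \` and `%{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \`. The same applies to the second hunk (`@@ -71,8 +73,10 @@`); both macro bodies start above their hunks.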
@@ -407,6 +407,17 @@ if posix.stat(config_file) then \
 bf:close() \
 end
+# Remove the local_varrun SELinux module
+%define removeVarrunModule() \
+if [ -r "%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil" ]; then \
+ %{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
+fi;
+
+%define removeVarrunModuleLua() \
+if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \
+ os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \
+end
+
 %build
 %prep
@@ -580,6 +591,7 @@ SELinux targeted policy package.
 %pretrans targeted -p
 %backupConfigLua
+%removeVarrunModuleLua targeted
 %pre targeted
 %preInstall targeted
@@ -615,10 +627,34 @@ exit 0
 %{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
 exit 0
+%triggerprein -- container-selinux
+%removeVarrunModule targeted
+exit 0
+
+%triggerprein -- pcp-selinux
+%removeVarrunModule targeted
+exit 0
+
+%triggerpostin -- container-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
+%triggerpostin -- pcp-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
 %triggerpostun -- selinux-policy-targeted < 3.12.1-74
 rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
 exit 0
+%triggerpostun -- pcp-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
+%triggerpostun -- container-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
 %triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
 CR=$'\n'
 INPUT=""
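Review bot: The comment above `removeVarrunModule` says it removes the `local_varrun` module, but both macros delete the `extra_varrun` directory under priority 400, and `removeVarrunModuleLua` has no comment at all. I would reword the first to `# Remove the extra_varrun module directory (priority 400) from the policy store of the given type` and add `# Lua variant of removeVarrunModule for scriptlets that run under the Lua interpreter` above the second. A further sentence should say why the directory is deleted straight out of the store instead of being removed with `semodule -r`, since the Lua variant also discards the result of `os.execute` and a failed removal would go unnoticed.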
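Review bot: The six triggers added in the `@@ -615,10 +627,34 @@` hunk are declared without a subpackage name, unlike `%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138` just below, so they appear to attach to the base package while every body hard-codes the `targeted` store. If that is intended a comment should say so; otherwise `%triggerprein targeted -- container-selinux` keeps each trigger with the policy it modifies. The three pairs differ only in the triggering package, and a trigger accepts a comma-separated list, e.g. `%triggerpostin targeted -- container-selinux, pcp-selinux`, which would halve the duplicated bodies. Because each body ends in `exit 0`, a failing `varrun-convert.sh` leaves no trace in the transaction output, so it is worth reporting its exit status before exiting.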