Update rpm configuration for the /var/run equivalency change

Various updating and installing scenarios are now supported:
- using rpm triggers for other packages in selinux-policy
- inside the selinux_modules_install and selinux_modules_uninstall
  rpm macros when selinux subpackages are being built
Zdenek Pytela 2024-05-17 22:09:34 +02:00 committed by zpytela
parent f05cd533e6
commit befd3d6c81
2 changed files with 40 additions and 0 deletions


@ -55,8 +55,10 @@ if [ -z "${_policytype}" ]; then \
_policytype="targeted" \ _policytype="targeted" \
fi \ fi \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
%{_sbindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun \
%{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \ %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \ %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
%{_libexecdir}/selinux/varrun-convert.sh ${_policytype} \
fi \ fi \
%{nil} %{nil}
@ -71,8 +73,10 @@ if [ -z "${_policytype}" ]; then \
fi \ fi \
if [ $1 -eq 0 ]; then \ if [ $1 -eq 0 ]; then \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
%{_sbindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun \
%{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \ %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \ %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
%{_libexecdir}/selinux/varrun-convert.sh ${_policytype} \
fi \ fi \
fi \ fi \
%{nil} %{nil}
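Review bot: The two added removal lines call `%{_sbindir}/rm`, while the `removeVarrunModule` macros added to the spec in this same commit call `%{_bindir}/rm`. Unless both macros resolve to the same directory on the target system, the sbin path will not exist and the stale `extra_varrun` module stays in the store, with only an error on the scriptlet output. Both lines (install and uninstall macro) should read `%{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun \`. The added `varrun-convert.sh` call is also the only command in these bodies without `|| :`, so its exit status can become the scriptlet's; if that is not intended, append `|| :` as on the neighbouring lines. Both macro definitions begin above the visible hunks.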


@ -407,6 +407,17 @@ if posix.stat(config_file) then \
bf:close() \ bf:close() \
end end
# Remove the local_varrun SELinux module
%define removeVarrunModule() \
if [ -r "%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil" ]; then \
%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
fi;
%define removeVarrunModuleLua() \
if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \
os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \
end
%build %build
%prep %prep
@ -580,6 +591,7 @@ SELinux targeted policy package.
%pretrans targeted -p <lua> %pretrans targeted -p <lua>
%backupConfigLua %backupConfigLua
%removeVarrunModuleLua targeted
%pre targeted %pre targeted
%preInstall targeted %preInstall targeted
@ -615,10 +627,34 @@ exit 0
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB %{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
exit 0 exit 0
%triggerprein -- container-selinux
%removeVarrunModule targeted
exit 0
%triggerprein -- pcp-selinux
%removeVarrunModule targeted
exit 0
%triggerpostin -- container-selinux
%{_libexecdir}/selinux/varrun-convert.sh targeted
exit 0
%triggerpostin -- pcp-selinux
%{_libexecdir}/selinux/varrun-convert.sh targeted
exit 0
%triggerpostun -- selinux-policy-targeted < 3.12.1-74 %triggerpostun -- selinux-policy-targeted < 3.12.1-74
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
exit 0 exit 0
%triggerpostun -- pcp-selinux
%{_libexecdir}/selinux/varrun-convert.sh targeted
exit 0
%triggerpostun -- container-selinux
%{_libexecdir}/selinux/varrun-convert.sh targeted
exit 0
%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138 %triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
CR=$'\n' CR=$'\n'
INPUT="" INPUT=""
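Review bot: Every added trigger ends with `exit 0` right after `varrun-convert.sh`, so a failed conversion is never reported, although the matching `%triggerprein` has by then deleted `extra_varrun` from the policy store. The script is not shown here, but if it is what recreates that module, the /var/run equivalency rules would be missing with no trace in the transaction output. A warning would be enough, e.g. `%{_libexecdir}/selinux/varrun-convert.sh targeted || echo "varrun-convert.sh failed for targeted" >&2`. The comment above `removeVarrunModule` also names `local_varrun` while the code removes `extra_varrun`; I would write `# Remove the extra_varrun SELinux module (priority 400) from the policy store`.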