From c7794d90ee24330db0b933a82cea702ed976a8ed Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Mon, 1 Mar 2021 09:38:19 +0100
Subject: [PATCH] Relabel /dev/nvme* explicitly
In the 9613e80506e7ffa37e9b150f2a3f8641dd7c26ea selinux-policy commit, the type of nvme device files has changed from nvme_device_t to fixed_disk_device_t. This cannot currently be resolved in specfile selinux macros as fixfiles excludes /dev entries. For files in /dev with changed context, restorecon needs to be run explicitly to restore the context. This is a temporary workaround till April 2021 when the updated policy can be considered spread enough.
---
 selinux-policy.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2ec88449..4cc21669 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -279,6 +279,10 @@ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.p
 %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
 rm -f ${FILE_CONTEXT}.pre; \
 fi; \
+# the /dev/nvme* device files type changed, therefore explicit relabeling \
+# of /dev/nvme* is needed as fixfiles excludes /dev \
+# this is a temporary workaround till April 2021 \
+[ -f /dev/nvme0 ] && %{_sbindir}/restorecon /dev/nvme* \
 if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
 continue; \
 fi;
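Review bot: The guard `[ -f /dev/nvme0 ]` on the last added line tests for a regular file, but the entries matched by /dev/nvme* are device nodes, so the test is false and restorecon never runs, leaving the nodes with the old nvme_device_t label the commit message sets out to replace. Use an existence test and terminate the command like its neighbours: `[ -e /dev/nvme0 ] && %{_sbindir}/restorecon /dev/nvme* 2> /dev/null; \`. The added line has no `;` before the continuation, so if the macro body is ever joined into a single shell line the following `if` would become an argument of restorecon; the terminator removes that dependency. Keying on nvme0 alone also skips hosts whose first controller carries another number, which is worth stating in the comment. The enclosing macro starts and ends outside the hunk.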