Relabel /dev/nvme* explicitly
In the 9613e80506e7ffa37e9b150f2a3f8641dd7c26ea selinux-policy commit, the type of nvme device files has changed from nvme_device_t to fixed_disk_device_t. This cannot currently be resolved in specfile selinux macros as fixfiles excludes /dev entries. For files in /dev with changed context, restorecon needs to be run explicitly to restore the context. This is a temporary workaround till April 2021 when the updated policy can be considered spread enough.
This commit is contained in:
Zdenek Pytela
parent
2faa5c2293
commit
c7794d90ee
@ -279,6 +279,10 @@ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.p
|
|||||||
%{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
|
%{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
|
||||||
rm -f ${FILE_CONTEXT}.pre; \
|
rm -f ${FILE_CONTEXT}.pre; \
|
||||||
fi; \
|
fi; \
|
||||||
|
# the /dev/nvme* device files type changed, therefore explicit relabeling \
|
||||||
|
# of /dev/nvme* is needed as fixfiles excludes /dev \
|
||||||
|
# this is a temporary workaround till April 2021 \
|
||||||
|
[ -f /dev/nvme0 ] && %{_sbindir}/restorecon /dev/nvme* \
|
||||||
if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
|
if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
|
||||||
continue; \
|
continue; \
|
||||||
fi;
|
fi;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user