From c9eca3f2d74ea7e483a1fc566399cd8cbc8cc698 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Mon, 20 May 2024 16:12:51 +0200
Subject: [PATCH] Protect the targeted and mls subpackages
Protect the targeted and mls subpackages from uninstallation by dnf when conditional dependencies may suggest so.
Related: RHEL-54303
---
 selinux-policy-mls.conf | 1 +
 selinux-policy-targeted.conf | 1 +
 selinux-policy.spec | 9 +++++++++
 3 files changed, 11 insertions(+)
 create mode 100644 selinux-policy-mls.conf
 create mode 100644 selinux-policy-targeted.conf
diff --git a/selinux-policy-mls.conf b/selinux-policy-mls.conf
new file mode 100644
index 00000000..0a16d053
--- /dev/null
+++ b/selinux-policy-mls.conf
@@ -0,0 +1 @@
+selinux-policy-mls
diff --git a/selinux-policy-targeted.conf b/selinux-policy-targeted.conf
new file mode 100644
index 00000000..9c87c401
--- /dev/null
+++ b/selinux-policy-targeted.conf
@@ -0,0 +1 @@
+selinux-policy-targeted
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 94382d35..422d9f29 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -63,6 +63,9 @@ Source36: selinux-check-proper-disable.service
 # Script to convert /var/run file context entries to /run
 Source37: varrun-convert.sh
+# Configuration files to dnf-protect targeted and/or mls subpackages
+Source38: selinux-policy-targeted.conf
+Source39: selinux-policy-mls.conf
 # Provide rpm macros for packages installing SELinux modules
 Source102: rpm.macros
@@ -451,6 +454,10 @@ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
 mkdir -p %{buildroot}%{_datadir}/selinux/packages
+mkdir -p %{buildroot}%{_sysconfdir}/dnf/protected.d/
+install -m 755 %{SOURCE38} %{buildroot}%{_sysconfdir}/dnf/protected.d/
+install -m 755 %{SOURCE39} %{buildroot}%{_sysconfdir}/dnf/protected.d/
+
 # Install devel
 make clean
 %if %{BUILD_TARGETED}
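Review bot: The two `install -m 755` lines in the %install hunk give plain-text dnf protected.d lists the executable bit, although they are data that dnf only reads; `install -p -m 644 %{SOURCE38} %{buildroot}%{_sysconfdir}/dnf/protected.d/` (and the same for `%{SOURCE39}`) is the mode these files need. Both files are also installed unconditionally, while `%files targeted` and `%files mls` appear to sit inside build conditionals (note the `%endif` after `%fileList mls`), so a build with one policy disabled would presumably end with an installed-but-unpackaged file. Guarding each install with the conditional that guards its `%files` section avoids that. The %install section continues outside the hunk.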
@@ -679,6 +686,7 @@ fi
 exit 0
 %files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
+%config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-targeted.conf
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
 %fileList targeted
@@ -857,6 +865,7 @@ exit 0
 %files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst
+%config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-mls.conf
 %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
 %fileList mls
 %endif
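Review bot: `%config(noreplace)` on the protected.d entry, here and in the `%files mls` hunk, means a locally edited or emptied file is kept across updates, so protection that was removed once stays removed and the only trace is an `.rpmnew` file. If the package is meant to always carry its own protection, list the file without `%config`; if local overrides are intended, say so in a comment such as `# noreplace: admins may deliberately drop the dnf protection`. Either way the file only affects dnf transactions, which is worth stating where the sources are declared. Both %files lists continue outside the hunks.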