rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
046dc6f583
selinux-policy/rpm.macros
Zbigniew Jędrzejewski-Szmek bbd4056045 Call binaries without full path 
As part of https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin, programs
are moved from /usr/sbin/alternatives to /usr/bin/alternatives. Provisions
have been made to create a compat symlink on traditional systems, so that both
paths work and packages that use paths under /usr/sbin do not need to be
rebuilt. Unfortunately, on ostree systems, the compat symlinks are missing, so
using absolute paths causes problems
(https://bodhi.fedoraproject.org/updates/FEDORA-2024-3aafcac6a8).

There is no reason for or benefit from specifying the full path to binaries in
scriptlets because the scriptlets are called with a well-defined $PATH. When
we drop the full path, they work fine no matter where exactly the binary is
installed.

An additional problem with full paths is that they are specified using macros,
and the macro works fine within a package, but they is no guarantee that
different builds of different packages at different times use the same
definition of %_sbindir.

I also changed /bin/echo → echo. The shell builtin is good enough, we don't need
to spawn a separate process.

Related: RHEL-54303
2024-11-14 17:14:03 +01:00

187 lines
7.0 KiB
Plaintext
Raw Blame History

# Copyright (C) 2017 Red Hat, Inc. All rights reserved.
#
# Author: Petr Lautrbach <plautrba@redhat.com>
# Author: Lukáš Vrabec <lvrabec@redhat.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# RPM macros for packages installing SELinux modules
%_selinux_policy_version SELINUXPOLICYVERSION
%_selinux_store_path SELINUXSTOREPATH
%_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
%_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
%_file_context_file_pre %{_localstatedir}/lib/rpm-state/file_contexts.pre
%_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
%_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
# %selinux_requires
%selinux_requires \
Requires: selinux-policy >= %{_selinux_policy_version} \
BuildRequires: pkgconfig(systemd) \
BuildRequires: selinux-policy \
BuildRequires: selinux-policy-devel \
Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
Requires(post): libselinux-utils \
Requires(post): policycoreutils \
%if 0%{?fedora} || 0%{?rhel} > 7\
Requires(post): policycoreutils-python-utils \
%else \
Requires(post): policycoreutils-python \
%endif \
%{nil}
# %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
%selinux_modules_install("s:p:") \
if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
selinuxenabled && load_policy || : \
%{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
fi \
%{nil}
# %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
%selinux_modules_uninstall("s:p:") \
if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ $1 -eq 0 ]; then \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
selinuxenabled && load_policy || : \
%{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
fi \
fi \
%{nil}
# %selinux_relabel_pre [-s <policytype>]
%selinux_relabel_pre("s:") \
if selinuxenabled; then \
if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
[ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
fi \
fi \
%{nil}
# %selinux_relabel_post [-s <policytype>]
%selinux_relabel_post("s:") \
if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
if [ -f %{_file_context_file_pre} ]; then \
fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
rm -f %{_file_context_file_pre} \
fi \
fi \
%{nil}
# %selinux_set_booleans [-s <policytype>] boolean [boolean]...
%selinux_set_booleans("s:") \
if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ -d "%{_selinux_store_policy_path}" ]; then \
LOCAL_MODIFICATIONS=$(semanage boolean -E) \
if [ ! -f %_file_custom_defined_booleans ]; then \
echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
fi \
semanage_import='' \
for boolean in %*; do \
boolean_name=${boolean%=*} \
boolean_value=${boolean#*=} \
boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
if [ -n "$boolean_local_string" ]; then \
semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
if [ -n "$boolean_customized_string" ]; then \
echo $boolean_customized_string >> %_file_custom_defined_booleans \
else \
echo $boolean_local_string >> %_file_custom_defined_booleans \
fi \
else \
semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
boolean_default_value=$(LC_ALL=C semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
fi \
done; \
if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
echo -e "$semanage_import" | semanage import -S "${_policytype}" \
elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
echo -e "$semanage_import" | semanage import -S "${_policytype}" -N \
fi \
fi \
%{nil}
# %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
%selinux_unset_booleans("s:") \
if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ -d "%{_selinux_store_policy_path}" ]; then \
semanage_import='' \
for boolean in %*; do \
boolean_name=${boolean%=*} \
boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
if [ -n "$boolean_customized_string" ]; then \
awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
semanage_import="${semanage_import}\\n${boolean_customized_string}" \
fi \
fi \
done; \
if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
echo -e "$semanage_import" | semanage import -S "${_policytype}" \
elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
echo -e "$semanage_import" | semanage import -S "${_policytype}" -N \
fi \
fi \
%{nil}
Reference in New Issue View Git Blame Copy Permalink