PR#10: Drop our selinux policy as it's been subsumed by the main one - rpms/rpm

rpms / rpm

#10 Drop our selinux policy as it's been subsumed by the main one

Merged a year ago by ngompa. Opened a year ago by dcavalca.

rpms/ dcavalca/rpm c9s-sig-hyperscale into c9s-sig-hyperscale

Drop our selinux policy as it's been subsumed by the main one

Davide Cavalca • a year ago

1731c9

Makefile.selinux

file removed

-16

		`@@ -1,16 +0,0 @@`
		`- TARGETS ?= rpm_hs`
		`- SHARE ?= /usr/share`
		`- MODULES ?= ${TARGETS:=.pp.bz2}`
		`-`
		`- all: ${TARGETS:=.pp.bz2}`
		`-`
		`- %.pp.bz2: %.pp`
		`- @echo Compressing $^ -\ $@`
		`- bzip2 -9 $^`
		`-`
		`- %.pp: %.te`
		`- make -f ${SHARE}/selinux/devel/Makefile $@`
		`-`
		`- clean:`
		`- rm -f ~ .tc .pp .pp.bz2`
		`- rm -rf tmp`

rpm.spec

file modified

+8 -58

		`@@ -42,7 +42,7 @@`

		`%global rpmver 4.16.1.3`
		`#global snapver rc1`
		`- %global rel 22.2`
		`+ %global rel 22.3`
		`%global sover 9`

		`%global srcver %{rpmver}%{?snapver:-%{snapver}}`
		`@@ -70,11 +70,6 @@`
		`Source20: rpmdb-migrate.service`
		`Source21: rpmdb_migrate`

		`- # Needed for selinux subpackage`
		`- Source100: Makefile.selinux`
		`- Source101: rpm_hs.te`
		`- Source102: rpm_hs.fc`
		`-`
		`# Set rpmdb path to /usr/lib/sysimage/rpm`
		`Patch0: rpm-4.16.x-rpm_dbpath.patch`
		`# Disable autoconf config.site processing (#962837)`
		`@@ -270,8 +265,9 @@`
		`Requires(pre): findutils`
		`Requires(pre): sed`

		`- # Force the SELinux module to be installed if SELinux policy is installed`
		`- Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy)`
		`+ # We don't need a custom policy anymore`
		`+ Provides: %{name}-selinux = %{name}-%{version}`
		`+ Obsoletes: %{name}-selinux < 4.16.1.3-22.3`

		`%description`
		`The RPM Package Manager (RPM) is a powerful command line driven`
		`@@ -475,24 +471,6 @@`
		`# with plugins`
		`%endif`

		`- %package selinux`
		`- Summary: SELinux module for rpm`
		`- BuildArch: noarch`
		`- BuildRequires: bzip2`
		`- BuildRequires: make`
		`- BuildRequires: selinux-policy`
		`- BuildRequires: selinux-policy-devel`
		`- Requires(post): selinux-policy-base >= %{_selinux_policy_version}`
		`- Requires(post): policycoreutils`
		`- Requires(post): policycoreutils-python-utils`
		`- Requires(pre): libselinux-utils`
		`- Requires(post): libselinux-utils`
		`-`
		`- %description selinux`
		`- This package provides the SELinux policy module to ensure rpm`
		`- runs properly under an environment with SELinux enabled.`
		`-`
		`-`
		`%prep`
		`%autosetup -n rpm-%{srcver} %{?with_int_bdb:-a 1} -p1`

		`@@ -505,10 +483,6 @@`
		`sed -i -e "/_db_backend/ s/ bdb/ sqlite/g" macros.in`
		`%endif`

		`- # SELinux policy files`
		`- mkdir selinux-policy`
		`- cp %{SOURCE100} %{SOURCE101} %{SOURCE102} selinux-policy`
		`-`
		`%build`
		`%set_build_flags`

		`@@ -554,10 +528,6 @@`
		`%py3_build`
		`popd`

		`- pushd selinux-policy`
		`- %{__make} -f Makefile.selinux SHARE="%{_datadir}" TARGETS="rpm_hs"`
		`- popd`
		`-`
		`%install`
		`%make_install`

		`@@ -567,9 +537,6 @@`
		`%py3_install`
		`popd`

		`- install -d -p %{buildroot}%{_datadir}/selinux/packages`
		`- install -p -m 0644 selinux-policy/rpm_hs.pp.bz2 %{buildroot}%{_datadir}/selinux/packages`
		`-`
		`mkdir -p $RPM_BUILD_ROOT%{_unitdir}`
		`install -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}`
		`install -m 644 %{SOURCE20} $RPM_BUILD_ROOT/%{_unitdir}`
		`@@ -638,23 +605,6 @@`
		`touch /var/lib/rpm/.migratedb`
		`fi`

		`- %pre selinux`
		`- %selinux_relabel_pre`
		`-`
		`- %post selinux`
		`- %selinux_modules_install %{_datadir}/selinux/packages/rpm_hs.pp.bz2`
		`- %selinux_relabel_post`
		`-`
		`- %posttrans selinux`
		`- %selinux_relabel_post`
		`-`
		`- %postun selinux`
		`- %selinux_modules_uninstall rpm_hs`
		`-`
		`- if [ $1 -eq 0 ]; then`
		`- %selinux_relabel_post`
		`- fi`
		`-`
		`%files -f rpm.lang`
		`%license COPYING`
		`%doc CREDITS doc/manual/[a-z]*`
		`@@ -824,11 +774,11 @@`
		`%license COPYING`
		`%doc doc/librpm/html/*`

		`- %files selinux`
		`- %{_datadir}/selinux/packages/rpm_hs.pp.bz2`
		`-`
		`%changelog`
		`- * Mon Feb 06 2022 Aleksandr Kazakov <alexkazakov@meta.com> - 4.16.1.3-22.2`
		`+ * Sat Feb 11 2023 Davide Cavalca <dcavalca@centosproject.org> - 4.16.1.3-22.3`
		`+ - Drop our selinux policy as it's been subsumed by the main one`
		`+`
		`+ * Mon Feb 06 2023 Aleksandr Kazakov <alexkazakov@meta.com> - 4.16.1.3-22.2`
		`- Backport multi-threaded zstd for Hyperscale`

		`* Tue Dec 20 2022 Davide Cavalca <dcavalca@centosproject.org> - 4.16.1.3-22.1`

rpm_hs.fc

file removed

-2

		`@@ -1,2 +0,0 @@`
		`- # This is in /usr, but is expected to be variable content from a policy perspective (#2042149)`
		`- /usr/lib/sysimage/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)`

rpm_hs.te

file removed

-11

		`@@ -1,11 +0,0 @@`
		`- policy_module(rpm_hs,0.0.1)`
		`-`
		`- # rpm overrides`
		- gen_require(`
		`- type rpm_t;`
		`- type rpmdb_t;`
		`- type rpm_var_lib_t;`
		`- ')`
		`-`
		`- # Allow rpmdb create directory in /usr/lib/sysimage (#2061141)`
		`- files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)`

dcavalca commented a year ago

This should fix the conflict I'm seeing with the latest upstream policy:

Found conflicting filecon rules
  at /var/lib/selinux/targeted/tmp/modules/100/rpm/cil:2436
  at /var/lib/selinux/targeted/tmp/modules/200/rpm_hs/cil:8
Problems processing filecon rules
Failed post db handling
Post process failed