From 1297d60bc4d12c33bc0d54ddc2aec47c2f4bad36 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: May 06 2024 15:49:45 +0000
Subject: Update rpm configuration for the /var/run equivalency change
Various updating and installing scenarios are now supported:
- using rpm triggers for other packages in selinux-policy
- inside the selinux_modules_install and selinux_modules_uninstall rpm macros when selinux subpackages are being built
---
diff --git a/rpm.macros b/rpm.macros
index f63f5fe..dcab018 100644
--- a/rpm.macros
+++ b/rpm.macros
@@ -55,8 +55,10 @@ if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ %{_sbindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun \
 %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
 %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+ %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} \
 fi \
 %{nil}
@@ -71,8 +73,10 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if [ $1 -eq 0 ]; then \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ %{_sbindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun \
 %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
 %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+ %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} \
 fi \
 fi \
 %{nil}
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 595d313..ba30725 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -24,7 +24,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 40.18
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL-2.0-or-later
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
 Source1: modules-targeted-base.conf
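Review bot: The added cleanup line in the rpm.macros hunk at @@ -55 calls `%{_sbindir}/rm`, while the spec half of this same commit calls `%{_bindir}/rm` in removeVarrunModule. rm is normally shipped in the bin directory, so on a system where the two directories are distinct this line fails with command-not-found and extra_varrun is still in the store when semodule runs. The @@ -71 hunk carries the identical line. Both could read `%{_bindir}/rm -rf "%{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun" || : \`, which also quotes the expanded `${_policytype}` handed to a recursive delete that runs as root. The macro bodies begin above both hunks, so the macro names are known only from the commit message.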
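Review bot: In the rpm.macros hunk at @@ -71, `%{_libexecdir}/selinux/varrun-convert.sh ${_policytype}` is the only command in the block without `|| :`, and it is the last command inside the `if`, so its exit status becomes the status of the expanded macro. These macros expand into the scriptlets of other packages, so if the script is absent on the target or returns non-zero, a scriptlet ending with this macro would fail; whether an older selinux-policy without the script can be present at that point is not visible in this diff. A guarded form keeps the best-effort behaviour of the neighbouring lines: `[ -x %{_libexecdir}/selinux/varrun-convert.sh ] && %{_libexecdir}/selinux/varrun-convert.sh "${_policytype}" || : \`. The @@ -55 hunk has the same unguarded line.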
@@ -407,6 +407,17 @@ if posix.stat(config_file) then \
 bf:close() \
 end
+# Remove the local_varrun SELinux module
+%define removeVarrunModule() \
+if [ -r "%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil" ]; then \
+ %{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
+fi;
+
+%define removeVarrunModuleLua() \
+if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \
+ os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \
+end
+
 %build
 %prep
@@ -580,6 +591,7 @@ SELinux targeted policy package.
 %pretrans targeted -p
 %backupConfigLua
+%removeVarrunModuleLua targeted
 %pre targeted
 %preInstall targeted
@@ -615,10 +627,34 @@ exit 0
 %{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
 exit 0
+%triggerprein -- container-selinux
+%removeVarrunModule targeted
+exit 0
+
+%triggerprein -- pcp-selinux
+%removeVarrunModule targeted
+exit 0
+
+%triggerpostin -- container-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
+%triggerpostin -- pcp-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
 %triggerpostun -- selinux-policy-targeted < 3.12.1-74
 rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
 exit 0
+%triggerpostun -- pcp-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
+%triggerpostun -- container-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
 %triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
 CR=$'\n'
 INPUT=""
@@ -824,6 +860,9 @@ exit 0
 %endif
 %changelog
+* Mon May 06 2024 Zdenek Pytela - 40.18-2
+- Update rpm configuration for the /var/run equivalency change
+
 * Mon May 06 2024 Zdenek Pytela - 40.18-1
 - Allow virtqemud read vfio devices
 - Allow virtqemud get attributes of a tmpfs filesystem
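Review bot: The comment above removeVarrunModule in the @@ -407 hunk names `local_varrun`, but both macros delete the directory `extra_varrun` at priority 400, so a reader looking for the named module in the store will not find it; `# Remove the extra_varrun module (priority 400) from the policy store` matches the code. The shell variant quotes the path in the `-r` test but not in the `rm -rf` that follows. Quoting it the same way, `%{_bindir}/rm -rf "%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun" \`, keeps the recursive delete on a single path whatever `%1` expands to. The Lua variant discards the result of `os.execute`, so a failed removal during %pretrans is silent; whether that is intended is not visible here.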
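Review bot: Every trigger added in the @@ -615 hunk ends in `exit 0`, so a failing `varrun-convert.sh` leaves no trace in the transaction output and the store can stay unconverted without anyone noticing. If ignoring the failure is intended, it can still be made visible with `%{_libexecdir}/selinux/varrun-convert.sh targeted || echo "varrun-convert.sh targeted failed" >&2`. The stanzas for container-selinux and pcp-selinux are pairwise identical; rpm accepts a comma-separated target list, e.g. `%triggerpostin -- container-selinux, pcp-selinux`, which would halve the six added stanzas and keep later edits in one place. All of them hard-code `targeted`; whether the other policy types need the same handling cannot be told from this diff.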