public inbox for passt-dev@passt.top
* [PATCH] fedora: Refresh SELinux labels in scriptlets, require -selinux package
@ 2023-03-16 19:57 Stefano Brivio
From: Stefano Brivio @ 2023-03-16 19:57 UTC (permalink / raw)
  To: passt-dev

Instead of:
  https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

follow this:
  https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy

which seems to make more sense and fixes the issue that, on a fresh
install, without a reboot, the file contexts for the binaries are not
actually updated.

In detail:

- labels are refreshed using the selinux_relabel_pre and
  selinux_relabel_post on install, upgrade, and uninstall

- use the selinux_modules_install and selinux_modules_uninstall
  macros, instead of calling 'semodule' directly (no functional
  changes in our case)

- require the -selinux package on SELinux-enabled environments and if
  the current system policy is "targeted"

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/fedora/passt.spec | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
index 51cad90..f6aa117 100644
--- a/contrib/fedora/passt.spec
+++ b/contrib/fedora/passt.spec
@@ -8,6 +8,7 @@
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
 %global git_hash {{{ git_head }}}
+%global selinuxtype targeted
 
 Name:		passt
 Version:	{{{ git_version }}}
@@ -19,6 +20,7 @@ URL:		https://passt.top/
 Source:		https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz
 
 BuildRequires:	gcc, make, checkpolicy, selinux-policy-devel
+Requires:	(%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
 
 %description
 passt implements a translation layer between a Layer-2 network interface and
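Review bot: The condition on the new Requires: line is narrower than what the commit message describes. "if selinux-policy-%{selinuxtype}" is satisfied whenever the selinux-policy-targeted package is installed; it does not test whether SELinux is enabled or whether "targeted" is the policy actually in use, so a host with SELinux disabled but the policy package present will still pull in passt-selinux. That is probably the intended behaviour, since an RPM dependency cannot see runtime state, but the commit message should say "if selinux-policy-targeted is installed" so the two agree. A one-line comment above the Requires: explaining the rich dependency would also help readers of the spec file.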
@@ -66,13 +68,21 @@ install -p -m 644 -D pasta.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/p
 install -p -m 644 -D pasta.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/pasta.if
 popd
 
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
 %post selinux
-semodule -i %{_datadir}/selinux/packages/%{name}/passt.pp 2>/dev/null || :
-semodule -i %{_datadir}/selinux/packages/%{name}/pasta.pp 2>/dev/null || :
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}/passt.pp
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}/pasta.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+	%selinux_modules_uninstall -s %{selinuxtype} passt
+	%selinux_modules_uninstall -s %{selinuxtype} pasta
+fi
 
-%preun selinux
-semodule -r passt 2>/dev/null || :
-semodule -r pasta 2>/dev/null || :
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
 
 %files
 %license LICENSES/{AGPL-3.0-or-later.txt,BSD-3-Clause.txt}
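Review bot: The uninstall path in the new %postun block removes the modules but nothing visible here refreshes labels afterwards. The commit message says labels are refreshed "on install, upgrade, and uninstall", yet %selinux_relabel_pre sits in %pre and %selinux_relabel_post in %posttrans, and %pre does not run when the package is erased. If the relabel is meant to happen on erase too, consider calling %selinux_relabel_post -s %{selinuxtype} inside the "if [ $1 -eq 0 ]" branch after the two %selinux_modules_uninstall lines, or adjust the commit message. Separately, the removed semodule calls ended in "2>/dev/null || :" so a failure could never fail the scriptlet; it is worth confirming that the macros keep that property, since a non-zero exit from %pre would abort the install of the subpackage.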
-- 
2.39.2


Code repositories for project(s) associated with this public inbox

	https://passt.top/passt
