This new name of the option makes it clear that the conditional only affects policy installation, not building of selinux support more generally. The prefix on the module name avoids risk of clashing with other variables.
Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
---
 libvirt.spec.in | 47 ++++++++++++++++++++++++-----------------------
 1 file changed, 24 insertions(+), 23 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 37f8a218e6..bb693b58bf 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -187,9 +187,10 @@
 %define with_modular_daemons 1
 %endif
+%define with_selinux_policy 0
+%global selinux_modulename virt
 %if 0%{?fedora} > 34 || 0%{?rhel} > 8
- %global with_selinux 1
- %global modulename virt
+ %global with_selinux_policy 1
 %endif
 # Force QEMU to run as non-root
@@ -433,7 +434,7 @@ Requires(pre): shadow-utils
 # Needed by /usr/libexec/libvirt-guests.sh script.
 Requires: gettext
-%if 0%{?with_selinux}
+%if 0%{?with_selinux_policy}
 # This ensures that the *-selinux package and all it’s dependencies are not pulled
 # into containers and other systems that do not use SELinux
 Requires: (%{name}-daemon-selinux if selinux-policy-base)
@@ -942,7 +943,7 @@ Requires: libvirt-daemon-driver-network = %{version}-%{release}
 %description nss
 Libvirt plugin for NSS for translating domain names into IP addresses.
-%if 0%{?with_selinux}
+%if 0%{?with_selinux_policy}
 # SELinux subpackage
 %package daemon-selinux
 Summary: Libvirt daemon SELinux policy
@@ -1628,7 +1629,7 @@ getent group virtlogin >/dev/null || groupadd -r virtlogin
 exit 0
 %endif
-%if 0%{?with_selinux}
+%if 0%{?with_selinux_policy}
 # SELinux contexts are saved so that only affected files can be
 # relabeled after the policy module installation
 %pre daemon-selinux
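Review bot: In the first hunk (`@@ -187,9 +187,10 @@`) the new default `%define with_selinux_policy 0` has no comment, so a packager reading the spec cannot tell that the switch only governs shipping the `daemon-selinux` policy subpackage and not SELinux support in the build, which is the distinction the commit message draws. A line such as `# Ship the SELinux policy module subpackage; does not affect building SELinux support` above it would record that. The default is also set with `%define` while the override a few lines below uses `%global`; writing both with the same directive, e.g. `%global with_selinux_policy 0`, avoids any question about macro scope.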
@@ -1655,33 +1656,33 @@ fi
 # install the policy module to corresponding policy store if
 # selinux-policy-{targeted|mls|minimum} package is installed on the system
 %triggerin -n %{name}-daemon-selinux -- selinux-policy-targeted
-/usr/sbin/semodule -n -s targeted -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || :
+/usr/sbin/semodule -n -s targeted -X 200 -i %{_datadir}/selinux/packages/%{selinux_modulename}.pp.bz2 || :
 %triggerin -n %{name}-daemon-selinux -- selinux-policy-minimum
-/usr/sbin/semodule -n -s minimum -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || :
+/usr/sbin/semodule -n -s minimum -X 200 -i %{_datadir}/selinux/packages/%{selinux_modulename}.pp.bz2 || :
 # libvirt module is installed by default, but disabled -- enable it
-/usr/sbin/semodule -n -s minimum -e %{modulename} || :
+/usr/sbin/semodule -n -s minimum -e %{selinux_modulename} || :
 %triggerin -n %{name}-daemon-selinux -- selinux-policy-mls
-/usr/sbin/semodule -n -s mls -X 200 -i %{_datadir}/selinux/packages/mls/%{modulename}.pp.bz2 || :
+/usr/sbin/semodule -n -s mls -X 200 -i %{_datadir}/selinux/packages/mls/%{selinux_modulename}.pp.bz2 || :
 # remove the policy module from corresponding module store if
 # libvirt-selinux or selinux-policy-* was removed from the system,
 # but not when either package gets updated
 %triggerun -n %{name}-daemon-selinux -- selinux-policy-targeted
-if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} ]; then
- /usr/sbin/semodule -n -s targeted -X 200 -r %{modulename} || :
+if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/targeted/active/modules/200/%{selinux_modulename} ]; then
+ /usr/sbin/semodule -n -s targeted -X 200 -r %{selinux_modulename} || :
 fi
 %triggerun -n %{name}-daemon-selinux -- selinux-policy-minimum
-if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} ]; then
- /usr/sbin/semodule -n -s minimum -X 200 -r %{modulename} || :
- /usr/sbin/semodule -n -d %{modulename} || :
+if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/minimum/active/modules/200/%{selinux_modulename} ]; then
+ /usr/sbin/semodule -n -s minimum -X 200 -r %{selinux_modulename} || :
+ /usr/sbin/semodule -n -d %{selinux_modulename} || :
 fi
 %triggerun -n %{name}-daemon-selinux -- selinux-policy-mls
-if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} ]; then
- /usr/sbin/semodule -n -s mls -X 200 -r %{modulename} || :
+if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/mls/active/modules/200/%{selinux_modulename} ]; then
+ /usr/sbin/semodule -n -s mls -X 200 -r %{selinux_modulename} || :
 fi
 %endif
@@ -2145,14 +2146,14 @@ fi
 %{_datadir}/libvirt/api/libvirt-qemu-api.xml
 %{_datadir}/libvirt/api/libvirt-lxc-api.xml
-%if 0%{?with_selinux}
+%if 0%{?with_selinux_policy}
 %files daemon-selinux
-%{_datadir}/selinux/packages/%{modulename}.pp.*
-%{_datadir}/selinux/packages/mls/%{modulename}.pp.*
-%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename}
-%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename}
-%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename}
-%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
+%{_datadir}/selinux/packages/%{selinux_modulename}.pp.*
+%{_datadir}/selinux/packages/mls/%{selinux_modulename}.pp.*
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/200/%{selinux_modulename}
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/minimum/active/modules/200/%{selinux_modulename}
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/mls/active/modules/200/%{selinux_modulename}
+%{_datadir}/selinux/devel/include/distributed/%{selinux_modulename}.if
 %endif
-- 2.31.1
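Review bot: In the `%triggerun ... selinux-policy-minimum` scriptlet of the `@@ -1655,33 +1656,33 @@` hunk, the disable call `/usr/sbin/semodule -n -d %{selinux_modulename} || :` has no `-s minimum`, unlike the matching enable in `%triggerin`, which passes `-s minimum -e`. Without `-s`, semodule works on the system's configured policy store, so on a host running another policy type, removing selinux-policy-minimum would appear to disable the virt module in the store that is actually in use. The rename carries this line over unchanged; it should read `/usr/sbin/semodule -n -s minimum -d %{selinux_modulename} || :`. Because every call in these scriptlets ends in `|| :`, a wrong store or a failed module operation leaves no trace at install time.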