Daniel J Walsh wrote:
Paul Howarth wrote:
*** post-install scriptlet installs policy modules and fixes contexts:
%if %{selinux_module}
%post
# Install SELinux policy modules
if [ -x /usr/sbin/semodule ]; then
  for selinuxvariant in %{selinux_variants}
  do
    /usr/sbin/semodule -s ${selinuxvariant} -i \
      %{_datadir}/selinux/${selinuxvariant}/contagged.pp \
      &> /dev/null || :
  done
fi
Does this fail silently if the policy package is not installed?
I believe semodule will output "semodule: SELinux policy is not managed
or store cannot be accessed.", hence the redirection of all output to
/dev/null and the "|| :" to ignore the semodule exit code.
# Fix up non-standard directory context
[ -x /sbin/restorecon ] && /sbin/restorecon \
  %{_localstatedir}/cache/contagged || :
%endif
*** pre-uninstall script removes policy modules (and removes the app's
cache, which is not SELinux-related):
%postun
# Clean up after package removal
if [ $1 -eq 0 ]; then
  # Clean out the cache
  %{__rm} -f %{_localstatedir}/cache/contagged/*.tpl.php
  /bin/rmdir %{_localstatedir}/cache/contagged &> /dev/null || :
%if %{selinux_module}
  # Remove SELinux policy modules
  if [ -x /usr/sbin/semodule ]; then
    for selinuxvariant in %{selinux_variants}
    do
      /usr/sbin/semodule -s ${selinuxvariant} -r contagged || :
    done
  fi
You might need to fixup contexts here also, if you leave anything behind.
Good point. So in this case I'd need:
/sbin/restorecon -Rh %{_localstatedir}/cache/contagged || :
Dan also comments in #190561 that "You only need to install it with
semodule, you do not need to install the pp file"; I don't get this, as
how will semodule be able to access the .pp file if it isn't installed
with the package...
Sorry, you are right. The only thing is you should not put the pp file
in /usr/share/selinux/VARIANT, as the current policy package does a
semodule -i of all pp files in that directory. (Which I should really
change.) So if someone does a semodule -r later, the policy upgrade will
reinstall.
Ah, I saw the clamav.pp in there and assumed it was from an Extras
package but it's not. There probably needs to be a separate hierarchy
for package modules then, perhaps:
/usr/share/selinux/packages/VARIANT/
and the .pp files go in there. And if it's the same .pp file for all
variants, it would go in /usr/share/selinux/packages/share/ instead.
My point about the pp file is that you do not need to leave it on disk
or even use it again after it has been installed. As a matter of fact
semodule copies the pp file to
/etc/selinux/VARIANT/modules/active/modules/
From a package management point of view, it's probably best (and
certainly easiest) to just install it as a regular file and then it'll
get removed if the package is removed. It's not as if it's saving a huge
amount of disk space.
Paul.
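The scriptlet logic discussed in this thread, pulled together as plain shell functions so it can be exercised outside rpm (an added example, not code from the thread or the contagged package). It assumes the /usr/share/selinux/packages/VARIANT layout proposed above, which is a proposal rather than an established convention, and the SEMODULE/RESTORECON variables exist only so the binaries can be swapped for stubs when testing.

```shell
# Added example, not code from the thread: %post/%postun logic as shell
# functions. SEMODULE/RESTORECON default to the real binaries (override
# for testing). POLICY_DIR uses the packages/VARIANT layout proposed in
# the thread; module name, cache path and *.tpl.php cleanup follow the
# spec quoted above.
SEMODULE="${SEMODULE:-/usr/sbin/semodule}"
RESTORECON="${RESTORECON:-/sbin/restorecon}"
POLICY_DIR="${POLICY_DIR:-/usr/share/selinux/packages}"
CACHE_DIR="${CACHE_DIR:-/var/cache/contagged}"

# %post: load the module into every policy store. On a box with no
# managed store semodule exits non-zero ("SELinux policy is not managed
# or store cannot be accessed"); as in the thread, that is non-fatal.
# Usage: selinux_post MODULE VARIANT...
selinux_post() {
    module=$1; shift
    if [ -x "$SEMODULE" ]; then
        for variant in "$@"; do
            "$SEMODULE" -s "$variant" -i "$POLICY_DIR/$variant/$module.pp" \
                >/dev/null 2>&1 || :
        done
    fi
    # rpm labelled the payload before the module existed, so relabel the
    # non-standard cache directory now that its file_contexts are loaded.
    [ -x "$RESTORECON" ] && "$RESTORECON" -Rh "$CACHE_DIR" >/dev/null 2>&1 || :
    return 0
}

# %postun: rpm passes the number of instances left as $1; 0 is a real
# erase, anything else is an upgrade and the module must stay loaded.
# Usage: selinux_postun COUNT MODULE VARIANT...
selinux_postun() {
    remaining=$1; module=$2; shift 2
    [ "$remaining" -eq 0 ] || return 0
    rm -f "$CACHE_DIR"/*.tpl.php
    rmdir "$CACHE_DIR" >/dev/null 2>&1 || :
    if [ -x "$SEMODULE" ]; then
        for variant in "$@"; do
            "$SEMODULE" -s "$variant" -r "$module" >/dev/null 2>&1 || :
        done
    fi
    # Dan's point: anything left behind still carries a type the removed
    # module defined, so relabel it back to the default context.
    if [ -d "$CACHE_DIR" ] && [ -x "$RESTORECON" ]; then
        "$RESTORECON" -Rh "$CACHE_DIR" >/dev/null 2>&1 || :
    fi
    return 0
}
```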
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list