[PATCH] python/sepolicy: Add/remove user even when SELinux is disabled


 



Use "semanage user -a/-d" in spec file generated by "sepolicy generate"
even when SELinux is disabled. The command works properly when SELinux
is disabled and with this change the user will be present once SELinux
is re-enabled.
Also, do not execute the command when the package is updated, only when
it is first installed.

Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
---
 python/sepolicy/sepolicy/templates/spec.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/python/sepolicy/sepolicy/templates/spec.py b/python/sepolicy/sepolicy/templates/spec.py
index 16a22081..433c298a 100644
--- a/python/sepolicy/sepolicy/templates/spec.py
+++ b/python/sepolicy/sepolicy/templates/spec.py
@@ -43,20 +43,23 @@ install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAI
 
 %post
 semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp
+# Add the new user defined in DOMAINNAME_u only when the package is installed (not during updates)
+if [ $1 -eq 1 ]; then
+    /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u
+fi
 if /usr/sbin/selinuxenabled ; then
     /usr/sbin/load_policy
     %relabel_files
-    /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u
 fi;
 exit 0
 
 %postun
 if [ $1 -eq 0 ]; then
+    /usr/sbin/semanage user -d DOMAINNAME_u
     semodule -n -r MODULENAME
     if /usr/sbin/selinuxenabled ; then
        /usr/sbin/load_policy
        %relabel_files
-       /usr/sbin/semanage user -d DOMAINNAME_u
     fi;
 fi;
 exit 0
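Review bot: The `[ $1 -eq 1 ]` guard added in %post leaves a gap on the upgrade path: a package built from the old template and installed while SELinux was disabled never ran `semanage user -a` (it sat inside the `selinuxenabled` block), and an upgrade to a package built from this template skips the add as well, so DOMAINNAME_u is still missing when SELinux is re-enabled. Consider making the add idempotent rather than install-only, for example by checking the output of `semanage user -l` for DOMAINNAME_u and adding it when absent, or state the limitation in the commit message. Separately, both the add in %post and the `semanage user -d` moved to the top of the %postun block have their exit status discarded and the scriptlets end in `exit 0`, so a failed add or delete is silent now that these commands also run on systems with SELinux disabled; printing a message to stderr on failure would make that visible.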
-- 
2.40.0



