Vit Mojzis <vmojzis@xxxxxxxxxx> writes: > Use "semanage user -a/-d" in spec file generated by "sepolicy generate" > even when SELinux is disabled. The command works properly when SELinux > is disabled and with this change the user will be present once SELinux > is re-enabled. > Also, do not execute the command when the package is updated, only when > it is first installed. > > Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx> Acked-by: Petr Lautrbach <lautrbach@xxxxxxxxxx> > --- > python/sepolicy/sepolicy/templates/spec.py | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/python/sepolicy/sepolicy/templates/spec.py b/python/sepolicy/sepolicy/templates/spec.py > index 16a22081..433c298a 100644 > --- a/python/sepolicy/sepolicy/templates/spec.py > +++ b/python/sepolicy/sepolicy/templates/spec.py > @@ -43,20 +43,23 @@ install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAI > > %post > semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp > +# Add the new user defined in DOMAINNAME_u only when the package is installed (not during updates) > +if [ $1 -eq 1 ]; then > + /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u > +fi > if /usr/sbin/selinuxenabled ; then > /usr/sbin/load_policy > %relabel_files > - /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u > fi; > exit 0 > > %postun > if [ $1 -eq 0 ]; then > + /usr/sbin/semanage user -d DOMAINNAME_u > semodule -n -r MODULENAME > if /usr/sbin/selinuxenabled ; then > /usr/sbin/load_policy > %relabel_files > - /usr/sbin/semanage user -d DOMAINNAME_u > fi; > fi; > exit 0 > -- > 2.40.0
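Review bot: in %post, the relocated "/usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u" has its exit status discarded by the trailing "exit 0", and it can fail on a first install if DOMAINNAME_u is already present. That state is reachable with specs generated before this change: the old %postun only ran "semanage user -d" inside the "if /usr/sbin/selinuxenabled" block, so a package installed with SELinux enabled and removed with it disabled leaves the user behind, and a later reinstall hits "$1 -eq 1" with the user already defined. Consider falling back to "semanage user -m -R DOMAINNAME_r DOMAINNAME_u" when the add fails, or at least printing a warning, so the role mapping ends up as the package expects. In %postun the new position of "semanage user -d DOMAINNAME_u" ahead of "semodule -n -r MODULENAME" looks deliberate (the user references DOMAINNAME_r from the module), but unlike the %post addition it has no comment; a one-line note on the ordering would keep someone from moving it back below the semodule call.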