Petr Lautrbach <lautrbach@xxxxxxxxxx> writes:
> Vit Mojzis <vmojzis@xxxxxxxxxx> writes:
>
>> Use "semanage user -a/-d" in spec file generated by "sepolicy generate"
>> even when SELinux is disabled. The command works properly when SELinux
>> is disabled and with this change the user will be present once SELinux
>> is re-enabled.
>> Also, do not execute the command when the package is updated, only when
>> it is first installed.
>>
>> Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
>
> Acked-by: Petr Lautrbach <lautrbach@xxxxxxxxxx>
merged, thanks!
>
>> ---
>> python/sepolicy/sepolicy/templates/spec.py | 7 +++++--
>> 1 file changed, 5 insertions(+), 2 deletions(-)
>>
>> diff --git a/python/sepolicy/sepolicy/templates/spec.py b/python/sepolicy/sepolicy/templates/spec.py
>> index 16a22081..433c298a 100644
>> --- a/python/sepolicy/sepolicy/templates/spec.py
>> +++ b/python/sepolicy/sepolicy/templates/spec.py
>> @@ -43,20 +43,23 @@ install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAI
>>
>> %post
>> semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp
>> +# Add the new user defined in DOMAINNAME_u only when the package is installed (not during updates)
>> +if [ $1 -eq 1 ]; then
>> + /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u
>> +fi
>> if /usr/sbin/selinuxenabled ; then
>> /usr/sbin/load_policy
>> %relabel_files
>> - /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u
>> fi;
>> exit 0
>>
>> %postun
>> if [ $1 -eq 0 ]; then
>> + /usr/sbin/semanage user -d DOMAINNAME_u
>> semodule -n -r MODULENAME
>> if /usr/sbin/selinuxenabled ; then
>> /usr/sbin/load_policy
>> %relabel_files
>> - /usr/sbin/semanage user -d DOMAINNAME_u
>> fi;
>> fi;
>> exit 0
>> --
>> 2.40.0
