Message ID | 20230529161702.1920540-1-vmojzis@redhat.com (mailing list archive)
---|---
State | Accepted
Delegated to: | Petr Lautrbach
Series | python/sepolicy: Add/remove user even when SELinux is disabled
Vit Mojzis <vmojzis@redhat.com> writes: > Use "semanage user -a/-d" in spec file generated by "sepolicy generate" > even when SELinux is disabled. The command works properly when SELinux > is disabled and with this change the user will be present once SELinux > is re-enabled. > Also, do not execute the command when the package is updated, only when > it is first installed. > > Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Acked-by: Petr Lautrbach <lautrbach@redhat.com> > --- > python/sepolicy/sepolicy/templates/spec.py | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/python/sepolicy/sepolicy/templates/spec.py b/python/sepolicy/sepolicy/templates/spec.py > index 16a22081..433c298a 100644 > --- a/python/sepolicy/sepolicy/templates/spec.py > +++ b/python/sepolicy/sepolicy/templates/spec.py > @@ -43,20 +43,23 @@ install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAI > > %post > semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp > +# Add the new user defined in DOMAINNAME_u only when the package is installed (not during updates) > +if [ $1 -eq 1 ]; then > + /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u > +fi > if /usr/sbin/selinuxenabled ; then > /usr/sbin/load_policy > %relabel_files > - /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u > fi; > exit 0 > > %postun > if [ $1 -eq 0 ]; then > + /usr/sbin/semanage user -d DOMAINNAME_u > semodule -n -r MODULENAME > if /usr/sbin/selinuxenabled ; then > /usr/sbin/load_policy > %relabel_files > - /usr/sbin/semanage user -d DOMAINNAME_u > fi; > fi; > exit 0 > -- > 2.40.0
Petr Lautrbach <lautrbach@redhat.com> writes: > Vit Mojzis <vmojzis@redhat.com> writes: > >> Use "semanage user -a/-d" in spec file generated by "sepolicy generate" >> even when SELinux is disabled. The command works properly when SELinux >> is disabled and with this change the user will be present once SELinux >> is re-enabled. >> Also, do not execute the command when the package is updated, only when >> it is first installed. >> >> Signed-off-by: Vit Mojzis <vmojzis@redhat.com> > > Acked-by: Petr Lautrbach <lautrbach@redhat.com> merged, thanks! > >> --- >> python/sepolicy/sepolicy/templates/spec.py | 7 +++++-- >> 1 file changed, 5 insertions(+), 2 deletions(-) >> >> diff --git a/python/sepolicy/sepolicy/templates/spec.py b/python/sepolicy/sepolicy/templates/spec.py >> index 16a22081..433c298a 100644 >> --- a/python/sepolicy/sepolicy/templates/spec.py >> +++ b/python/sepolicy/sepolicy/templates/spec.py >> @@ -43,20 +43,23 @@ install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAI >> >> %post >> semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp >> +# Add the new user defined in DOMAINNAME_u only when the package is installed (not during updates) >> +if [ $1 -eq 1 ]; then >> + /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u >> +fi >> if /usr/sbin/selinuxenabled ; then >> /usr/sbin/load_policy >> %relabel_files >> - /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u >> fi; >> exit 0 >> >> %postun >> if [ $1 -eq 0 ]; then >> + /usr/sbin/semanage user -d DOMAINNAME_u >> semodule -n -r MODULENAME >> if /usr/sbin/selinuxenabled ; then >> /usr/sbin/load_policy >> %relabel_files >> - /usr/sbin/semanage user -d DOMAINNAME_u >> fi; >> fi; >> exit 0 >> -- >> 2.40.0
diff --git a/python/sepolicy/sepolicy/templates/spec.py b/python/sepolicy/sepolicy/templates/spec.py index 16a22081..433c298a 100644 --- a/python/sepolicy/sepolicy/templates/spec.py +++ b/python/sepolicy/sepolicy/templates/spec.py @@ -43,20 +43,23 @@ install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAI %post semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp +# Add the new user defined in DOMAINNAME_u only when the package is installed (not during updates) +if [ $1 -eq 1 ]; then + /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u +fi if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy %relabel_files - /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u fi; exit 0 %postun if [ $1 -eq 0 ]; then + /usr/sbin/semanage user -d DOMAINNAME_u semodule -n -r MODULENAME if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy %relabel_files - /usr/sbin/semanage user -d DOMAINNAME_u fi; fi; exit 0
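Review bot: the `semanage user -a -R DOMAINNAME_r DOMAINNAME_u` moved into the new `if [ $1 -eq 1 ]` block in %post is correctly no longer gated on `selinuxenabled`, but it still fails whenever DOMAINNAME_u is already present in the policy store (for example a reinstall after an earlier %postun that did not complete), and because the scriptlet ends in `exit 0` that failure is silent and the `-R DOMAINNAME_r` role assignment is never applied on that path. Consider falling back to a modify, `/usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u || /usr/sbin/semanage user -m -R DOMAINNAME_r DOMAINNAME_u`, or checking `semanage user -l` before adding. The %postun reordering that runs `/usr/sbin/semanage user -d DOMAINNAME_u` ahead of `semodule -n -r MODULENAME` is the right order, since the user has to be removed while DOMAINNAME_r still exists in the store; a one-line comment there, mirroring the one added in %post, would make that ordering dependency explicit for anyone editing the template later.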
Use "semanage user -a/-d" in spec file generated by "sepolicy generate" even when SELinux is disabled. The command works properly when SELinux is disabled and with this change the user will be present once SELinux is re-enabled. Also, do not execute the command when the package is updated, only when it is first installed. Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- python/sepolicy/sepolicy/templates/spec.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)