From patchwork Mon May 29 16:17:02 2023
X-Patchwork-Submitter: Vit Mojzis
X-Patchwork-Id: 13258773
X-Patchwork-Delegate: plautrba@redhat.com
From: Vit Mojzis
To: selinux@vger.kernel.org
Subject: [PATCH] python/sepolicy: Add/remove user even when SELinux is disabled
Date: Mon, 29 May 2023 18:17:02 +0200
Message-Id: <20230529161702.1920540-1-vmojzis@redhat.com>

Use "semanage user -a/-d" in the spec file generated by "sepolicy generate"
even when SELinux is disabled. The command works properly when SELinux is
disabled and with this change the user will be present once SELinux is
re-enabled.

Also, do not execute the command when the package is updated, only when it
is first installed.

Signed-off-by: Vit Mojzis
Acked-by: Petr Lautrbach
---
 python/sepolicy/sepolicy/templates/spec.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/python/sepolicy/sepolicy/templates/spec.py b/python/sepolicy/sepolicy/templates/spec.py
index 16a22081..433c298a 100644
--- a/python/sepolicy/sepolicy/templates/spec.py
+++ b/python/sepolicy/sepolicy/templates/spec.py
@@ -43,20 +43,23 @@ install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAI %post semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp +# Add the new user defined in DOMAINNAME_u only when the package is installed (not during updates) +if [ $1 -eq 1 ]; then + /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u +fi if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy %relabel_files - /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u fi; exit 0 %postun if [ $1 -eq 0 ]; then + /usr/sbin/semanage user -d DOMAINNAME_u semodule -n -r MODULENAME if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy %relabel_files - /usr/sbin/semanage user -d DOMAINNAME_u fi; fi; exit 0
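Review bot: the new unconditional `/usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u` in %post has no handling for the case where DOMAINNAME_u is already defined in the policy store, and that case is now reachable from this very template: before this change `semanage user -d DOMAINNAME_u` only ran inside the `if /usr/sbin/selinuxenabled` guard in %postun, so a package removed while SELinux was disabled leaves the user behind, and reinstalling it (`$1 -eq 1` again) will make `semanage user -a` fail with an "already defined" error. The scriptlet still ends in `exit 0`, so the install succeeds, but the error is printed to the user and the role binding is not refreshed. Consider guarding the add, e.g. `/usr/sbin/semanage user -l | grep -q '^DOMAINNAME_u ' || /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u`, or falling back to `semanage user -m` on failure. The %postun ordering (delete the user before `semodule -n -r MODULENAME`) is the right way round, since the user references DOMAINNAME_r from that module; it would be worth saying so in the commit message, as it is a behaviour change beyond the `selinuxenabled` guard.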