[ovs-dev,v3,6/6] rhel: selinux-policy to invoke proper label macros

Message ID 20180601182849.12984-7-aconole@redhat.com
State Accepted
Series
  • selinux: introduce a transition domain for loading kmods

Commit Message

Aaron Conole June 1, 2018, 6:28 p.m.
The rpm doesn't invoke all of the required selinux helpers to enact labeling
or relabeling on all versions of Fedora/RHEL.  According to:
  https://fedoraproject.org/wiki/SELinux/IndependentPolicy

This commit switches to use the selinux rpm macros which will ensure that
all of the labels defined in the .fc.in file are applied properly.

Acked-by: Ansis Atteka <attekka@ovn.org>
Acked-By: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 rhel/openvswitch-fedora.spec.in | 10 ++++++++--
 rhel/openvswitch.spec.in        | 10 ++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)

Patch

diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index 151a1aa85..81cf3a2d5 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -341,6 +341,9 @@  rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
 %clean
 rm -rf $RPM_BUILD_ROOT
 
+%pre selinux-policy
+%selinux_relabel_pre -s targeted
+
 %preun
 %if 0%{?systemd_preun:1}
     %systemd_preun %{name}.service
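Review bot: `%selinux_relabel_pre` is called unguarded in the new `%pre selinux-policy`, while the `%preun` directly below wraps `%systemd_preun` in `%if 0%{?systemd_preun:1}`. If the build host lacks the SELinux RPM macros, the line would presumably be left unexpanded in the scriptlet and fail at install time, and a failing `%pre` stops the package from installing. The hunks do not show whether the subpackage declares `BuildRequires: selinux-policy-devel` and `%{?selinux_requires}`; either confirm they are present or guard the calls the same way, e.g. `%if 0%{?selinux_relabel_pre:1}`. The same applies to the other three macro calls in this file and to the four in rhel/openvswitch.spec.in, whose chkconfig usage suggests it is also built for older RHEL releases.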
@@ -451,7 +454,7 @@  fi
 %endif
 
 %post selinux-policy
-/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
+%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
 
 %postun
 %if 0%{?systemd_postun:1}
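Review bot: The policy store is hard-coded as `-s targeted` in the new `%post selinux-policy` line, whereas the removed `semodule -i` call named no store and so acted on whichever policy was active. As far as I can tell the macro only acts when the host's SELINUXTYPE matches the given store, so hosts running another policy type would no longer get openvswitch-custom loaded; if that is intended, a short comment saying so would help. The literal is also repeated in every new macro call in both spec files; defining `%global selinuxtype targeted` once and passing `-s %{selinuxtype}` keeps them in step. The enclosing `%postun` section continues outside the hunk.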
@@ -483,9 +486,12 @@  fi
 
 %postun selinux-policy
 if [ $1 -eq 0 ] ; then
-  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
+  %selinux_modules_uninstall -s targeted openvswitch-custom
 fi
 
+%posttrans selinux-policy
+%selinux_relabel_post -s targeted
+
 %files selinux-policy
 %defattr(-,root,root)
 %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
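Review bot: The uninstall branch of `%postun selinux-policy` removes the module, but no relabel follows it: as far as I know `%posttrans` is not run for a package that is being erased, so `%selinux_relabel_post` covers only install and upgrade. Files that carried types from openvswitch-custom may then keep stale labels until the next full relabel. Consider whether the `[ $1 -eq 0 ]` branch needs its own relabel step, and add a comment above the new section such as `# relabel is deferred to posttrans so it runs after the whole transaction`. The same layout is added in the last hunk of rhel/openvswitch.spec.in.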
diff --git a/rhel/openvswitch.spec.in b/rhel/openvswitch.spec.in
index 883d25607..9dca3873b 100644
--- a/rhel/openvswitch.spec.in
+++ b/rhel/openvswitch.spec.in
@@ -169,8 +169,11 @@  fi
 /sbin/chkconfig --add openvswitch
 /sbin/chkconfig openvswitch on
 
+%pre selinux-policy
+%selinux_relabel_pre -s targeted
+
 %post selinux-policy
-/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
+%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
 
 %preun
 if [ "$1" = "0" ]; then     # $1 = 0 for uninstall
@@ -187,11 +190,14 @@  fi
 
 %postun selinux-policy
 if [ $1 -eq 0 ] ; then
-  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
+  %selinux_modules_uninstall -s targeted openvswitch-custom
 fi
 
 exit 0
 
+%posttrans selinux-policy
+%selinux_relabel_post -s targeted
+
 %files
 %defattr(-,root,root)
 %dir /etc/openvswitch