On Fri, 2015-07-17 at 00:13 +0000, bcl wrote:

From: "Brian C. Lane" bcl@redhat.com

In order for selinux to properly label the system it needs to see that the config file exists.

Also remove the old code trying to copy in a selinux config file, it never worked -- the removepkg would remove it.

---

share/runtime-cleanup.tmpl | 5 +++++ share/runtime-postinstall.tmpl | 3 --- 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/share/runtime-cleanup.tmpl b/share/runtime-cleanup.tmpl index 1dc720c..8869656 100644 --- a/share/runtime-cleanup.tmpl +++ b/share/runtime-cleanup.tmpl @@ -26,6 +26,11 @@ removefrom dracut --allbut /usr/lib/dracut/modules.d/30convertfs/convertfs.sh \ /usr/lib/dracut/dracut-initramfs-restore ## we don't run SELinux (not in enforcing, anyway) removepkg checkpolicy selinux-policy libselinux-utils

+## selinux checks for the /etc/selinux/config file's existance +## The removepkg above removes it, create an empty one. See rhbz#1243168 +append etc/selinux/config ""

## anaconda has its own repo files removefrom fedora-release --allbut /etc/os-release /usr/lib/os -release \ /usr/lib/os.release.d/* diff --git a/share/runtime-postinstall.tmpl b/share/runtime -postinstall.tmpl index 83373bf..7c6ec4e 100644 --- a/share/runtime-postinstall.tmpl +++ b/share/runtime-postinstall.tmpl @@ -61,9 +61,6 @@ install ${configdir}/sysctl.conf etc/sysctl.d/anaconda.conf install ${configdir}/spice-vdagentd etc/sysconfig mkdir etc/NetworkManager/conf.d install ${configdir}/91-anaconda-autoconnect-slaves.conf etc/NetworkManager/conf.d -%if exists(root+"/etc/selinux/targeted"):

• install ${configdir}/selinux.config etc/selinux/config

-%endif

## set up sshd install ${configdir}/sshd_config.anaconda etc/ssh

As the one who figured out the problem here, this looks good to me, it's pretty much exactly what I had in mind. Yes, it's a bit silly that libselinux simply checks whether the file exists (so a completely empty file fools it), but that is definitely what it does, I checked that.