On 09/05/2014 12:06 AM, Dustin C. Hatch wrote:
On 09/02/2014 03:08 PM, Daniel J Walsh wrote:
On 08/27/2014 04:10 PM, Dustin C. Hatch wrote:

I have a SELinux module that I've packaged following the SELinux Policy
Modules Packaging Draft[1] on the Fedora wiki. This module is fairly
simple and just adjusts the contexts of some files. The package works
well, and automatically activates the module and fixes file labels when
it is installed on the running machine using Yum. Unfortunately, it does
not work as smoothly if it is installed during initial setup by
Anaconda. In this case, the module is available but not activated
automatically; I have to manually run `semodule -i …` and `restorecon`
on the first boot.

Is there a recommended way to automatically activate a module that was
installed from an additional package by Anaconda?

Any ideas or pointers would be greatly appreciated.

[1] http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

Where are you running semodule -i in your spec file?
In the %post scriptlet[1]:

for v in %{selinux_variants}; do
	/usr/sbin/semodule -s $v \
		-i %{_datadir}/selinux/$v/%{semodule_name}.pp >&- 2>&- || :
/sbin/restorecon -R %{basedir} || :

I changed the output redirection to send to a log, and I see this error

/usr/sbin/semodule: SELinux policy is not managed or store cannot be


I would go with

%define selinuxtype	targeted
%{_sbindir}/semodule -n -s %{selinuxtype} -i %{_datadir}/selinux/packages/%{modulename}.pp

if %{_sbindir}/selinuxenabled ; then