Daniel J Walsh wrote:
Paul Howarth wrote:
> *** post-install scriptlet installs policy modules and fixes contexts:
>
> %if %{selinux_module}
> %post
> # Install SELinux policy modules
> if [ -x /usr/sbin/semodule ]; then
>   for selinuxvariant in %{selinux_variants}
>   do
>     /usr/sbin/semodule -s ${selinuxvariant} -i \
>       %{_datadir}/selinux/${selinuxvariant}/contagged.pp \
>       &> /dev/null || :
>   done
> fi
Does this fail silently if the policy package is not installed?
I believe semodule will output "semodule: SELinux policy is not managed
or store cannot be accessed.", hence the redirection of all output to
/dev/null and the "|| :" to ignore the semodule exit code.
> # Fix up non-standard directory context
> [ -x /sbin/restorecon ] && /sbin/restorecon \
>   %{_localstatedir}/cache/contagged || :
> %endif
>
>
> *** pre-uninstall script removes policy modules (and removes app's
> cache, not SELinux-related)):
>
> %postun
> # Clean up after package removal
> if [ $1 -eq 0 ]; then
>   # Clean out the cache
>   %{__rm} -f %{_localstatedir}/cache/contagged/*.tpl.php
>   /bin/rmdir %{_localstatedir}/cache/contagged &> /dev/null || :
> %if %{selinux_module}
>   # Remove SELinux policy modules
>   if [ -x /usr/sbin/semodule ]; then
>     for selinuxvariant in %{selinux_variants}
>     do
>       /usr/sbin/semodule -s ${selinuxvariant} -r contagged || :
>     done
>   fi
You might need to fixup contexts here also, if you leave anything behind.
Good point. So in this case I'd need:
/sbin/restorecon -Rh %{_localstatedir}/cache/contagged || :
> Dan also comments in #190561 that "you only need to install it with
> semodule, you do not need to install the pp file"; I don't get this, as
> how will semodule be able to access the .pp file if it isn't installed
> with the package...
Sorry, you are right. The only thing is you should not put the pp file
in /usr/share/selinux/VARIANT, as the current policy package does a
semodule -i of all pp files in that directory (which I should really
change). So if someone does a semodule -r later, the policy upgrade will
reinstall it.
Ah, I saw the clamav.pp in there and assumed it was from an Extras
package but it's not. There probably needs to be a separate hierarchy
for package modules then, perhaps:
/usr/share/selinux/packages/VARIANT/
and the .pp files go in there. And if it's the same .pp file for all
variants, it would go in /usr/share/selinux/packages/share/ instead.
My point about the pp file is that you do not need to leave it on disk
or even use it again after it has been installed. As a matter of fact
semodule copies the pp file to
/etc/selinux/VARIANT/modules/active/modules/
From a package management point of view, it's probably best (and
certainly easiest) to just install it as a regular file and then it'll
get removed if the package is removed. It's not as if it's saving a huge
amount of disk space.
Paul.
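The %post/%postun logic from this thread, with the two follow-ups folded in (restorecon after module removal, and .pp files kept under the proposed /usr/share/selinux/packages/VARIANT/ layout rather than the directory the base policy re-installs wholesale), as plain shell functions. This is an added example, not code from the thread or from the contagged package; the function names, the PP_ROOT layout and the overridable tool paths are assumptions made so the scriptlets can be exercised without a real policy store.

```shell
#!/bin/sh
# Added example: RPM scriptlet logic for SELinux policy modules as shell
# functions. Tool paths are overridable (assumption) so the behaviour can be
# checked on a host without semodule/restorecon or a managed policy store.
SEMODULE=${SEMODULE:-/usr/sbin/semodule}
RESTORECON=${RESTORECON:-/sbin/restorecon}
# Hypothetical per-package module location proposed in the thread.
PP_ROOT=${PP_ROOT:-/usr/share/selinux/packages}

# %post: install one module per policy variant. Output is discarded and the
# exit status ignored so a host where "SELinux policy is not managed"
# (semodule prints an error and exits non-zero) does not fail the install.
selinux_post() {
    module="$1"; variants="$2"; cache_dir="$3"
    if [ -x "$SEMODULE" ]; then
        for v in $variants; do
            "$SEMODULE" -s "$v" -i "$PP_ROOT/$v/$module.pp" >/dev/null 2>&1 || :
        done
    fi
    # The cache directory has a non-standard context, so relabel it now that
    # the module's file contexts are loaded.
    [ -x "$RESTORECON" ] && "$RESTORECON" "$cache_dir" >/dev/null 2>&1 || :
    return 0
}

# %postun: $1 is the number of package instances left after the transaction,
# so 0 means erase rather than upgrade. Only then remove the modules, and
# relabel anything left behind so it does not keep a type the policy no
# longer defines.
selinux_postun() {
    remaining="$1"; module="$2"; variants="$3"; cache_dir="$4"
    [ "$remaining" -eq 0 ] || return 0
    if [ -x "$SEMODULE" ]; then
        for v in $variants; do
            "$SEMODULE" -s "$v" -r "$module" >/dev/null 2>&1 || :
        done
    fi
    [ -d "$cache_dir" ] && [ -x "$RESTORECON" ] && \
        "$RESTORECON" -Rh "$cache_dir" >/dev/null 2>&1 || :
    return 0
}
```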