From: Petr Lautrbach <lautrbach@redhat.com>
To: Vit Mojzis <vmojzis@redhat.com>, selinux@vger.kernel.org
Subject: Re: [PATCH] python/sepolicy: Add/remove user even when SELinux is disabled
Date: Tue, 27 Jun 2023 16:04:22 +0200
Message-ID: <87y1k50zo9.fsf@redhat.com>
In-Reply-To: <87r0q36dd1.fsf@redhat.com>
Petr Lautrbach <lautrbach@redhat.com> writes:
> Vit Mojzis <vmojzis@redhat.com> writes:
>
>> Use "semanage user -a/-d" in spec file generated by "sepolicy generate"
>> even when SELinux is disabled. The command works properly when SELinux
>> is disabled and with this change the user will be present once SELinux
>> is re-enabled.
>> Also, do not execute the command when the package is updated, only when
>> it is first installed.
>>
>> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>
> Acked-by: Petr Lautrbach <lautrbach@redhat.com>
merged, thanks!
>
>> ---
>> python/sepolicy/sepolicy/templates/spec.py | 7 +++++--
>> 1 file changed, 5 insertions(+), 2 deletions(-)
>>
>> diff --git a/python/sepolicy/sepolicy/templates/spec.py b/python/sepolicy/sepolicy/templates/spec.py
>> index 16a22081..433c298a 100644
>> --- a/python/sepolicy/sepolicy/templates/spec.py
>> +++ b/python/sepolicy/sepolicy/templates/spec.py
>> @@ -43,20 +43,23 @@ install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAI
>>
>> %post
>> semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp
>> +# Add the new user defined in DOMAINNAME_u only when the package is installed (not during updates)
>> +if [ $1 -eq 1 ]; then
>> + /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u
>> +fi
>> if /usr/sbin/selinuxenabled ; then
>> /usr/sbin/load_policy
>> %relabel_files
>> - /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u
>> fi;
>> exit 0
>>
>> %postun
>> if [ $1 -eq 0 ]; then
>> + /usr/sbin/semanage user -d DOMAINNAME_u
>> semodule -n -r MODULENAME
>> if /usr/sbin/selinuxenabled ; then
>> /usr/sbin/load_policy
>> %relabel_files
>> - /usr/sbin/semanage user -d DOMAINNAME_u
>> fi;
>> fi;
>> exit 0
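Review bot: in the %post part of this hunk, the new `if [ $1 -eq 1 ]` guard leaves a gap on the update path: a system that installed a build from the old template while SELinux was disabled never ran the add (it sat inside `if /usr/sbin/selinuxenabled`), and an update to a build from this template skips `semanage user -a` because $1 is no longer 1, so DOMAINNAME_u stays missing. Either state that limitation in the template comment or handle updates by adding the user when it is not already defined. Both scriptlets also end in `exit 0`, so a failing `semanage user -a` or `semanage user -d` goes unnoticed; printing a message to stderr on failure would help when diagnosing a missing or leftover user. In %postun the delete now runs before `semodule -n -r MODULENAME`; a one-line comment there, like the one added in %post, would tell the reader whether that ordering is intentional.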
>> --
>> 2.40.0