From 70e6647c92c89bc51306626a2dbc64752d40ffdb Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Thu, 27 Feb 2025 14:37:19 +0100
Subject: [PATCH] qm.spec: Fix packaing for other selinux policies

The current package hardcodes that post-install it will install the module to the "targeted" policy (but the macro only does this is it is also the active policy). This means if the active policy is something else, such as "automotive", then the qm module is not installed at all, and qm doesn't work. We fix this by always installing the module to the active selinux policy. This is how e.g. container-selinux does it. In addition we remove the hard post-require on selinux-policy-target and replace it with selinux-policy-any, which all selinux policy packages provide. We also add a recommendataion of selinux-policy-targeted, so most people get it. This is also what container-selinux does.

Signed-off-by: Alexander Larsson
---
 rpm/qm.spec | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/rpm/qm.spec b/rpm/qm.spec
index 71094558..54c95b62 100644
--- a/rpm/qm.spec
+++ b/rpm/qm.spec
@@ -6,8 +6,7 @@
 # Define the feature flag: 1 to enable, 0 to disable
 # By default it's disabled: 0

-# Some bits borrowed from the openstack-selinux package
-%global selinuxtype targeted
+# Some bits borrowed from the openstack-selinux and container-selinux packages
 %global moduletype services
 %global modulenames qm
 %global seccomp_json /usr/share/%{modulenames}/seccomp-no-rt.json
@@ -68,7 +67,8 @@ Requires: parted
 Requires: containers-common
 Requires: selinux-policy >= %_selinux_policy_version
 Requires(post): selinux-policy-base >= %_selinux_policy_version
-Requires(post): selinux-policy-targeted >= %_selinux_policy_version
+Requires(post): selinux-policy-any >= %_selinux_policy_version
+Recommends: selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires: podman >= %{podman_epoch}:4.5
@@ -104,9 +104,9 @@ install -d %{buildroot}%{_sysconfdir}/containers/containers.conf.d
 %{__make} DESTDIR=%{buildroot} DATADIR=%{_datadir} install

 %post
-# Install all modules in a single transaction
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
-%selinux_modules_install -s %{selinuxtype} $MODULES
+. %{_sysconfdir}/selinux/config
+%selinux_modules_install -s ${SELINUXTYPE} $MODULES
 # Execute the script to create seccomp rules after the package is installed
 /usr/share/qm/create-seccomp-rules
 /usr/share/qm/comment-tz-local # FIX-ME GH-issue: 367
@@ -123,7 +123,8 @@ fi
 %postun
 if [ $1 -eq 0 ]; then
 # This section executes only on package removal, not on upgrade
- %selinux_modules_uninstall -s %{selinuxtype} %{modulenames}
+ . %{_sysconfdir}/selinux/config
+ %selinux_modules_uninstall -s ${SELINUXTYPE} %{modulenames}
 if [ -f %{seccomp_json} ]; then
 /bin/rm -f %{seccomp_json}
 fi
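Review bot: In the `%post` hunk, the unguarded `. %{_sysconfdir}/selinux/config` and the bare `${SELINUXTYPE}` leave the scriptlet with no defined behaviour when the file is missing or does not set `SELINUXTYPE`, for example in a minimal image build. A failed `.` can abort a non-interactive POSIX shell before the seccomp rules are created. An empty value most likely means the qm module is not installed at all, so the QM containers would run without their intended SELinux confinement and nothing would report it. I would guard the read with `[ -r %{_sysconfdir}/selinux/config ] && . %{_sysconfdir}/selinux/config` and make the empty case visible with `[ -n "${SELINUXTYPE}" ] || echo "qm: SELINUXTYPE is not set, SELinux module not installed" >&2`. The same two lines appear in the `%postun` hunk, and the `%post` scriptlet continues past the end of this hunk.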
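Review bot: In the `%postun` hunk, the policy store is taken from whatever `SELINUXTYPE` is at removal time, which need not be the store the module was installed into. If the active policy was switched between install and removal, the qm module stays in the old store and would presumably be loaded again if that policy is re-activated. At minimum this limit should be documented next to the call, e.g. `# Removes the module from the currently active policy store only; a store that was active at install time is not cleaned up`. Recording the install-time type in `%post` and reusing it here would close the gap. The `if` block of `%postun` continues past the end of the hunk.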