* [PATCH] python/sepolicy: Add/remove user even when SELinux is disabled
@ 2023-05-29 16:17 Vit Mojzis
  2023-06-22  9:43 ` Petr Lautrbach
  0 siblings, 1 reply; 3+ messages in thread
From: Vit Mojzis @ 2023-05-29 16:17 UTC (permalink / raw)
  To: selinux

Use "semanage user -a/-d" in spec file generated by "sepolicy generate"
even when SELinux is disabled. The command works properly when SELinux
is disabled and with this change the user will be present once SELinux
is re-enabled.
Also, do not execute the command when the package is updated, only when
it is first installed.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 python/sepolicy/sepolicy/templates/spec.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/python/sepolicy/sepolicy/templates/spec.py b/python/sepolicy/sepolicy/templates/spec.py
index 16a22081..433c298a 100644
--- a/python/sepolicy/sepolicy/templates/spec.py
+++ b/python/sepolicy/sepolicy/templates/spec.py
@@ -43,20 +43,23 @@ install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAI
 
 %post
 semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp
+# Add the new user defined in DOMAINNAME_u only when the package is installed (not during updates)
+if [ $1 -eq 1 ]; then
+    /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u
+fi
 if /usr/sbin/selinuxenabled ; then
     /usr/sbin/load_policy
     %relabel_files
-    /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u
 fi;
 exit 0
 
 %postun
 if [ $1 -eq 0 ]; then
+    /usr/sbin/semanage user -d DOMAINNAME_u
     semodule -n -r MODULENAME
     if /usr/sbin/selinuxenabled ; then
        /usr/sbin/load_policy
        %relabel_files
-       /usr/sbin/semanage user -d DOMAINNAME_u
     fi;
 fi;
 exit 0
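Review bot: the new `if [ $1 -eq 1 ]` guard in %post only adds the user on first install, so a system where the package was first installed from the previous template while SELinux was disabled (the old code skipped `semanage user -a` inside the `selinuxenabled` branch) will never get DOMAINNAME_u on upgrade, because $1 is 2 there. Consider making the add idempotent instead of, or in addition to, gating on $1, e.g. `/usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u 2>/dev/null || /usr/sbin/semanage user -m -R DOMAINNAME_r DOMAINNAME_u`, so re-running it on upgrade is harmless; note too that the trailing `exit 0` swallows any semanage failure, so a missing user would go unnoticed. The %postun reorder (user deleted before `semodule -n -r`) is correct, since the role the user references is defined by the module being removed.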
-- 
2.40.0



* Re: [PATCH] python/sepolicy: Add/remove user even when SELinux is disabled
  2023-05-29 16:17 [PATCH] python/sepolicy: Add/remove user even when SELinux is disabled Vit Mojzis
@ 2023-06-22  9:43 ` Petr Lautrbach
  2023-06-27 14:04   ` Petr Lautrbach
  0 siblings, 1 reply; 3+ messages in thread
From: Petr Lautrbach @ 2023-06-22  9:43 UTC (permalink / raw)
  To: Vit Mojzis, selinux

Vit Mojzis <vmojzis@redhat.com> writes:

> Use "semanage user -a/-d" in spec file generated by "sepolicy generate"
> even when SELinux is disabled. The command works properly when SELinux
> is disabled and with this change the user will be present once SELinux
> is re-enabled.
> Also, do not execute the command when the package is updated, only when
> it is first installed.
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>

Acked-by: Petr Lautrbach <lautrbach@redhat.com>

* Re: [PATCH] python/sepolicy: Add/remove user even when SELinux is disabled
  2023-06-22  9:43 ` Petr Lautrbach
@ 2023-06-27 14:04   ` Petr Lautrbach
  0 siblings, 0 replies; 3+ messages in thread
From: Petr Lautrbach @ 2023-06-27 14:04 UTC (permalink / raw)
  To: Vit Mojzis, selinux

Petr Lautrbach <lautrbach@redhat.com> writes:

> Vit Mojzis <vmojzis@redhat.com> writes:
>
>> Use "semanage user -a/-d" in spec file generated by "sepolicy generate"
>> even when SELinux is disabled. The command works properly when SELinux
>> is disabled and with this change the user will be present once SELinux
>> is re-enabled.
>> Also, do not execute the command when the package is updated, only when
>> it is first installed.
>>
>> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>
> Acked-by: Petr Lautrbach <lautrbach@redhat.com>

merged, thanks!
