| |
@@ -29,7 +29,7 @@
|
| |
Summary: SELinux policy configuration
|
| |
Name: selinux-policy
|
| |
Version: 3.14.5
|
| |
- Release: 3%{?dist}
|
| |
+ Release: 4%{?dist}
|
| |
License: GPLv2+
|
| |
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
|
| |
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
|
| |
@@ -270,7 +270,9 @@
|
| |
%nil
|
| |
|
| |
%define relabel() \
|
| |
- . %{_sysconfdir}/selinux/config; \
|
| |
+ if [ -e %{_sysconfdir}/selinux/config ]; then \
|
| |
+ . %{_sysconfdir}/selinux/config; \
|
| |
+ fi; \
|
| |
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
| |
/usr/sbin/selinuxenabled; \
|
| |
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
|
| |
@@ -286,7 +288,9 @@
|
| |
if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/ganesha ]; then \
|
| |
%{_sbindir}/semodule -n -d ganesha; \
|
| |
fi; \
|
| |
- . %{_sysconfdir}/selinux/config; \
|
| |
+ if [ -e %{_sysconfdir}/selinux/config ]; then \
|
| |
+ . %{_sysconfdir}/selinux/config; \
|
| |
+ fi; \
|
| |
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
| |
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
|
| |
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
|
| |
@@ -303,7 +307,9 @@
|
| |
fi;
|
| |
|
| |
%define postInstall() \
|
| |
- . %{_sysconfdir}/selinux/config; \
|
| |
+ if [ -e %{_sysconfdir}/selinux/config ]; then \
|
| |
+ . %{_sysconfdir}/selinux/config; \
|
| |
+ fi; \
|
| |
if [ -e /etc/selinux/%2/.rebuild ]; then \
|
| |
rm /etc/selinux/%2/.rebuild; \
|
| |
/usr/sbin/semodule -B -n -s %2; \
|
| |
@@ -569,7 +575,7 @@
|
| |
|
| |
%postun targeted
|
| |
if [ $1 = 0 ]; then
|
| |
- source /etc/selinux/config
|
| |
+ [ -e /etc/selinux/config ] && source /etc/selinux/config
|
| |
if [ "$SELINUXTYPE" = "targeted" ]; then
|
| |
setenforce 0 2> /dev/null
|
| |
if [ ! -s /etc/selinux/config ]; then
|
| |
@@ -679,7 +685,7 @@
|
| |
|
| |
%postun minimum
|
| |
if [ $1 = 0 ]; then
|
| |
- source /etc/selinux/config
|
| |
+ [ -e /etc/selinux/config ] && source /etc/selinux/config
|
| |
if [ "$SELINUXTYPE" = "minimum" ]; then
|
| |
setenforce 0 2> /dev/null
|
| |
if [ ! -s /etc/selinux/config ]; then
|
| |
@@ -750,7 +756,7 @@
|
| |
|
| |
%postun mls
|
| |
if [ $1 = 0 ]; then
|
| |
- source /etc/selinux/config
|
| |
+ [ -e /etc/selinux/config ] && source /etc/selinux/config
|
| |
if [ "$SELINUXTYPE" = "mls" ]; then
|
| |
setenforce 0 2> /dev/null
|
| |
if [ ! -s /etc/selinux/config ]; then
|
| |
@@ -787,6 +793,9 @@
|
| |
%endif
|
| |
|
| |
%changelog
|
| |
+ * Wed Sep 18 2019 Terje Rosten <terje.rosten@ntnu.no> - 3.14.5-4
|
| |
+ - Add patch to reduce impact of rhbz#1723940
|
| |
+
|
| |
* Fri Sep 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-3
|
| |
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
|
| |
- Allow gssproxy_t domain read state of all processes on system
|
| |
terjeros
commented 4 years ago
for this problem.
Protection is required as a failure in scriptlet will cause havoc in a
(possibly) large package set transaction (during e.g. initial
install).
[1]: /etc/selinux/config is not shipped as a normal file, it's created
by selinux-policy %post scriptlet. There no way for other packages to
make sure their post scriptlets is run before selinux-policy post
scriptlets is done executing. If selinux-policy is large and slow,
creation of required file will be after other packages scripts needs
it. With current design it's not possible to handle race condition
without protection added here.
"Solution" here is a just stop gap to reduce impact.