Accepting request 1198764 from security:SELinux

- Fix macros.selinux-policy (bsc#1229132) - %selinux_modules_install and %selinux_modules_uninstall will now only execute load_policy if $TRANSACTIONAL_UPDATE is not set (aka only if they are not in a transactional system) - $TRANSACTIONAL_UPDATE is set here: bd524d3ddf/lib/Transaction.cpp (L428) - Disable build of the MLS policy. We currently don't know if it works and don't want to encourage users to apply it OBS-URL: https://build.opensuse.org/request/show/1198764 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=77
2024-09-05 13:46:23 +00:00 · 2024-09-05 13:46:23 +00:00 · b2a6a4d472
commit b2a6a4d472
parent 7f06e6d1b3 3d27365c20
3 changed files with 30 additions and 3 deletions
--- a/macros.selinux-policy
+++ b/macros.selinux-policy
@ -60,7 +60,11 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
-  %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+  if %{_sbindir}/selinuxenabled; then \
+    if [ -z "${TRANSACTIONAL_UPDATE}" ]; then \
+      %{_sbindir}/load_policy || : \
+    fi \
+  fi \
 fi \
 %{nil}

@ -76,7 +80,11 @@ fi \
 if [ $1 -eq 0 ]; then \
  if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
    %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
-    %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+    if %{_sbindir}/selinuxenabled; then \
+      if [ -z "${TRANSACTIONAL_UPDATE}" ]; then \
+        %{_sbindir}/load_policy || : \
+      fi \
+    fi \
  fi \
 fi \
 %{nil}
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Sep  4 13:07:52 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+
+- Fix macros.selinux-policy (bsc#1229132)
+  - %selinux_modules_install and %selinux_modules_uninstall will
+    now only execute load_policy if $TRANSACTIONAL_UPDATE is not set
+    (aka only if they are not in a transactional system)
+  - $TRANSACTIONAL_UPDATE is set here:
+    https://github.com/openSUSE/transactional-update/blob/bd524d3ddfcd9aeebb7b90d3e0e8eed09b796a86/lib/Transaction.cpp#L428
+
+-------------------------------------------------------------------
+Tue Sep  3 09:45:12 UTC 2024 - Johannes Segitz <jsegitz@suse.com>
+
+- Disable build of the MLS policy. We currently don't know if it works
+  and don't want to encourage users to apply it
+
 -------------------------------------------------------------------
 Tue Sep 03 07:57:18 UTC 2024 - cathy.hu@suse.com

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -24,7 +24,10 @@
 %define monolithic n
 %define BUILD_TARGETED 1
 %define BUILD_MINIMUM 1
-%define BUILD_MLS 1
+# At the moment we don't build the MLS policy. We didn't do any testing for this and have no
+# confidence that it works. Feel free to branch the package and enable it, but be aware that
+# you're on your own
+%define BUILD_MLS 0

 %define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils)
 %define CHECKPOLICYVER %POLICYCOREUTILSVER