URL: https://github.com/freeipa/freeipa/pull/4422
Author: abbra
Title: #4422: [Backport][ipa-4-8] selinux: disable ipa_custodia when installing custom policy
Action: opened

PR body:
"""
This PR was opened automatically because PR #4418 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4422/head:pr4422
git checkout pr4422

From 2f46ad9e6ee5b4be64af759a1595ec092c9ec7f5 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmoj...@redhat.com>
Date: Mon, 23 Mar 2020 18:22:41 +0100
Subject: [PATCH] selinux: disable ipa_custodia when installing custom policy

Since ipa_custodia got integrated into ipa policy package, the upstream policy
module needs to be disabled before ipa module installation (in order to be able
to make changes to the ipa_custodia policy definitions).
Upstream ipa module gets overridden automatically because of higher priority of
the custom module, but there is no mechanism to automatically disable
ipa_custodia.

Related: https://pagure.io/freeipa/issue/6891
---
 freeipa.spec.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7d716a1392..e05d6b1538 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1032,11 +1032,13 @@ fi
 %selinux_relabel_pre -s %{selinuxtype}
 
 %post selinux
+semodule -d ipa_custodia &> /dev/null || true;
 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
 
 %postun selinux
 if [ $1 -eq 0 ]; then
     %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+    semodule -e ipa_custodia &> /dev/null || true;
 fi
 
 %posttrans selinux
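
Review bot: the `&> /dev/null` redirect on the added `semodule -d ipa_custodia` line in `%post selinux`, and again on the `semodule -e ipa_custodia` line in `%postun selinux`, is a bash extension; a strictly POSIX `/bin/sh` reads `&` as the background operator, so the command would run in the background with its output unredirected. Writing it as `semodule -d ipa_custodia >/dev/null 2>&1 || true` keeps the scriptlet portable. Separately, discarding both the output and the exit status means a failed disable is invisible, even though the commit message says the disable is required before the ipa module is installed; consider leaving stderr visible so the failure shows up in the transaction output. The `%postun` branch also re-enables ipa_custodia unconditionally on full removal, which will switch the module back on for a system where it was already disabled before this package was installed; a short comment in the spec noting that this is intended would help.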
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org