
#
# spec file for package selinux-policy-sapenablement
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

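# Policy store that the booleans and the permissive domain set in %%post are
# written to.
%global selinuxtype targeted

Name:           selinux-policy-sapenablement
Version:        1
Release:        0
Summary:        SELinux policy changes for SAP
License:        MIT
# FIXME have a public resource
URL:            https://confluence.suse.com/display/~hsehic/SELinux+on+SLE16.0
Source1:        README.md
BuildArch:      noarch
# Presumably provides the %%selinux_set_booleans / %%selinux_unset_booleans
# macros and %%POLICYCOREUTILSVER used below -- confirm against the package.
BuildRequires:  selinux-policy
BuildRequires:  selinux-policy-%{selinuxtype}
# The %%post and %%postun scriptlets call semanage (policycoreutils-python-utils)
# as well as selinuxenabled and setenforce (selinux-tools). A plain Requires
# only orders the transaction as a whole; Requires(post)/Requires(postun)
# guarantees those packages are installed before the scriptlets run.
Requires(pre):  policycoreutils >= %{POLICYCOREUTILSVER}
Requires(post): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(postun): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(post): selinux-tools
Requires(postun): selinux-tools
Requires(post): policycoreutils-python-utils
Requires(postun): policycoreutils-python-utils
# The %{selinuxtype} policy store the scriptlets modify must exist as well.
Requires(post): selinux-policy-%{selinuxtype}
Requires:       selinux-tools
Requires:       selinux-policy
Requires:       selinux-policy-%{selinuxtype}
Requires:       policycoreutils-python-utils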

%description
SELinux policy changes for running SAP. Currently it applies the settings that
are needed, but still switches SELinux to permissive. Users can set it back to
enforcing to use the base policy module SUSE provides.

%prep

%build
# Nothing is compiled; the README is only copied into the build directory so
# that %%doc below can pick it up.
cp -a %{SOURCE1} .

%install

%check

%files
# The package ships no policy module of its own: every change is applied at
# install time by the %%post scriptlet (booleans, a permissive domain and the
# SELinux mode), so the README is the only packaged file.
%doc README.md

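%post
# Runs only on the first install ($1 == 1), never on upgrades.
if [ $1 -eq 1 ]; then
    # Booleans relaxing the %{selinuxtype} policy for the SAP setup; the
    # names are those of the base policy.
    %selinux_set_booleans -s %{selinuxtype} selinuxuser_execmod=1 unconfined_service_transition_to_unconfined_user=1 cluster_service_transition_to_unconfined_user=1

    # This boolean was introduced later and might not exist in the installed
    # policy. The pattern is anchored on the boolean name at the start of the
    # line so a mention of the name inside another boolean's description does
    # not count as a match. The listing is read to the end (redirect instead of
    # grep -q) so semanage never writes into a closed pipe.
    if semanage boolean -l | grep '^sap_service_transition_to_unconfined_user[[:space:]]' > /dev/null; then
        %selinux_set_booleans -s %{selinuxtype} sap_service_transition_to_unconfined_user=1
    fi

    # Run this single domain permissive: its denials are logged but not
    # blocked, independent of the global mode.
    semanage permissive -a snapper_grub_plugin_t

    # Switch the running system to permissive (skipped when SELinux is
    # disabled) ...
    selinuxenabled && setenforce 0

    # ... and persist that across reboots. Anchoring on ^SELINUX= keeps comment
    # lines that merely mention SELINUX= untouched; SELINUXTYPE= does not match
    # either. Denials are still logged in permissive mode, which is what lets
    # an administrator fix labels before going back to enforcing.
    sed -i -e 's/^SELINUX=.*/SELINUX=permissive/' %{_sysconfdir}/selinux/config
fi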

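%postun
# Runs only when the last instance is removed ($1 == 0), never on upgrades.
if [ $1 -eq 0 ]; then
    %selinux_unset_booleans -s %{selinuxtype} selinuxuser_execmod=1 unconfined_service_transition_to_unconfined_user=1 cluster_service_transition_to_unconfined_user=1

    # This boolean was introduced later and might not exist in the installed
    # policy. Anchored on the boolean name at the start of the line so a
    # mention of it in another boolean's description does not count; the
    # listing is read to the end so semanage never writes into a closed pipe.
    if semanage boolean -l | grep '^sap_service_transition_to_unconfined_user[[:space:]]' > /dev/null; then
        %selinux_unset_booleans -s %{selinuxtype} sap_service_transition_to_unconfined_user=1
    fi

    semanage permissive -d snapper_grub_plugin_t

    # Only flip an explicit "permissive" -- the state %%post left behind --
    # back to "enforcing". A system the administrator has meanwhile set to
    # "disabled" (or already back to "enforcing") is left as it is, so a
    # machine that was never enforcing is not forced into it on removal.
    # Anchoring on ^SELINUX= keeps comment lines and SELINUXTYPE= intact.
    sed -i -e 's/^SELINUX=permissive[[:space:]]*$/SELINUX=enforcing/' %{_sysconfdir}/selinux/config
    # Request a relabel on the next boot, but do not setenforce 1 right away:
    # files created while running permissive may carry wrong labels and would
    # be denied under enforcement until the relabel has happened.
    touch /etc/selinux/.autorelabel
fi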

%changelog
