Overview

File selinux-policy-sapenablement.spec of Package selinux-policy-sapenablement

#
# spec file for package selinux-policy-gaming
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

%global selinuxtype targeted

Name:           selinux-policy-sapenablement
Version:        1
Release:        0
Summary:        SELinux policy changes for SAP
License:        MIT
# FIXME have a public ressource
URL:            https://confluence.suse.com/display/~hsehic/SELinux+on+SLE16.0
Source1:        README.md
BuildArch:      noarch
BuildRequires:  selinux-policy
BuildRequires:  selinux-policy-%{selinuxtype}
Requires:       selinux-tools
Requires:       selinux-policy
Requires:       selinux-policy-%{selinuxtype}
Requires:       policycoreutils-python-utils

%description
SELinux policy changes for running SAP. Currently it sets the settings that are
needed, but still disables SELinux. Users can enable it again to use the base
policy module SUSE provides

%prep

%build
cp -a %{SOURCE1} .

%install

%check

%files
%doc README.md

%post
# first install
if [ $1 -eq 1 ]; then
    %{_sbindir}/update-bootloader --del-option "selinux" || :
    %{_sbindir}/update-bootloader --add-option "selinux=0" || :
    %{_sbindir}/update-bootloader --config || :

    %selinux_set_booleans -s %{selinuxtype} selinuxuser_execmod=1 unconfined_service_transition_to_unconfined_user=1 cluster_service_transition_to_unconfined_user=1

    semanage permissive -a snapper_grub_plugin_t
fi

%postun
if [ $1 -eq 0 ]; then
    %{_sbindir}/update-bootloader --del-option "selinux=0" || :
    %{_sbindir}/update-bootloader --config || :

    # ensure the system get's relabelled
    touch /etc/selinux/.autorelabel

    %selinux_unset_booleans -s %{selinuxtype} selinuxuser_execmod=1 unconfined_service_transition_to_unconfined_user=1 cluster_service_transition_to_unconfined_user=1

    semanage permissive -d snapper_grub_plugin_t
fi

%changelog
openSUSE Build Service is sponsored by
Places