diff --git a/build/postInstall_storage_engine.sh b/build/postInstall_storage_engine.sh
index dc5d0e96d..a98db2f9a 100644
--- a/build/postInstall_storage_engine.sh
+++ b/build/postInstall_storage_engine.sh
@@ -8,3 +8,19 @@ fi
 mkdir -p /var/lib/columnstore/local
 columnstore-post-install --rpmmode=$rpmmode
+# Attempt to load ColumnStore SELinux policy (best-effort, no hard dependency)
+POLICY_PATH="/usr/share/columnstore/policy/selinux/columnstore.pp"
+if command -v getenforce >/dev/null 2>&1 && command -v semodule >/dev/null 2>&1; then
+ MODE=$(getenforce 2>/dev/null || echo Disabled)
+ case "$MODE" in
+ Enforcing|Permissive)
+ if [ -r "$POLICY_PATH" ]; then
+ semodule -i "$POLICY_PATH" || true
+ fi
+ ;;
+ *)
+ :
+ ;;
+ esac
+fi
+
diff --git a/build/preUn_storage_engine.sh b/build/preUn_storage_engine.sh
index b0e6fd721..75ffaea19 100644
--- a/build/preUn_storage_engine.sh
+++ b/build/preUn_storage_engine.sh
@@ -10,6 +10,13 @@ fi
 if [ $rpmmode = erase ]; then
 columnstore-pre-uninstall
+
+ # Best-effort removal of ColumnStore SELinux policy on erase
+ if command -v semodule >/dev/null 2>&1; then
+ if semodule -l 2>/dev/null | grep -q '^columnstore\b'; then
+ semodule -r columnstore || true
+ fi
+ fi
 fi
 exit 0
diff --git a/build/selinux_policy_rpm_post.sh b/build/selinux_policy_rpm_post.sh
deleted file mode 100644
index 0e77e2465..000000000
--- a/build/selinux_policy_rpm_post.sh
+++ /dev/null
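Review bot: `semodule -i "$POLICY_PATH" || true` discards the failure, so a host in Enforcing mode whose policy did not load ends up with ColumnStore running outside its intended confinement (or denied by the default policy) with nothing in the install log to show it; the same silent swallow is on `semodule -r columnstore || true` in the preUn_storage_engine.sh hunk, where a stale module is left behind unnoticed. Keeping the package scriptlet non-fatal is right, but the failure should at least reach stderr: `semodule -i "$POLICY_PATH" || echo "warning: failed to load SELinux policy $POLICY_PATH" >&2`. The `*) : ;;` arm does nothing and can be dropped, since a case statement with no matching pattern simply continues. The script's earlier lines, including where `rpmmode` is set, are outside the hunk, so whether the new `MODE` variable collides with anything already used there cannot be seen from here.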
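Review bot: The existence check `grep -q '^columnstore\b'` is looser than the module name it guards: `\b` also matches a module named `columnstore-anything`, and `\b` is a GNU extension that POSIX BRE leaves undefined, so the test is only reliable on GNU grep. As far as I recall, `semodule -l` on recent policycoreutils prints one module name per line, in which case `grep -qx columnstore` is both exact and portable; if older builds that print a version column after the name must still be supported, `awk '$1 == "columnstore" { f = 1 } END { exit !f }'` covers both formats. Note that the pre-check only suppresses the error text `semodule -r` would print for a missing module, since `|| true` already keeps the removal non-fatal. The enclosing `if [ $rpmmode = erase ]` block is fully inside the hunk, but the script's head, where `rpmmode` is derived, is not.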
@@ -1,28 +0,0 @@
-#!/bin/sh
-# Post-install script to load ColumnStore SELinux policy if SELinux is enabled
-# This script must not introduce new runtime dependencies; it only uses coreutils and typical SELinux tools if present.
-
-set -e
-
-POLICY_PATH="/usr/share/columnstore/policy/selinux/columnstore.pp"
-
-# If SELinux tooling is not present, or policy file missing, silently exit
-command -v getenforce >/dev/null 2>&1 || exit 0
-command -v semodule >/dev/null 2>&1 || exit 0
-
-# Only attempt to install when SELinux is enforcing or permissive
-MODE=$(getenforce 2>/dev/null || echo Disabled)
-case "$MODE" in
- Enforcing|Permissive)
- if [ -r "$POLICY_PATH" ]; then
- # Install or upgrade the module; do not fail the entire package if this fails
- semodule -i "$POLICY_PATH" || true
- fi
- ;;
- *)
- # Disabled or unknown, do nothing
- :
- ;;
-esac
-
-exit 0
diff --git a/build/selinux_policy_rpm_postun.sh b/build/selinux_policy_rpm_postun.sh
deleted file mode 100644
index 10b8df5a0..000000000
--- a/build/selinux_policy_rpm_postun.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-# Post-uninstall script to remove ColumnStore SELinux policy module if present
-# No new runtime dependencies; use SELinux tools only if available.
-
-set -e
-
-# If SELinux tooling is not present, silently exit
-command -v semodule >/dev/null 2>&1 || exit 0
-
-# Remove the module if it is installed; do not fail package removal if this fails
-if semodule -l 2>/dev/null | grep -q '^columnstore\b'; then
- semodule -r columnstore || true
-fi
-
-exit 0
diff --git a/cmake/selinux_policy.cmake b/cmake/selinux_policy.cmake
index 7382660da..5818121a9 100644
--- a/cmake/selinux_policy.cmake
+++ b/cmake/selinux_policy.cmake
@@ -63,38 +63,3 @@ install(
 COMPONENT columnstore-engine
 )
-# Register RPM post-install and post-uninstall scripts for the component
-set(_selinux_post "${CMAKE_CURRENT_LIST_DIR}/../build/selinux_policy_rpm_post.sh")
-set(_selinux_postun "${CMAKE_CURRENT_LIST_DIR}/../build/selinux_policy_rpm_postun.sh")
-
-# POST_INSTALL: preserve existing script if set by wrapping it
-if(EXISTS "${_selinux_post}")
- if(DEFINED CPACK_RPM_columnstore-engine_POST_INSTALL_SCRIPT_FILE
- AND CPACK_RPM_columnstore-engine_POST_INSTALL_SCRIPT_FILE
- )
- set(_orig_post "${CPACK_RPM_columnstore-engine_POST_INSTALL_SCRIPT_FILE}")
- set(_wrap_post "${SELINUX_BUILD_DIR}/post_install_wrapper.sh")
- file(WRITE "${_wrap_post}" "#!/bin/sh\n\n'${_orig_post}' \"$@\" || true\n'${_selinux_post}' \"$@\" || true\n")
- execute_process(COMMAND ${CMAKE_COMMAND} -E chmod +x "${_wrap_post}")
- set(CPACK_RPM_columnstore-engine_POST_INSTALL_SCRIPT_FILE "${_wrap_post}")
- else()
- set(CPACK_RPM_columnstore-engine_POST_INSTALL_SCRIPT_FILE "${_selinux_post}")
- endif()
-endif()
-
-# POST_UNINSTALL: preserve existing script if set by wrapping it
-if(EXISTS "${_selinux_postun}")
- if(DEFINED CPACK_RPM_columnstore-engine_POST_UNINSTALL_SCRIPT_FILE
- AND CPACK_RPM_columnstore-engine_POST_UNINSTALL_SCRIPT_FILE
- )
- set(_orig_postun "${CPACK_RPM_columnstore-engine_POST_UNINSTALL_SCRIPT_FILE}")
- set(_wrap_postun "${SELINUX_BUILD_DIR}/post_uninstall_wrapper.sh")
- file(WRITE "${_wrap_postun}"
- "#!/bin/sh\n\n'${_orig_postun}' \"$@\" || true\n'${_selinux_postun}' \"$@\" || true\n"
- )
- execute_process(COMMAND ${CMAKE_COMMAND} -E chmod +x "${_wrap_postun}")
- set(CPACK_RPM_columnstore-engine_POST_UNINSTALL_SCRIPT_FILE "${_wrap_postun}")
- else()
- set(CPACK_RPM_columnstore-engine_POST_UNINSTALL_SCRIPT_FILE "${_selinux_postun}")
- endif()
-endif()