fix(installation): set selinux policy handling to the existing build/postInstall_storage_engine.sh and build/preUn_storage_engine.sh

2025-11-03 17:13:17 +03:00 · 2025-08-28 06:48:12 +00:00
parent 06889082f1
commit 3fea9bf825
5 changed files with 23 additions and 78 deletions
--- a/build/postInstall_storage_engine.sh
+++ b/build/postInstall_storage_engine.sh
@@ -8,3 +8,19 @@ fi
 mkdir -p /var/lib/columnstore/local
 columnstore-post-install --rpmmode=$rpmmode

+# Attempt to load ColumnStore SELinux policy (best-effort, no hard dependency)
+POLICY_PATH="/usr/share/columnstore/policy/selinux/columnstore.pp"
+if command -v getenforce >/dev/null 2>&1 && command -v semodule >/dev/null 2>&1; then
+  MODE=$(getenforce 2>/dev/null || echo Disabled)
+  case "$MODE" in
+    Enforcing|Permissive)
+      if [ -r "$POLICY_PATH" ]; then
+        semodule -i "$POLICY_PATH" || true
+      fi
+      ;;
+    *)
+      :
+      ;;
+  esac
+fi
+
--- a/build/preUn_storage_engine.sh
+++ b/build/preUn_storage_engine.sh
@@ -10,6 +10,13 @@ fi

 if [ $rpmmode = erase ]; then
 	columnstore-pre-uninstall
+
+	# Best-effort removal of ColumnStore SELinux policy on erase
+	if command -v semodule >/dev/null 2>&1; then
+	  if semodule -l 2>/dev/null | grep -q '^columnstore\b'; then
+	    semodule -r columnstore || true
+	  fi
+	fi
 fi

 exit 0
--- a/build/selinux_policy_rpm_post.sh
+++ b/build/selinux_policy_rpm_post.sh
@@ -1,28 +0,0 @@
-#!/bin/sh
-# Post-install script to load ColumnStore SELinux policy if SELinux is enabled
-# This script must not introduce new runtime dependencies; it only uses coreutils and typical SELinux tools if present.
-
-set -e
-
-POLICY_PATH="/usr/share/columnstore/policy/selinux/columnstore.pp"
-
-# If SELinux tooling is not present, or policy file missing, silently exit
-command -v getenforce >/dev/null 2>&1 || exit 0
-command -v semodule >/dev/null 2>&1 || exit 0
-
-# Only attempt to install when SELinux is enforcing or permissive
-MODE=$(getenforce 2>/dev/null || echo Disabled)
-case "$MODE" in
-  Enforcing|Permissive)
-    if [ -r "$POLICY_PATH" ]; then
-      # Install or upgrade the module; do not fail the entire package if this fails
-      semodule -i "$POLICY_PATH" || true
-    fi
-    ;;
-  *)
-    # Disabled or unknown, do nothing
-    :
-    ;;
-esac
-
-exit 0
--- a/build/selinux_policy_rpm_postun.sh
+++ b/build/selinux_policy_rpm_postun.sh
@@ -1,15 +0,0 @@
-#!/bin/sh
-# Post-uninstall script to remove ColumnStore SELinux policy module if present
-# No new runtime dependencies; use SELinux tools only if available.
-
-set -e
-
-# If SELinux tooling is not present, silently exit
-command -v semodule >/dev/null 2>&1 || exit 0
-
-# Remove the module if it is installed; do not fail package removal if this fails
-if semodule -l 2>/dev/null | grep -q '^columnstore\b'; then
-  semodule -r columnstore || true
-fi
-
-exit 0
--- a/cmake/selinux_policy.cmake
+++ b/cmake/selinux_policy.cmake
@@ -63,38 +63,3 @@ install(
    COMPONENT columnstore-engine
 )

-# Register RPM post-install and post-uninstall scripts for the component
-set(_selinux_post "${CMAKE_CURRENT_LIST_DIR}/../build/selinux_policy_rpm_post.sh")
-set(_selinux_postun "${CMAKE_CURRENT_LIST_DIR}/../build/selinux_policy_rpm_postun.sh")
-
-# POST_INSTALL: preserve existing script if set by wrapping it
-if(EXISTS "${_selinux_post}")
-    if(DEFINED CPACK_RPM_columnstore-engine_POST_INSTALL_SCRIPT_FILE
-       AND CPACK_RPM_columnstore-engine_POST_INSTALL_SCRIPT_FILE
-    )
-        set(_orig_post "${CPACK_RPM_columnstore-engine_POST_INSTALL_SCRIPT_FILE}")
-        set(_wrap_post "${SELINUX_BUILD_DIR}/post_install_wrapper.sh")
-        file(WRITE "${_wrap_post}" "#!/bin/sh\n\n'${_orig_post}' \"$@\" || true\n'${_selinux_post}' \"$@\" || true\n")
-        execute_process(COMMAND ${CMAKE_COMMAND} -E chmod +x "${_wrap_post}")
-        set(CPACK_RPM_columnstore-engine_POST_INSTALL_SCRIPT_FILE "${_wrap_post}")
-    else()
-        set(CPACK_RPM_columnstore-engine_POST_INSTALL_SCRIPT_FILE "${_selinux_post}")
-    endif()
-endif()
-
-# POST_UNINSTALL: preserve existing script if set by wrapping it
-if(EXISTS "${_selinux_postun}")
-    if(DEFINED CPACK_RPM_columnstore-engine_POST_UNINSTALL_SCRIPT_FILE
-       AND CPACK_RPM_columnstore-engine_POST_UNINSTALL_SCRIPT_FILE
-    )
-        set(_orig_postun "${CPACK_RPM_columnstore-engine_POST_UNINSTALL_SCRIPT_FILE}")
-        set(_wrap_postun "${SELINUX_BUILD_DIR}/post_uninstall_wrapper.sh")
-        file(WRITE "${_wrap_postun}"
-             "#!/bin/sh\n\n'${_orig_postun}' \"$@\" || true\n'${_selinux_postun}' \"$@\" || true\n"
-        )
-        execute_process(COMMAND ${CMAKE_COMMAND} -E chmod +x "${_wrap_postun}")
-        set(CPACK_RPM_columnstore-engine_POST_UNINSTALL_SCRIPT_FILE "${_wrap_postun}")
-    else()
-        set(CPACK_RPM_columnstore-engine_POST_UNINSTALL_SCRIPT_FILE "${_selinux_postun}")
-    endif()
-endif()