From 1099970ab3e72a517bacf284415380ce9fa17d8b Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Thu, 22 Sep 2022 17:31:24 +0200
Subject: [PATCH] Install policy modules with priority 200
https://fedoraproject.org/wiki/SELinux/IndependentPolicy#SELinux_Policy_module_priorities
Also, fix binary policy module path.
Signed-off-by: Vit Mojzis
---
 Makefile | 6 +++---
 common/selinux-disable.sh | 2 +-
 common/selinux-enable.sh | 8 +++++---
 foreman-selinux-disable | 2 +-
 foreman-selinux-enable | 5 ++++-
 5 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/Makefile b/Makefile
index 3deba84..c34491b 100644
--- a/Makefile
+++ b/Makefile
@@ -87,8 +87,8 @@ install: install-policies \
 install-data
 install-policies: policies consolidate-installation
- install -d ${INSTPREFIX}/usr/share/selinux/${VARIANT}
- install -p -m 644 *.pp.bz2 ${INSTPREFIX}/usr/share/selinux/${VARIANT}/
+ install -d ${INSTPREFIX}/usr/share/selinux/packages/${VARIANT}
+ install -p -m 644 *.pp.bz2 ${INSTPREFIX}/usr/share/selinux/packages/${VARIANT}/
 install-data: man-pages scripts install-interfaces install-scripts install-manpages
@@ -105,7 +105,7 @@ install-manpages:
 install -m 0644 *.8 ${INSTPREFIX}/usr/share/man/man8/
 consolidate-installation:
- hardlink -c ${INSTPREFIX}/usr/share/selinux/${VARIANT}/
+ hardlink -c ${INSTPREFIX}/usr/share/selinux/packages/${VARIANT}/
 remote-load:
 ifdef HOST
diff --git a/common/selinux-disable.sh b/common/selinux-disable.sh
index ad7888d..e3d8d2e 100644
--- a/common/selinux-disable.sh
+++ b/common/selinux-disable.sh
@@ -8,7 +8,7 @@ for selinuxvariant in targeted
 do
 if /usr/sbin/semodule -s \$selinuxvariant -l >/dev/null; then
 # Unload policy
- /usr/sbin/semodule -s \$selinuxvariant -r $MODULE
+ /usr/sbin/semodule -X 200 -s \$selinuxvariant -r $MODULE
 fi
 done
 EOF
diff --git a/common/selinux-enable.sh b/common/selinux-enable.sh
index 4e2cbc4..85c6ecf 100644
--- a/common/selinux-enable.sh
+++ b/common/selinux-enable.sh
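Review bot: The `+` line now unloads only the priority-200 copy of `$MODULE`, so a module that a pre-upgrade install left at priority 400 (the case the commit's own enable scripts explicitly handle) stays active after the user runs disable; the foreman-selinux-disable hunk has the same gap. The 400 copy is only cleaned up when enable itself runs, so a host that upgrades the package and then disables would keep the stale module loaded, which is the opposite of what a disable script promises. Suggest removing the old priority as well, e.g. `/usr/sbin/semodule -s \$selinuxvariant -r $MODULE >/dev/null 2>&1 || :` ahead of the `-X 200` removal, so the disable path is complete regardless of which priority the module was installed at. The `for` loop and the heredoc that generates this script begin outside the hunk.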
@@ -7,9 +7,11 @@ set +e
 for selinuxvariant in targeted
 do
 if /usr/sbin/semodule -s \$selinuxvariant -l >/dev/null; then
- # Load policy
- /usr/sbin/semanage module -S \$selinuxvariant \
- -a /usr/share/selinux/\${selinuxvariant}/${MODULE}.pp.bz2
+ # Remove old policy module on priority 400 if it exists
+ /usr/sbin/semodule -s \$selinuxvariant -r ${MODULE}
+ # Load new policy module
+ /usr/sbin/semodule -X 200 -s \$selinuxvariant \
+ -i /usr/share/selinux/packages/\${selinuxvariant}/${MODULE}.pp.bz2
 fi
 done
 EOF
diff --git a/foreman-selinux-disable b/foreman-selinux-disable
index 119d8f6..cb25f7c 100644
--- a/foreman-selinux-disable
+++ b/foreman-selinux-disable
@@ -25,7 +25,7 @@ do
 tee -a $LOG | \
 /usr/sbin/semanage -S $selinuxvariant -i -
 # Unload policy
- /usr/sbin/semodule -s $selinuxvariant -r foreman
+ /usr/sbin/semodule -X 200 -s $selinuxvariant -r foreman
 fi
 done
diff --git a/foreman-selinux-enable b/foreman-selinux-enable
index 7f73a89..375d21b 100644
--- a/foreman-selinux-enable
+++ b/foreman-selinux-enable
@@ -32,8 +32,11 @@ do
 # Commit changes of deleting the ports
 test -s $TMP_EXEC_BEFORE && /usr/sbin/semanage -S $selinuxvariant -i $TMP_EXEC_BEFORE
+ # Remove old module on priority 400 if it exists
+ /usr/sbin/semodule -s $selinuxvariant -r foreman &>/dev/null || :
+
 # Load new policy
- /usr/sbin/semanage module -S $selinuxvariant -a /usr/share/selinux/${selinuxvariant}/foreman.pp.bz2
+ /usr/sbin/semodule -X 200 -s $selinuxvariant -i /usr/share/selinux/packages/${selinuxvariant}/foreman.pp.bz2
 # Create port list cache
 /usr/sbin/semanage port -E > $TMP_PORTS
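Review bot: The new `/usr/sbin/semodule -s \$selinuxvariant -r ${MODULE}` line runs on every enable, including a clean first install where no priority-400 module exists, so it presumably exits non-zero with an error on stderr; unlike the foreman-selinux-enable hunk nothing silences it, and under the `set +e` shown in the hunk header the error is only printed, never acted on. Suggest matching the other hunk with the POSIX redirection form, since the shell the generated script runs under is not visible here: `/usr/sbin/semodule -s \$selinuxvariant -r ${MODULE} >/dev/null 2>&1 || :`. Separately, both this hunk and the foreman-selinux-enable hunk remove the priority-400 module (which rebuilds and reloads policy) before the priority-200 module is installed, which presumably leaves an upgrade window with no ${MODULE} policy loaded at all. Installing at 200 first and then removing 400 would close that window, because the higher priority keeps winning until it is removed and the switch to the new module happens in a single reload. The heredoc and the `for` loop begin outside the hunk.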
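Review bot: The `&>/dev/null` added on the removal line is a bash-only redirection; the script's shebang is outside the hunk, and if it runs under `/bin/sh` the line parses as `semodule ... -r foreman &` followed by `>/dev/null`, which backgrounds the removal and lets it race the `-X 200 -i` install two lines below. The portable spelling `/usr/sbin/semodule -s $selinuxvariant -r foreman >/dev/null 2>&1 || :` avoids both the parse difference and the race. Note also that `|| :` swallows every failure of the removal, not only the "module absent" case it is meant for; if an unexpected semodule error here is worth diagnosing, consider redirecting stderr to the script's log (if it keeps one) instead of discarding it. The enclosing `do` loop starts outside the hunk.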