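# RPM spec for selinux-policy-epel.
#
# Builds the targeted and mls policy trees from a pinned selinux-policy commit
# with the container-selinux sources unpacked into the contrib modules, and
# packages the resulting module packages for both stores plus the interface
# headers. Modules are installed into the policy store at priority 200 by the
# scriptlets below, not shipped as payload inside the store.

# github repo with selinux-policy sources
%global giturl https://github.com/fedora-selinux/selinux-policy
%global commit 061ed78f650a71a7f47e9a9dcc20e0880e108346
%global shortcommit %(c=%{commit}; echo ${c:0:7})

# Build options passed unchanged to every make invocation on the policy trees.
%global common_params DISTRO=redhat UBAC=n DIRECT_INITRC=n MONOLITHIC=n MLS_CATS=1024 MCS_CATS=1024

# noarch policy package: no debuginfo subpackage is generated.
%global debug_package %{nil}

Name: selinux-policy-epel
Version: 40.13.26
Release: 1%{?dist}
Summary: SELinux policy for EPEL packages
License: GPL-2.0-or-later
URL: https://github.com/fedora-selinux/selinux-policy
# Source0 is fetched by full commit hash, so the policy base is reproducible.
Source0: %{giturl}/archive/%{commit}/selinux-policy-%{shortcommit}.tar.gz
# Git repo: https://github.com/containers/container-selinux.git
# NOTE(review): unlike Source0, this tarball is not tied to a commit or tag
# anywhere in this spec. Record the upstream commit it was generated from so
# the shipped policy rules can be reproduced and audited.
Source1: container-selinux.tgz
# ship only these modules
Source2: modules-filtered.lst
# Helper run at build time to produce modules.conf from Source2 (see makeConf).
Source3: process-modules-filtered.py
BuildArch: noarch
BuildRequires: selinux-policy-devel

%description

%package targeted
Summary: SELinux targeted policy for EPEL packages
Requires: selinux-policy-targeted

%description targeted

%package mls
Summary: SELinux mls policy for EPEL packages
Requires: selinux-policy-mls

%description mls

%package devel
Summary: SELinux targeted policy for EPEL packages - header files
Requires: selinux-policy-devel

%description devel

%prep
%autosetup -p 1 -n selinux-policy-%{commit}
# Unpack the container-selinux sources into the contrib module directory.
tar -C policy/modules/contrib -xf %{SOURCE1}
# Duplicate the prepared tree so targeted and mls are built from separate
# copies, then move both back under the directory name the build expects.
cd ..
mv selinux-policy-%{commit} targeted
cp -r targeted mls
mkdir selinux-policy-%{commit}
mv targeted mls selinux-policy-%{commit}

%build
# makeConf NAME TYPE UNK_PERMS
# Generates the base configuration for one policy tree, copies booleans.conf
# and users into the policy directory, and writes modules.conf by running the
# Source3 script over the Source2 module list. The script itself is not part
# of this spec; presumably it leaves only the listed modules enabled.
%define makeConf() \
%make_build -C %1 %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
%make_build -C %1 %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
install -p -m0644 ./%1/dist/%1/booleans.conf ./%1/policy/booleans.conf \
install -p -m0644 ./%1/dist/%1/users ./%1/policy/users \
# install -p -m0644 ./%1/dist/%1/modules.conf ./%1/policy/modules.conf \
%{SOURCE3} %{SOURCE2} ./%1/dist/%1/modules.conf enabled > ./%1/policy/modules.conf \

# makeModules NAME TYPE UNK_PERMS
# Builds the base module and then the loadable modules for one policy tree.
%define makeModules() \
%make_build -C %1 %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
%make_build -C %1 %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 modules \

# targeted is built as mcs with unknown permissions allowed; mls is built as
# mls with unknown permissions denied.
%makeConf targeted mcs allow
%makeConf mls mls deny
%makeModules targeted mcs allow
%makeModules mls mls deny

%install
# makeInstall NAME TYPE UNK_PERMS
# Runs the install target of one policy tree into the buildroot.
%define makeInstall() \
%make_build -C %1 %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \

# Always create policy module package directories
mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/

mkdir -p %{buildroot}%{_datadir}/selinux/devel/include

%makeInstall targeted mcs allow
%makeInstall mls mls deny

# Generate the per-store file lists: every non-comment line of the module list
# becomes a ghost entry under the priority-200 module directory of that store.
# The entries are created by semodule at install time, not shipped as payload,
# and digest, size, mode and mtime are excluded from verification. Package
# verification therefore says nothing about the content of the installed
# modules; compare against semodule --list-modules=full and the packaged
# module files when auditing a host.
sed -n '/^[^#]/ s#\(.*\)#%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/targeted/active/modules/200/\1#p' %{SOURCE2} > %{_builddir}/targeted-epelmodules.lst
sed -n '/^[^#]/ s#\(.*\)#%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/mls/active/modules/200/\1#p' %{SOURCE2} > %{_builddir}/mls-epelmodules.lst

# Ship the plain module list (comments stripped); the scriptlets read it to
# decide which modules to install and remove.
sed -n '/^[^#]/p' %{SOURCE2} > %{buildroot}%{_datadir}/selinux/targeted/epel-modules.lst
sed -n '/^[^#]/p' %{SOURCE2} > %{buildroot}%{_datadir}/selinux/mls/epel-modules.lst

%make_build -C targeted %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} install-headers
# NOTE(review): devel/include already exists (mkdir above), so this mv places
# the headers at devel/include/include. Confirm that layout is intended.
mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
# Drop the /etc/selinux tree produced by the install target; nothing under it
# is listed in the files sections.
rm -rf %{buildroot}%{_sysconfdir}/selinux/

%pre targeted
%selinux_relabel_pre -s targeted

%post targeted
# Install every packaged module into the targeted store at priority 200
# without reloading (-n), then reload once if SELinux is enabled.
# Failures are ignored so the transaction never aborts. A failed semodule run
# therefore leaves the modules uninstalled with no error status, so check
# semodule -l after installation on hosts where this policy matters.
sed 's#^\(.*\)$#%{_datadir}/selinux/targeted/\1.pp#' %{_datadir}/selinux/targeted/epel-modules.lst | xargs semodule -n -s targeted -X 200 -i || :
selinuxenabled && load_policy || :

%posttrans targeted
%selinux_relabel_post -s targeted

%preun targeted
# The first scriptlet argument is 0 only on final removal, not on upgrade.
if [ $1 -eq 0 ]; then
    xargs semodule -n -s targeted -X 200 -r < %{_datadir}/selinux/targeted/epel-modules.lst || :
    selinuxenabled && load_policy || :
    %selinux_relabel_post -s targeted
fi

%pre mls
%selinux_relabel_pre -s mls

%post mls
# Same procedure as the targeted post scriptlet, applied to the mls store;
# failures are ignored here as well.
sed 's#^\(.*\)$#%{_datadir}/selinux/mls/\1.pp#' %{_datadir}/selinux/mls/epel-modules.lst | xargs semodule -n -s mls -X 200 -i || :
selinuxenabled && load_policy || :

%posttrans mls
%selinux_relabel_post -s mls

%preun mls
# The first scriptlet argument is 0 only on final removal, not on upgrade.
if [ $1 -eq 0 ]; then
    xargs semodule -n -s mls -X 200 -r < %{_datadir}/selinux/mls/epel-modules.lst || :
    selinuxenabled && load_policy || :
    %selinux_relabel_post -s mls
fi

%files
%license targeted/COPYING

%files targeted -f %{_builddir}/targeted-epelmodules.lst
# Own the priority-200 directory that holds the ghost module entries from the
# generated list. The path uses the same prefix as the sed expression in the
# install section; it previously read selinux/active/active/200, which is not
# inside the targeted store.
%ghost %dir %{_sharedstatedir}/selinux/targeted/active/modules/200
%{_datadir}/selinux/targeted/epel-modules.lst
%{_datadir}/selinux/targeted/*.pp

%files mls -f %{_builddir}/mls-epelmodules.lst
# Same as above for the mls store; the path previously lacked the modules
# component and so did not match the ghost entries in the generated list.
%ghost %dir %{_sharedstatedir}/selinux/mls/active/modules/200
%{_datadir}/selinux/mls/epel-modules.lst
%{_datadir}/selinux/mls/*.pp

%files devel
%dir %{_datadir}/selinux/devel/include
%{_datadir}/selinux/devel/include/*

%changelog
* Wed Feb 19 2025 Petr Lautrbach - 40.13.26-1
- Initial import from selinux-policy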