selinux-policy: Change SELinux policy module composition. (#10207)

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>

SPECS/selinux-policy/modules_targeted.conf

@@ -11,45 +11,3 @@ selinux = base
 storage = base
 terminal = base
 ubac = base
-
-bootloader = base
-kdump = base
-logrotate = base
-netutils = base
-rpm = base
-su = base
-sudo = base
-usermanage = base
-
-staff = base
-sysadm = base
-unprivuser = base
-
-cron = base
-chronyd = base
-dbus = base
-irqbalance = base
-ldap = base
-
-application = base
-authlogin = base
-clock = base
-fstools = base
-init = base
-iptables = base
-libraries = base
-locallogin = base
-logging = base
-lvm = base
-miscfiles = base
-modutils = base
-mount = base
-raid = base
-selinuxutil = base
-sysnetwork = base
-systemd = base
-udev = base
-unconfined = module
-userdomain = base
-# required by systemd:
-xdg = base

SPECS/selinux-policy/selinux-policy.signatures.json

@@ -3,7 +3,7 @@
   "Makefile.devel": "cd065e896d7eb11e238a05b9102359ea370ec75b27785a81935c985899ed2df6",
   "booleans_targeted.conf": "009f880c7179a007569dfdbf40ef64ae41671ad33cc2717eebbdaeb8ab431d12",
   "macros.selinux-policy": "027f5d27441a7262365c26076dc3b7ab1f1ac62026ae94514020e0607e53a73a",
-  "modules_targeted.conf": "b8fdff7cf2280bf71fa5841e9d3e5a8add4b30cdcbd21bc4fb2340d53b3bc23f",
+  "modules_targeted.conf": "161f7075f935afb15402084e5dc6b67da9a6b578631f0f77459b0461176da9e2",
   "refpolicy-2.20240226.tar.bz2": "7ed41f4f45189b9ee9706da8ac357eccc103651b56daabaddb54c436e8117cf9"
  }
 }

SPECS/selinux-policy/selinux-policy.spec

@@ -9,7 +9,7 @@
 Summary:        SELinux policy
 Name:           selinux-policy
 Version:        %{refpolicy_major}.%{refpolicy_minor}
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -130,7 +130,7 @@ enforced by the kernel when running with SELinux enabled.
 %{_sharedstatedir}/selinux/%{policy_name}/active/modules_checksum
 %exclude %{_sharedstatedir}/selinux/%{policy_name}/active/policy.kern
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{policy_name}/active/file_contexts.homedirs
-%{_sharedstatedir}/selinux/%{policy_name}/active/modules/100/base
+%{_sharedstatedir}/selinux/%{policy_name}/active/modules/100/*
 
 %package modules
 Summary:        SELinux policy modules
@@ -138,18 +138,17 @@ Requires:       selinux-policy = %{version}-%{release}
 Requires(pre):  selinux-policy = %{version}-%{release}
 
 %description modules
-Additional SELinux policy modules
+Additional SELinux policy modules -- deprecated: all policy modules are now
+in selinux-policy.  This package will be removed in Azure Linux 4.0.
 
 %files modules
-%{_sharedstatedir}/selinux/%{policy_name}/active/modules/100/*
-%exclude %{_sharedstatedir}/selinux/%{policy_name}/active/modules/100/base
-%exclude %{_sharedstatedir}/selinux/%{policy_name}/active/modules/disabled
 
 %package devel
 Summary:        SELinux policy devel
 Requires:       %{_bindir}/make
 Requires:       checkpolicy >= %{CHECKPOLICYVER}
 Requires:       m4
+Requires:       selinux-policy = %{version}-%{release}
 Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
 
 %description devel
@@ -190,18 +189,12 @@ install -m0644 %{_sourcedir}/modules_%{1}.conf policy/modules.conf \
 %make_build UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} UBAC=%{3} %{common_makeopts} conf \
 install -m0644 %{_sourcedir}/booleans_%{1}.conf policy/booleans.conf
 
-# After all the modules are inserted into the module store, the non-base
-# modules are disabled so the selinux-policy package only has the base module.
-# The selinux-policy-modules RPM then drops the disable flags using %exclude
-# in the %files section so the entire policy is enabled when the
-# selinux-policy-modules RPM is installed.
 %define installCmds() \
 %make_build UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} UBAC=%{3} %{common_makeopts} base.pp \
 %make_build validate UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} UBAC=%{3} %{common_makeopts} modules \
 make UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} UBAC=%{3} %{common_makeopts} install \
 make UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} UBAC=%{3} %{common_makeopts} install-appconfig \
 make UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} UBAC=%{3} SEMODULE="semodule -p %{buildroot} -X 100 " load \
-semodule -p %{buildroot} -l | grep -v base | xargs semodule -p %{buildroot} -d \
 mkdir -p %{buildroot}/%{_sysconfdir}/selinux/%{1}/logins \
 touch %{buildroot}%{_sysconfdir}/selinux/%{1}/contexts/files/file_contexts.subs \
 install -m0644 config/appconfig-%{2}/securetty_types %{buildroot}%{_sysconfdir}/selinux/%{1}/contexts/securetty_types \
@@ -314,11 +307,6 @@ fi
 %postInstall $1 %{policy_name}
 exit 0
 
-%post modules
-%{_sbindir}/semodule -B -n -s %{policy_name}
-[ "${SELINUXTYPE}" == "%{policy_name}" ] && selinuxenabled && load_policy
-exit 0
-
 %postun
 if [ $1 = 0 ]; then
      setenforce 0 2> /dev/null
@@ -337,6 +325,11 @@ exit 0
 selinuxenabled && semodule -nB
 exit 0
 %changelog
+* Mon Aug 13 2024 Chris PeBenito <chpebeni@microsoft.com> - 2.20240226-7
+- Change policy composition so the base module only consits of policy modules
+  that must be in the base.  This will allow dowstream users to disable or
+  override the individual policy modules.
+
 * Thu Jul 18 2024 Chris PeBenito <chpebeni@microsoft.com> - 2.20240226-6
 - Drop rules that are specific to AzureLinux testing systems.
 - Add fix for systemd-machine-id-setup CAP_DAC_OVERRIDE use.

toolkit/imageconfigs/packagelists/selinux-full.json

@@ -1,7 +1,6 @@
 {
     "packages": [
         "selinux-policy",
-        "selinux-policy-modules",
         "selinux-policy-devel",
         "policycoreutils-python-utils",
         "checkpolicy",

toolkit/imageconfigs/packagelists/selinux.json

@@ -1,6 +1,5 @@
 {
     "packages": [
-        "selinux-policy",
-        "selinux-policy-modules"
+        "selinux-policy"
     ]
 }