Do not load unconfined SELinux policy module when strict policy is set

2 files changed, 10 insertions, 2 deletions

diff --git a/eclass/ChangeLog b/eclass/ChangeLog
index 1a0705d2e6a7..d2d3973a6098 100644
--- a/eclass/ChangeLog
+++ b/eclass/ChangeLog
@@ -1,6 +1,9 @@
 # ChangeLog for eclass directory
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/ChangeLog,v 1.719 2013/03/08 10:26:42 hanno Exp $
+# $Header: /var/cvsroot/gentoo-x86/eclass/ChangeLog,v 1.720 2013/03/09 12:07:50 swift Exp $
+
+  09 Mar 2013; Sven Vermeulen <swift@gentoo.org> selinux-policy-2.eclass:
+  Do not load unconfined module with strict policy
 
   08 Mar 2013; Hanno Boeck <hanno@gentoo.org> apache-2.eclass:
   Remove re-setting of permissions every time apache gets reinstalled. See bug
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 8ddcb14935a4..e83a26a3e098 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -1,6 +1,6 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.16 2013/01/26 15:01:52 swift Exp $
+# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.17 2013/03/09 12:07:50 swift Exp $
 
 # Eclass for installing SELinux policy, and optionally
 # reloading the reference-policy based modules.
@@ -241,6 +241,11 @@ selinux-policy-2_pkg_postinst() {
 	done
 
 	for i in ${POLICY_TYPES}; do
+		if [ "${i}" == "strict" ] && [ "${MODS}" = "unconfined" ];
+		then
+			einfo "Ignoring loading of unconfined module in strict module store.";
+			continue;
+		fi
 		einfo "Inserting the following modules into the $i module store: ${MODS}"
 
 		cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"