author | Thilo Fromm <thilo@kinvolk.io> | 2021-12-16 19:20:41 +0100 |
---|---|---|
committer | Sam James <sam@gentoo.org> | 2021-12-17 05:15:52 +0000 |
commit | df72ab351f482dea63d27e447b2a93549a742ecd (patch) | |
tree | 14ca63edf01ffe6effc2ba08d1363abb3b3dc9af /sys-apps/policycoreutils | |
parent | app-admin/graylog: security bump for CVE-2021-45046 (diff) | |
sys-apps/policycoreutils: update the right ROOT store
The policycoreutils ebuild calls 'semodule' in postinst to update
SELinux stores. It does not, however, tell semodule the correct ROOT
to use, so installing policycoreutils in a crossdev environment will
actually update the *host's* store.
This patch adds '-S "${ROOT:-/}"' to the 'semodule' call so the correct
environment is updated.
First seen + fixed in Flatcar Container Linux:
https://github.com/flatcar-linux/coreos-overlay/pull/1502
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Closes: https://github.com/gentoo/gentoo/pull/23332
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'sys-apps/policycoreutils')
4 files changed, 8 insertions, 8 deletions
diff --git a/sys-apps/policycoreutils/policycoreutils-3.1-r2.ebuild b/sys-apps/policycoreutils/policycoreutils-3.1-r2.ebuild
index 62b8f3856614..e995a286771b 100644
--- a/sys-apps/policycoreutils/policycoreutils-3.1-r2.ebuild
+++ b/sys-apps/policycoreutils/policycoreutils-3.1-r2.ebuild
@@ -162,7 +162,7 @@ pkg_postinst() {
 for POLICY_TYPE in ${POLICY_TYPES} ; do
 # There have been some changes to the policy store, rebuilding now.
 # https://marc.info/?l=selinux&m=143757277819717&w=2
- einfo "Rebuilding store ${POLICY_TYPE} (without re-loading)."
- semodule -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
+ einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
+ semodule -S "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
 done
 }
diff --git a/sys-apps/policycoreutils/policycoreutils-3.2.ebuild b/sys-apps/policycoreutils/policycoreutils-3.2.ebuild
index 7299c44a1ddd..1c90708b2731 100644
--- a/sys-apps/policycoreutils/policycoreutils-3.2.ebuild
+++ b/sys-apps/policycoreutils/policycoreutils-3.2.ebuild
@@ -156,7 +156,7 @@ pkg_postinst() {
 for POLICY_TYPE in ${POLICY_TYPES} ; do
 # There have been some changes to the policy store, rebuilding now.
 # https://marc.info/?l=selinux&m=143757277819717&w=2
- einfo "Rebuilding store ${POLICY_TYPE} (without re-loading)."
- semodule -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
+ einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
+ semodule -S "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
 done
 }
diff --git a/sys-apps/policycoreutils/policycoreutils-3.3.ebuild b/sys-apps/policycoreutils/policycoreutils-3.3.ebuild
index c8fe18af66f9..6b00366fe883 100644
--- a/sys-apps/policycoreutils/policycoreutils-3.3.ebuild
+++ b/sys-apps/policycoreutils/policycoreutils-3.3.ebuild
@@ -156,7 +156,7 @@ pkg_postinst() {
 for POLICY_TYPE in ${POLICY_TYPES} ; do
 # There have been some changes to the policy store, rebuilding now.
 # https://marc.info/?l=selinux&m=143757277819717&w=2
- einfo "Rebuilding store ${POLICY_TYPE} (without re-loading)."
- semodule -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
+ einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
+ semodule -S "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
 done
 }
diff --git a/sys-apps/policycoreutils/policycoreutils-9999.ebuild b/sys-apps/policycoreutils/policycoreutils-9999.ebuild
index c8fe18af66f9..6b00366fe883 100644
--- a/sys-apps/policycoreutils/policycoreutils-9999.ebuild
+++ b/sys-apps/policycoreutils/policycoreutils-9999.ebuild
@@ -156,7 +156,7 @@ pkg_postinst() {
 for POLICY_TYPE in ${POLICY_TYPES} ; do
 # There have been some changes to the policy store, rebuilding now.
 # https://marc.info/?l=selinux&m=143757277819717&w=2
- einfo "Rebuilding store ${POLICY_TYPE} (without re-loading)."
- semodule -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
+ einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
+ semodule -S "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
 done
 }
|
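Review bot: The added `-S "${ROOT:-/}"` on the `semodule` line appears to hand the install root to the wrong option: as documented in semodule(8), `-S`/`--store-path` overrides the policy store root (normally /var/lib/selinux), while `-p`/`--path` is the option for an alternate policy root. If that holds for the versions patched here, an empty ROOT would point the store at `/` and a crossdev ROOT would look for the store directly under `${ROOT}`, so the rebuild may fail or act on a location that is not the target's real SELinux store. Consider `semodule -p "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die ...` and verify with both an empty and a non-empty ROOT that the store actually rebuilt lives under the target's /var/lib/selinux. The same line is added in all four ebuild hunks (3.1-r2, 3.2, 3.3, 9999); pkg_postinst's opening line is outside each hunk.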