From cdf4543ac4d445ad629a61ba9d16c9bbb9992117 Mon Sep 17 00:00:00 2001
From: Michael Scherer <misc@redhat.com>
Date: Apr 20 2017 07:38:18 +0000
Subject: Add safeguard around "semodule -n -d sandbox"


Each time this package is updated, it remove the sandbox module, thus
making the sandbox command not working until someone reenable it.

The main cause is likely the non intuitive ordering of RPM post install
script, as %preun is run after %post. See the details on
https://fedoraproject.org/wiki/Packaging:Scriptlets

---

diff --git a/selinux-policy.spec b/selinux-policy.spec
index cee895b..83c0f45 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 191.24%{?dist}
+Release: 191.25%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -112,10 +112,13 @@ fi;
 exit 0
 
 %preun sandbox
-semodule -n -d sandbox 2>/dev/null
-if /usr/sbin/selinuxenabled ; then
-    /usr/sbin/load_policy
-fi;exit 0
+if [ $1 -eq 0 ] ; then
+    semodule -n -d sandbox 2>/dev/null
+    if /usr/sbin/selinuxenabled ; then
+        /usr/sbin/load_policy
+    fi;
+fi;
+exit 0
 
 %package devel
 Summary: SELinux policy devel
@@ -672,6 +675,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Apr 20 2017 Michael Scherer <misc@fedoraproject.org> - 3.13.1-191.25
+- fix #1380325, selinux-policy-sandbox always removing sandbox module on upgrade
+
 * Sun Jan 08 2017 Lukas Vrabec  <lvrabec@redhat.com> 3.13.1-191.24
 - Allow thumb domain sendto via dgram sockets. BZ(1398813)
 - Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077)