From 9f0e0b350e3d885e6eb8ba04b32aeaebb3946511 Mon Sep 17 00:00:00 2001
From: Micah Abbott
Date: Tue, 13 Jun 2017 11:58:22 -0400
Subject: [PATCH] selinux_verify: stop checking backup files

New composes done with `rpm-ostree` will have the backups of the `passwd` removed, per projectatomic/rpm-ostree#693. This will cause the `selinux_verify` role to fail. Since we are already checking the primary file, consensus says that it is safe to remove the checks on that particular backup, as well as the other backups of `group`, `shadow`, and `gshadow`.
---
 roles/selinux_verify/vars/common.yml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/roles/selinux_verify/vars/common.yml b/roles/selinux_verify/vars/common.yml
index 92f88dc..cb8876a 100644
--- a/roles/selinux_verify/vars/common.yml
+++ b/roles/selinux_verify/vars/common.yml
@@ -11,13 +11,9 @@ common_files:
 - { key: '/etc/hosts.allow', value: 'system_u:object_r:net_conf_t:s0' }
 - { key: '/etc/hosts.deny', value: 'system_u:object_r:net_conf_t:s0' }
 - { key: '/etc/group', value: 'system_u:object_r:passwd_file_t:s0' }
- - { key: '/etc/group-', value: 'system_u:object_r:passwd_file_t:s0' }
 - { key: '/etc/passwd', value: 'system_u:object_r:passwd_file_t:s0' }
- - { key: '/etc/passwd-', value: 'system_u:object_r:passwd_file_t:s0' }
 - { key: '/etc/gshadow', value: 'system_u:object_r:shadow_t:s0' }
- - { key: '/etc/gshadow-', value: 'system_u:object_r:shadow_t:s0' }
 - { key: '/etc/shadow', value: 'system_u:object_r:shadow_t:s0' }
- - { key: '/etc/shadow-', value: 'system_u:object_r:shadow_t:s0' }
 - { key: '/usr/sbin/NetworkManager', value: 'system_u:object_r:NetworkManager_exec_t:s0' }
 - { key: '/usr/bin/ostree', value: 'system_u:object_r:install_exec_t:s0' }
 - { key: '/usr/bin/rpm-ostree', value: 'system_u:object_r:install_exec_t:s0' }