From f464b86e196886c687fd5e9e1cea835e5c8d86ba Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 6 Jun 2024 21:37:38 +0200
Subject: [PATCH] Move unconfined_domain(sap_unconfined_t) to an optional block

This policy statement needs to be in an optional block for cases
when the unconfined module is disabled or removed.

Resolves: RHEL-37663
---
 policy/modules/contrib/sap.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/sap.te b/policy/modules/contrib/sap.te
index 1f3eb9c8e4..8c400da86c 100644
--- a/policy/modules/contrib/sap.te
+++ b/policy/modules/contrib/sap.te
@@ -4,10 +4,13 @@ type sap_unconfined_t;
 type sap_exec_t;
 files_type(sap_exec_t);
 init_daemon_domain(sap_unconfined_t, sap_exec_t)
-unconfined_domain(sap_unconfined_t)
 
 #type sap_tmp_t;
 #files_tmp_file(sap_tmp_t);
 #manage_dirs_pattern(sap_unconfined_t, sap_tmp_t, sap_tmp_t)
 #manage_files_pattern(sap_unconfined_t, sap_tmp_t, sap_tmp_t)
 #files_tmp_filetrans(sap_unconfined_t, sap_tmp_t, { dir file })
+
+optional_policy(`
+	unconfined_domain(sap_unconfined_t)
+')