Trouble with install ordering and SELinux config

My F31 kickstart install is failing with:

DNF error: Error in POSTIN scriptlet in rpm package flatpak-selinux

This is because flatpak-selinux installs a SELinux module in %post:

%post selinux
%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2

which sources /etc/selinux/config.  It is failing because /etc/selinux/config
does not exist and /bin/sh exits with failure (/bin/bash does not
interestingly enough).

This was reported earlier here:

https://bugzilla.redhat.com/show_bug.cgi?id=1723118

and the suggestion made to add:

Requires(post): selinux-policy

since selinux-policy owns /etc/selinux/config.  However, selinux-policy
creates /etc/selinux/config in its own %post, and Requires(post) only
guarantees that the package's contents are installed, not that its scripts are
complete.

So, what's the best way to fix this?  We need /etc/selinux/policy to be
present and populated with SELINUXTYPE=targeted for the selinux policy modules
to be installed properly.

selinux-policy does:

%post
if [ ! -s /etc/selinux/config ]; then
#
#     New install so we will default to targeted policy
#
echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

" > /etc/selinux/config

     ln -sf ../selinux/config /etc/sysconfig/selinux
     restorecon /etc/selinux/config 2> /dev/null || :
else
     . /etc/selinux/config
fi
exit 0

But can't this be achieved simply with:

%config(noreplace) %{_sysconfdir}/selinux/config

New installs would get the default config, but otherwise you would get a
.rpmnew file.

However, I realize that nothing is particularly simple about SELinux so there
are probably things I'm not aware of that prevent this.

PS - the else code seems to be a no-op.


-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@xxxxxxxx
Boulder, CO 80301                 https://www.nwra.com/
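
The failure mode described in the message above, as an added example that is not part of the original post or of the flatpak or selinux-policy packages: a non-interactive POSIX-mode shell aborts when `.` names a missing file, while bash in its default mode continues. The helper names and the /nonexistent path are constructed for illustration; the second helper shows a guarded lookup that does not depend on the file existing.

```shell
#!/bin/sh
# Added illustration; /nonexistent/... and the helper names are constructed.

# Run "$@" (a shell plus options) non-interactively, source a missing file,
# then try to continue. Returns 0 if the child shell kept going, 1 if the
# failed '.' aborted it (what kills an rpm scriptlet run under /bin/sh).
survives_missing_source() (
    # Drop any inherited POSIXLY_CORRECT so bash is tested in its default mode.
    unset POSIXLY_CORRECT
    out=$("$@" -c '. /nonexistent/selinux/config; echo continued' 2>/dev/null)
    [ "$out" = "continued" ]
)

# Scriptlet-safe lookup: only source the config if it exists and is non-empty.
# $1 = config path (must contain a slash), $2 = fallback policy type.
# Runs in a subshell so sourced variables do not leak into the caller.
read_selinuxtype() (
    SELINUXTYPE=
    if [ -s "$1" ]; then
        . "$1"
    fi
    printf '%s\n' "${SELINUXTYPE:-$2}"
)

# Demo: compare the shells that are installed on this machine.
for candidate in "sh" "bash" "bash --posix"; do
    set -- $candidate
    command -v "$1" >/dev/null 2>&1 || continue
    if survives_missing_source "$@"; then
        echo "$candidate: continues after sourcing a missing file"
    else
        echo "$candidate: aborts after sourcing a missing file"
    fi
done
echo "fallback type: $(read_selinuxtype /nonexistent/selinux/config targeted)"
```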
