On Fri, 2019-11-01 at 12:02 -0600, Orion Poplawski wrote:
> My F31 kickstart install is failing with:
>
> DNF error: Error in POSTIN scriptlet in rpm package flatpak-selinux

Hmm, I've also run into this issue of flatpak-selinux's POSTIN failing :(

Just to be sure, are you building the kickstart with SELinux set to permissive? It won't work if it's in Enforcing.

> This is because flatpak-selinux installs a SELinux module in %post:
>
> %post selinux
> %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
>
> which sources /etc/selinux/config. It is failing because /etc/selinux/config
> does not exist and /bin/sh exits with failure (/bin/bash does not
> interestingly enough).
>
> This was reported earlier here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1723118

For reference, here are some other BZs that I've run into while trying to come up with my own fixes to this issue:

* https://bugzilla.redhat.com/show_bug.cgi?id=1732132
* https://bugzilla.redhat.com/show_bug.cgi?id=1665643

> and the suggestion made to add:
>
> Requires(post): selinux-policy
>
> since selinux-policy owns /etc/selinux/config. However, selinux-policy
> creates /etc/selinux/config in its own %post, and Requires(post) only
> guarantees that the package's contents are installed, not that its scripts are
> complete.
>
> So, what's the best way to fix this? We need /etc/selinux/policy to be
> present and populated with SELINUXTYPE=targeted for the selinux policy modules
> to be installed properly.
>
> selinux-policy does:
>
> %post
> if [ ! -s /etc/selinux/config ]; then
> #
> # New install so we will default to targeted policy
> #
> echo "
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=enforcing
> # SELINUXTYPE= can take one of these three values:
> # targeted - Targeted processes are protected,
> # minimum - Modification of targeted policy. Only selected processes are protected.
> # mls - Multi Level Security protection.
> SELINUXTYPE=targeted
>
> " > /etc/selinux/config
>
> ln -sf ../selinux/config /etc/sysconfig/selinux
> restorecon /etc/selinux/config 2> /dev/null || :
> else
> . /etc/selinux/config
> fi
> exit 0
>
> But can't this be achieved simply with:
>
> %config(noreplace) %{_sysconfdir}/selinux/config
>
> New installs would get the default config, but otherwise you would get a
> .rpmnew file.
>
> However, I realize that nothing is particularly simple about SELinux so there
> are probably things I'm not aware of that prevent this.
>
> PS - the else code seems to be a no-op.

Back when I was trying to find my own fixes, I managed to fix one portion of the %post selinux that was enough to solve my own problems, but this issue you're seeing is one that I wasn't able to find a fix for myself. I'd love to see a resolution to this.
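The failure mode discussed in the thread (a scriptlet run by /bin/sh sourcing a config file that is not there yet) can be reproduced in a scratch directory, with a guarded form beside it. This is an added example, not code from the thread or from either package; the function names and the `targeted` fallback are assumptions.

```shell
#!/bin/sh
# Added illustration: "." is a POSIX special builtin, so a non-interactive
# sh exits when the file it is asked to source cannot be opened.

# Unguarded form: source the file in a child sh and report that shell's
# exit status. "reached" is only echoed if sh survives the "." command.
unguarded_status() {
    status=0
    sh -c '. "$1"; echo reached' sh "$1" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Guarded form: source only a non-empty file (the same -s test the quoted
# selinux-policy %post uses), inside a subshell so the caller's variables
# are untouched. Falling back to "targeted" is an assumption for this demo.
read_selinuxtype() {
    cfg=$1
    (
        SELINUXTYPE=
        if [ -s "$cfg" ]; then
            . "$cfg"
        fi
        printf '%s\n' "${SELINUXTYPE:-targeted}"
    )
}

# Constructed stand-in for /etc/selinux on a system where the config file
# has not been written yet.
demo_root=$(mktemp -d)
echo "unguarded, config missing: sh exit status $(unguarded_status "$demo_root/config")"
echo "guarded, config missing:   SELINUXTYPE=$(read_selinuxtype "$demo_root/config")"

# Constructed config contents, then the same two calls again.
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_root/config"
echo "unguarded, config present: sh exit status $(unguarded_status "$demo_root/config")"
echo "guarded, config present:   SELINUXTYPE=$(read_selinuxtype "$demo_root/config")"
rm -rf "$demo_root"
```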