Re: Trouble with install ordering and SELinux config


 



On 11/1/19 1:47 PM, Daniel Walsh wrote:
Flatpak should be doing a requires(post): selinux-policy-base

To make sure it is installed before flatpak.

Thanks.  The proper incantation actually though seems to be:

%{?selinux_requires}

which contains that.  See:

https://fedoraproject.org/wiki/SELinux/IndependentPolicy#The_Preamble

This works because the selinux-policy-base providing packages have a:

Requires(pre): selinux-policy

which pushes that earlier. I'm still not entirely convinced that that creates a contract that selinux-policy's %post script will be run before the flatpak-selinux's %post script, but hopefully in practice it won't matter.

I've created https://src.fedoraproject.org/rpms/flatpak/pull-request/5

On 11/1/19 2:51 PM, Tim Zabel wrote:
On Fri, 2019-11-01 at 12:02 -0600, Orion Poplawski wrote:
My F31 kickstart install is failing with:

DNF error: Error in POSTIN scriptlet in rpm package flatpak-selinux
Hmm, I've also run into this issue of flatpak-selinux's POSTIN failing :(

Just to be sure, are you building the kickstart with SELinux set to
permissive? It won't work if it's in Enforcing.

This is because flatpak-selinux installs an SELinux module in %post:

%post selinux
%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2

which sources /etc/selinux/config.  It is failing because /etc/selinux/config
does not exist and /bin/sh exits with failure (/bin/bash does not,
interestingly enough).

This was reported earlier here:

https://bugzilla.redhat.com/show_bug.cgi?id=1723118
For reference, here are some other BZs that I've run into while trying
to come up with my own fixes to this issue:

* https://bugzilla.redhat.com/show_bug.cgi?id=1732132

* https://bugzilla.redhat.com/show_bug.cgi?id=1665643


and the suggestion made to add:

Requires(post): selinux-policy

since selinux-policy owns /etc/selinux/config.  However, selinux-policy
creates /etc/selinux/config in its own %post, and Requires(post) only
guarantees that the package's contents are installed, not that its
scripts are complete.

So, what's the best way to fix this?  We need /etc/selinux/policy to be
present and populated with SELINUXTYPE=targeted for the selinux policy
modules to be installed properly.

selinux-policy does:

%post
if [ ! -s /etc/selinux/config ]; then
    #
    #     New install so we will default to targeted policy
    #
    echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

" > /etc/selinux/config

    ln -sf ../selinux/config /etc/sysconfig/selinux
    restorecon /etc/selinux/config 2> /dev/null || :
else
    . /etc/selinux/config
fi
exit 0

But can't this be achieved simply with:

%config(noreplace) %{_sysconfdir}/selinux/config

New installs would get the default config, but otherwise you would get a
.rpmnew file.

However, I realize that nothing is particularly simple about SELinux so there
are probably things I'm not aware of that prevent this.

PS - the else code seems to be a no-op.

Back when I was trying to find my own fixes, I managed to fix one
portion of the %post selinux that was enough to solve my own problems,
but this issue you're seeing is one that I wasn't able to find a fix
for myself. I'd love to see a resolution to this.

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx






--
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@xxxxxxxx
Boulder, CO 80301                 https://www.nwra.com/
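The failure mode discussed in the quoted message (a %post scriptlet run by /bin/sh that does ". /etc/selinux/config" and aborts when the file is absent), isolated as an added example. This is not code from the thread or from the flatpak or selinux-policy packages; the function names, the demo helper and the constructed config files are assumptions made here so it can be run against a temporary directory instead of the live system.

```shell
# Added example, not from the thread or from any Fedora package.
# POSIX makes a failed "." special builtin fatal to a non-interactive
# shell, so an unguarded ". /etc/selinux/config" ends the scriptlet when
# the file does not exist yet. Paths are parameters so the functions can
# be exercised on a constructed file.

# selinux_type_from_config CONFIG
#   Guarded reader: source CONFIG only when it exists and is non-empty,
#   then print SELINUXTYPE, defaulting to "targeted" (the value the
#   selinux-policy %post writes on a new install). Never aborts the caller.
selinux_type_from_config() {
    _cfg=$1
    SELINUXTYPE=
    if [ -s "$_cfg" ]; then
        . "$_cfg"
    fi
    printf '%s\n' "${SELINUXTYPE:-targeted}"
}

# unguarded_source_status CONFIG
#   Unguarded version, run in a child /bin/sh so the caller survives:
#   prints the exit status of ". CONFIG". Non-zero when CONFIG is missing,
#   which is what an rpm scriptlet surfaces as "Error in POSTIN scriptlet".
#   The "|| _status=$?" keeps this usable under "set -e".
unguarded_source_status() {
    _status=0
    sh -c '. "$1"' sh "$1" 2>/dev/null || _status=$?
    echo "$_status"
}

# demo: constructed config files in a temp dir, not /etc/selinux/config
demo() {
    _dir=$(mktemp -d)
    printf 'SELINUX=enforcing\nSELINUXTYPE=mls\n' > "$_dir/config"
    echo "present file -> type: $(selinux_type_from_config "$_dir/config")"
    echo "missing file -> type: $(selinux_type_from_config "$_dir/absent")"
    echo "missing file -> unguarded '.' status: $(unguarded_source_status "$_dir/absent")"
    rm -rf "$_dir"
}

demo
```

The guarded reader is the shape a scriptlet needs when it cannot rely on another package's %post having run first: test for the file, source it only when present, and fall back to the documented default. Running the same ". file" under bash outside POSIX mode only returns non-zero and continues, which matches the observation above that /bin/bash does not exit where /bin/sh does.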


