Re: Trouble with install ordering and SELinux config

On 11/3/19 9:38 AM, Dridi Boukelmoune wrote:
> On Sat, Nov 2, 2019 at 2:21 AM Orion Poplawski <orion@xxxxxxxx> wrote:
>>
>> On 11/1/19 1:47 PM, Daniel Walsh wrote:
>>> Flatpak should be doing a Requires(post): selinux-policy-base
>>>
>>> To make sure it is installed before flatpak.
>>
>> Thanks.  The proper incantation actually though seems to be:
>>
>> %{?selinux_requires}
>>
>> which contains that.  See:
>>
>> https://fedoraproject.org/wiki/SELinux/IndependentPolicy#The_Preamble
> 
> I have used this successfully for EPEL 7 work at $DAYJOB and would have
> pointed this out earlier if I hadn't fallen off the devel list for the
> past few weeks.
> 
> Revisiting this on Fedora 31 I still see this:
> 
>     $ rpm --eval %selinux_requires | grep git
>     BuildRequires: git
> 
> And I can't help but wonder whether we really need git at build time
> as this slows down the build root creation step.
> 
> Any idea from SELinux folks?
> 

Hi,

It looks like some leftover from the past. I don't really see why it
should be there.

This commit removes that:

https://github.com/fedora-selinux/selinux-policy-macros/commit/5f366657da0c7c67f2448be03620581437c2dfbb

Fixing it also in Rawhide and F31.

Thanks,
Lukas.

> Thanks,
> Dridi
> 
>> This works because the selinux-policy-base providing packages have a:
>>
>> Requires(pre): selinux-policy
>>
>> which pushes that earlier.  I'm still not entirely convinced that that
>> creates a contract that selinux-policy's %post script will be run before
>> the flatpak-selinux's %post script, but hopefully in practice it won't
>> matter.
>>
>> I've created https://src.fedoraproject.org/rpms/flatpak/pull-request/5
>>
>>> On 11/1/19 2:51 PM, Tim Zabel wrote:
>>>> On Fri, 2019-11-01 at 12:02 -0600, Orion Poplawski wrote:
>>>>> My F31 kickstart install is failing with:
>>>>>
>>>>> DNF error: Error in POSTIN scriptlet in rpm package flatpak-selinux
>>>> Hmm, I've also run into this issue of flatpak-selinux's POSTIN failing
>>>> :(
>>>>
>>>> Just to be sure, are you building the kickstart with SELinux set to
>>>> permissive? It won't work if it's in Enforcing.
>>>>
>>>>> This is because flatpak-selinux installs a SELinux module in %post:
>>>>>
>>>>> %post selinux
>>>>> %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
>>>>>
>>>>> which sources /etc/selinux/config.  It is failing because
>>>>> /etc/selinux/config
>>>>> does not exist and /bin/sh exits with failure (/bin/bash does not
>>>>> interestingly enough).
>>>>>
>>>>> This was reported earlier here:
>>>>>
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1723118
>>>> For reference, here are some other BZs that I've run into while trying
>>>> to come up with my own fixes to this issue:
>>>>
>>>> *https://bugzilla.redhat.com/show_bug.cgi?id=1732132
>>>>
>>>> *https://bugzilla.redhat.com/show_bug.cgi?id=1665643
>>>>
>>>>
>>>>> and the suggestion made to add:
>>>>>
>>>>> Requires(post): selinux-policy
>>>>>
>>>>> since selinux-policy owns /etc/selinux/config.  However, selinux-policy
>>>>> creates /etc/selinux/config in its own %post, and Requires(post) only
>>>>> guarantees that the package's contents are installed, not that its
>>>>> scripts are complete.
>>>>>
>>>>> So, what's the best way to fix this?  We need /etc/selinux/policy to be
>>>>> present and populated with SELINUXTYPE=targeted for the selinux policy
>>>>> modules to be installed properly.
>>>>>
>>>>> selinux-policy does:
>>>>>
>>>>> %post
>>>>> if [ ! -s /etc/selinux/config ]; then
>>>>> #
>>>>> #     New install so we will default to targeted policy
>>>>> #
>>>>> echo "
>>>>> # This file controls the state of SELinux on the system.
>>>>> # SELINUX= can take one of these three values:
>>>>> #     enforcing - SELinux security policy is enforced.
>>>>> #     permissive - SELinux prints warnings instead of enforcing.
>>>>> #     disabled - No SELinux policy is loaded.
>>>>> SELINUX=enforcing
>>>>> # SELINUXTYPE= can take one of these three values:
>>>>> #     targeted - Targeted processes are protected,
>>>>> #     minimum - Modification of targeted policy. Only selected processes are protected.
>>>>> #     mls - Multi Level Security protection.
>>>>> SELINUXTYPE=targeted
>>>>>
>>>>> " > /etc/selinux/config
>>>>>
>>>>>       ln -sf ../selinux/config /etc/sysconfig/selinux
>>>>>       restorecon /etc/selinux/config 2> /dev/null || :
>>>>> else
>>>>>       . /etc/selinux/config
>>>>> fi
>>>>> exit 0
>>>>>
>>>>> But can't this be achieved simply with:
>>>>>
>>>>> %config(noreplace) %{_sysconfdir}/selinux/config
>>>>>
>>>>> New installs would get the default config, but otherwise you would get a
>>>>> .rpmnew file.
>>>>>
>>>>> However, I realize that nothing is particularly simple about SELinux so there
>>>>> are probably things I'm not aware of that prevent this.
>>>>>
>>>>> PS - the else code seems to be a no-op.
>>>> Back when I was trying to find my own fixes, I managed to fix one
>>>> portion of the %post selinux that was enough to solve my own problems,
>>>> but this issue you're seeing is one that I wasn't able to find a fix
>>>> for myself. I'd love to see a resolution to this.
>>>>
>>>> _______________________________________________
>>>> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
>>>> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
>>>
>>
>>
>> --
>> Orion Poplawski
>> Manager of NWRA Technical Systems          720-772-5637
>> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
>> 3380 Mitchell Lane                       orion@xxxxxxxx
>> Boulder, CO 80301                 https://www.nwra.com/
>>
> 


-- 
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
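A worked example, added here and not code from the thread, from the selinux-policy spec or from the Fedora selinux-policy-macros: a POSIX sh helper in the shape of the %post logic quoted above that reads SELINUXTYPE without sourcing /etc/selinux/config, so a missing file (the state before selinux-policy's own %post has run) cannot abort the scriptlet. The config path is a parameter so the logic can be exercised against a constructed file in a temporary directory; the semodule command is echoed rather than executed; and the fallback to targeted mirrors the default that selinux-policy's %post writes on a fresh install, which is this example's assumption and not a property of the real macro.

```sh
#!/bin/sh
# Added example (not Fedora's selinux-policy-macros or the selinux-policy spec).
# Reads SELINUXTYPE from an SELinux config file without aborting when the file
# is absent, the %post failure discussed in the thread. The path is a parameter
# so it can be run against a constructed file; a real %post uses
# /etc/selinux/config.

# Contrast case: what sourcing the file with '.' does, run in a subshell so this
# script survives it. Under POSIX sh (dash, or bash invoked as sh) a failed '.'
# is fatal and the (sub)shell dies; under non-POSIX bash it just returns 1.
# Either way the status is a failure, and in a real scriptlet under /bin/sh the
# whole %post stops right there.
unguarded_source() {
    if ( . "$1" ) 2>/dev/null; then
        echo ok
    else
        echo failed
    fi
}

# Guarded replacement: parse the assignment instead of executing the file.
# Nothing in the config runs as shell code, a missing or empty file cannot kill
# the scriptlet, and the last SELINUXTYPE= line wins, as it would when sourced.
# Falls back to "targeted", the default selinux-policy's %post writes on a
# fresh install (this example's assumption about the right default).
selinux_policy_type() {
    config="${1:-/etc/selinux/config}"
    store=""
    if [ -s "$config" ]; then
        store=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$config" | tail -n 1)
    fi
    printf '%s\n' "${store:-targeted}"
}

# Build the semodule invocation for the detected store (-s store, -n no reload,
# -i install). Echoed rather than executed so the example runs on any host; a
# real %post would run it and then load the policy when SELinux is enabled.
selinux_module_install_cmd() {
    module="$1"
    store=$(selinux_policy_type "${2:-/etc/selinux/config}")
    printf 'semodule -n -s %s -i %s\n' "$store" "$module"
}

# Demo against a constructed config in a temporary directory.
demo_dir=$(mktemp -d)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_dir/config"
echo "missing config, unguarded: $(unguarded_source "$demo_dir/absent")"
echo "missing config, guarded:   $(selinux_policy_type "$demo_dir/absent")"
selinux_module_install_cmd /usr/share/selinux/packages/flatpak.pp.bz2 "$demo_dir/config"
rm -rf "$demo_dir"
```

Run it once with sh and once with bash to see the difference Orion noted: the unguarded subshell dies under sh and merely returns 1 under bash, while the guarded function gives the same answer under both. To check what the macros really expand to on a given system, the same rpm --eval '%selinux_requires' query used earlier in the thread works, and %selinux_modules_install can be evaluated the same way with a module argument.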
