On 11/3/19 9:38 AM, Dridi Boukelmoune wrote:
> On Sat, Nov 2, 2019 at 2:21 AM Orion Poplawski <orion@xxxxxxxx> wrote:
>>
>> On 11/1/19 1:47 PM, Daniel Walsh wrote:
>>> Flatpak should be doing a Requires(post): selinux-policy-base
>>>
>>> To make sure it is installed before flatpak.
>>
>> Thanks.  The proper incantation actually though seems to be:
>>
>> %{?selinux_requires}
>>
>> which contains that.  See:
>>
>> https://fedoraproject.org/wiki/SELinux/IndependentPolicy#The_Preamble
>
> I have used this successfully for EPEL 7 work at $DAYJOB and would have
> pointed this out earlier if I hadn't fallen off the devel list for the
> past few weeks.
>
> Revisiting this on Fedora 31 I still see this:
>
> $ rpm --eval %selinux_requires | grep git
> BuildRequires: git
>
> And I can't help but wonder whether we really need git at build time
> as this slows down the build root creation step.
>
> Any idea from SELinux folks?
>

Hi,

It looks like some leftover from the past. I don't really see why it
should be there.

This commit removes that:
https://github.com/fedora-selinux/selinux-policy-macros/commit/5f366657da0c7c67f2448be03620581437c2dfbb

Fixing it also in Rawhide and F31.

Thanks,
Lukas.

> Thanks,
> Dridi
>
>> This works because the selinux-policy-base providing packages have a:
>>
>> Requires(pre): selinux-policy
>>
>> which pushes that earlier.  I'm still not entirely convinced that that
>> creates a contract that selinux-policy's %post script will be run before
>> the flatpak-selinux's %post script, but hopefully in practice it won't
>> matter.
>>
>> I've created https://src.fedoraproject.org/rpms/flatpak/pull-request/5
>>
>>> On 11/1/19 2:51 PM, Tim Zabel wrote:
>>>> On Fri, 2019-11-01 at 12:02 -0600, Orion Poplawski wrote:
>>>>> My F31 kickstart install is failing with:
>>>>>
>>>>> DNF error: Error in POSTIN scriptlet in rpm package flatpak-selinux
>>>>
>>>> Hmm, I've also run into this issue of flatpak-selinux's POSTIN failing :(
>>>>
>>>> Just to be sure, are you building the kickstart with SELinux set to
>>>> permissive? It won't work if it's in Enforcing.
>>>>
>>>>> This is because flatpak-selinux installs a SELinux module in %post:
>>>>>
>>>>> %post selinux
>>>>> %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
>>>>>
>>>>> which sources /etc/selinux/config.  It is failing because
>>>>> /etc/selinux/config does not exist and /bin/sh exits with failure
>>>>> (/bin/bash does not, interestingly enough).
>>>>>
>>>>> This was reported earlier here:
>>>>>
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1723118
>>>>
>>>> For reference, here are some other BZs that I've run into while trying
>>>> to come up with my own fixes to this issue:
>>>>
>>>> * https://bugzilla.redhat.com/show_bug.cgi?id=1732132
>>>>
>>>> * https://bugzilla.redhat.com/show_bug.cgi?id=1665643
>>>>
>>>>> and the suggestion made to add:
>>>>>
>>>>> Requires(post): selinux-policy
>>>>>
>>>>> since selinux-policy owns /etc/selinux/config.  However, selinux-policy
>>>>> creates /etc/selinux/config in its own %post, and Requires(post) only
>>>>> guarantees that the package's contents are installed, not that its
>>>>> scripts are complete.
>>>>>
>>>>> So, what's the best way to fix this?  We need /etc/selinux/policy to be
>>>>> present and populated with SELINUXTYPE=targeted for the selinux policy
>>>>> modules to be installed properly.
>>>>>
>>>>> selinux-policy does:
>>>>>
>>>>> %post
>>>>> if [ ! -s /etc/selinux/config ]; then
>>>>>     #
>>>>>     # New install so we will default to targeted policy
>>>>>     #
>>>>>     echo "
>>>>> # This file controls the state of SELinux on the system.
>>>>> # SELINUX= can take one of these three values:
>>>>> #     enforcing - SELinux security policy is enforced.
>>>>> #     permissive - SELinux prints warnings instead of enforcing.
>>>>> #     disabled - No SELinux policy is loaded.
>>>>> SELINUX=enforcing
>>>>> # SELINUXTYPE= can take one of these three values:
>>>>> #     targeted - Targeted processes are protected,
>>>>> #     minimum - Modification of targeted policy. Only selected processes are protected.
>>>>> #     mls - Multi Level Security protection.
>>>>> SELINUXTYPE=targeted
>>>>>
>>>>> " > /etc/selinux/config
>>>>>
>>>>>     ln -sf ../selinux/config /etc/sysconfig/selinux
>>>>>     restorecon /etc/selinux/config 2> /dev/null || :
>>>>> else
>>>>>     . /etc/selinux/config
>>>>> fi
>>>>> exit 0
>>>>>
>>>>> But can't this be achieved simply with:
>>>>>
>>>>> %config(noreplace) %{_sysconfdir}/selinux/config
>>>>>
>>>>> New installs would get the default config, but otherwise you would
>>>>> get a .rpmnew file.
>>>>>
>>>>> However, I realize that nothing is particularly simple about SELinux
>>>>> so there are probably things I'm not aware of that prevent this.
>>>>>
>>>>> PS - the else code seems to be a no-op.
>>>>
>>>> Back when I was trying to find my own fixes, I managed to fix one
>>>> portion of the %post selinux that was enough to solve my own problems,
>>>> but this issue you're seeing is one that I wasn't able to find a fix
>>>> for myself. I'd love to see a resolution to this.
>>
>> --
>> Orion Poplawski
>> Manager of NWRA Technical Systems       720-772-5637
>> NWRA, Boulder/CoRA Office               FAX: 303-415-9702
>> 3380 Mitchell Lane                      orion@xxxxxxxx
>> Boulder, CO 80301                       https://www.nwra.com/

--
Lukas Vrabec
SELinux Evangelist, Senior Software Engineer, Security Technologies
Red Hat, Inc.
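The failure Orion traces in the quoted thread (a %post scriptlet sources /etc/selinux/config before selinux-policy's own %post has created it, and /bin/sh treats the missing file as fatal where bash merely continues) can be reproduced and guarded against in a few lines of POSIX shell. The block below is an added example, not code from the thread, from selinux-policy or from the flatpak package: the probe_dot_missing_file and read_selinux_type helpers, the fixture paths under a temporary directory and the sample config contents are all constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread, selinux-policy or flatpak). Reproduces the
# scriptlet failure mode described in the thread and shows a way to obtain
# SELINUXTYPE that does not depend on /etc/selinux/config existing yet.
# All paths, sample contents and the sh-vs-bash probe are constructed here.

# Probe: run `. <missing file>` in the named shell and report whether the shell
# carried on to the next command. A non-interactive POSIX sh treats a missing
# file for `.` as a fatal error, so a scriptlet written that way never reaches
# the module install; plain bash only returns non-zero and continues.
# Returns 0 if the shell continued, 1 if it aborted.
probe_dot_missing_file() {
    "$1" -c '. /nonexistent/selinux-config-example; echo survived' 2>/dev/null |
        grep -q survived
}

# Read SELINUXTYPE from an SELinux config file without executing the file.
# A missing file, an empty file or a file with no SELINUXTYPE line all yield
# "targeted", the value selinux-policy's own %post writes on a fresh install.
# Any value other than the three documented types is also mapped to "targeted",
# so a malformed line cannot steer a module into an arbitrary /etc/selinux/<type>.
read_selinux_type() {
    cfg="${1:-/etc/selinux/config}"
    selinuxtype=""
    if [ -s "$cfg" ]; then
        # last uncommented assignment wins; blanks around '=' and a trailing
        # comment are tolerated
        selinuxtype=$(sed -n \
            's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
            "$cfg" | tail -n 1)
    fi
    case "$selinuxtype" in
        targeted|minimum|mls) printf '%s\n' "$selinuxtype" ;;
        *) printf '%s\n' targeted ;;
    esac
}

# Demo on constructed fixtures in a temporary directory; no system files are touched.
demo_dir=$(mktemp -d)
printf 'SELINUX=permissive\nSELINUXTYPE=mls\n' > "$demo_dir/config"
echo "configured file -> $(read_selinux_type "$demo_dir/config")"   # mls
echo "missing file    -> $(read_selinux_type "$demo_dir/absent")"   # targeted
for impl in sh bash; do
    if ! command -v "$impl" >/dev/null 2>&1; then
        echo "$impl: not installed here, probe skipped"
    elif probe_dot_missing_file "$impl"; then
        echo "$impl: continued past '. missing-file' (the bash behaviour noted in the thread)"
    else
        echo "$impl: aborted at '. missing-file' (what the %post scriptlet hit under /bin/sh)"
    fi
done
rm -rf "$demo_dir"
```

Parsing the file with sed instead of sourcing it is a deliberate choice: the scriptlet then runs whether or not the file exists, and the only thing it takes from the file is one of three known policy names, which is all the module install needs. The ordering question in the thread (whether Requires(pre)/Requires(post) guarantee that another package's %post has already run) is untouched by this; the helper simply stops depending on that ordering.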
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx