Michael Thomas wrote:
> Paul Howarth wrote:
>
>>On Thu, 2006-07-27 at 16:57 -0700, Michael Thomas wrote:
>>
>>>I played around with this a bit, and I think that the -selinux
>>>subpackage should Requires: the package that it applies to. If you
>>>install the -selinux package first, then the base package, the
>>>newly installed base package files don't get relabeled and the
>>>policy won't have any effect.
>>
>>If the selinux package includes the appropriate file contexts in the
>>.fc file, installing it first has the advantage that RPM will label
>>the main package's files correctly at install time and no relabelling
>>is necessary at all.
>
> This isn't working for me if the main package and -selinux package are
> in the same rpm transaction.
>
> I have a set of packages on FC5 with this:
>
> %post selinux
> semodule -i %{_datadir}/selinux/packages/xpilotd/xpilotd.pp || :
> /sbin/restorecon -R %{_bindir}/xpilot-ng-meta || :
>
> The rpm transaction installs the -selinux subpackage first, which
> installs the xpilot policy file which has a file context for
> /usr/bin/xpilot-ng-meta. But when rpm installs the main package next in
> the transaction, the xpilot-ng-meta file does not get labelled correctly.
>
> However, if I install these packages in separate transactions, then the
> file gets labelled correctly regardless of which order the packages get
> installed. It almost seems as if the selinux policy does not really
> take effect until after the rpm transaction has finished, even though
> semodule -i was called in %post.
>
> Adding 'Requires: %{name}' to the -selinux subpackage does seem to fix
> the problem, however, as it seems to force the installation of the
> -selinux package last, which relabels things correctly.

...and I can reliably reproduce the problem by forcing the incorrect
ordering by adding 'Requires: %{name}-selinux' to the main package.

--Mike

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list