Re: [PATCH] spec: call semanage in posttrans not in post

Frediano Ziglio <fziglio@xxxxxxxxxx> · Tue, 5 Feb 2019 13:24:38 -0500 (EST)

> On Tue, Feb 05, 2019 at 09:30:39AM -0500, Frediano Ziglio wrote:
> > > 
> > > It can happen that selinux-policy (targeted) is installed only after
> > > spice-streaming-agent (upon system installation). In that case
> > > running semanage in post scriptlet will fail.
> > > 
> > > In posttrans all packages are already installed, so it should be
> > > safe to call semanage at that point.
> > > 
> > > rhbz#1647789
> > > 
> > > Signed-off-by: Uri Lublin <uril@xxxxxxxxxx>
> > > ---
> > > 
> > > In a first patch I wrote I also added a condition that
> > > checks if selinuxenabled. If people feel it's better
> > > I'll send a V2 with it.
> > > 
> > 
> > I see no reason why adding to selinux-policy should be a stopover
> > for this fix in the meanwhile.
> > 
> > Acked-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
> 
> Ensuring that a bug is fixed in the right place, and explaining this in
> the commit log should be a stopper though.
> 
> Christophe
> 

It's not clear what you are suggesting.
Adding a sentence in the commit message?

> > 
> > Frediano
> > 
> > > ---
> > >  spice-streaming-agent.spec.in | 6 ++++--
> > >  1 file changed, 4 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/spice-streaming-agent.spec.in
> > > b/spice-streaming-agent.spec.in
> > > index 5a06e89..6b5ac22 100644
> > > --- a/spice-streaming-agent.spec.in
> > > +++ b/spice-streaming-agent.spec.in
> > > @@ -13,7 +13,7 @@ BuildRequires:  catch-devel
> > >  BuildRequires:  pkgconfig(udev)
> > >  # we need /usr/sbin/semanage program which is available on different
> > >  # packages depending on distribution
> > > -Requires(post): /usr/sbin/semanage
> > > +Requires(posttrans): /usr/sbin/semanage
> > >  Requires(postun): /usr/sbin/semanage
> > >  
> > >  %description
> > > @@ -45,7 +45,9 @@ if test -d "%{buildroot}/%{_libdir}/%{name}/plugins";
> > > then
> > >      find %{buildroot}/%{_libdir}/%{name}/plugins -name '*.la' -delete
> > >  fi
> > >  
> > > -%post
> > > +# See rhbz#1647789 - call semanage in posttrans, not in post
> > > +# and https://fedoraproject.org/wiki/Packaging:Scriptlets
> > > +%posttrans
> > >  semanage fcontext -a -t xserver_exec_t %{_bindir}/spice-streaming-agent
> > >  2>/dev/null || :
> > >  restorecon %{_bindir}/spice-streaming-agent || :
> > >  
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel