rpm -V selinux-policy-targeted
Jeff Johnson
n3npq at nc.rr.com
Wed Nov 24 21:13:05 UTC 2004
Daniel J Walsh wrote:
> How about something like the following.
>
> if [ -x /usr/sbin/selinuxenabled -a -f /etc/selinux/config ]; then
>     . /etc/selinux/config
>     POLICYFILE=/etc/selinux/%{type}/policy/policy.18
>     RPMPOLICYFILE=$POLICYFILE.rpmnew
>     if [ "${SELINUXTYPE}" = "%{type}" -a /usr/sbin/selinuxenabled -a \
>          -e $RPMPOLICYFILE -a \
>          $RPMPOLICYFILE -nt $POLICYFILE ]; then
>         diff -q $RPMPOLICYFILE $POLICYFILE > /dev/null ||
>             make -C /etc/selinux/%{type}/src/policy load > /dev/null 2>&1
>     fi
> fi
*.rpmnew exists iff the original file was locally modified with respect
to the md5 contained within the old package metadata is what to watch
out for.

Leftover *.rpmnew can/will exist from previous upgrades; nuking *.rpmnew
is recommended and perhaps will simplify some logic, and avoid clock
skew issues.

Inter-package existence tests like "-x /usr/sbin/selinuxenabled" are
tricky because when and where the scriptlet is run needs to be
considered. You might just as well add a Requires: and rely on the
transaction being ordered correctly; that is likelier to work
predictably, and is a simpler script to write.

The whole scheme assumes that ${SELINUXTYPE} changes rarely, but
wot's a girl to do?
HTH Isn't rpm annoying? ;-)
73 de Jeff
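
The following is an added example, not part of the original thread or of the selinux-policy package: one way to fold the reply's points into the scriptlet logic by dropping the existence test (assuming a Requires: on whatever provides selinuxenabled), comparing contents instead of mtimes, and removing the *.rpmnew once handled. `SELINUX_ROOT`, `SELINUXENABLED`, `policy_action` and `apply_policy_action` are hypothetical names, and removing the file at that point is an assumption about when the cleanup should happen; in a spec file the argument would be `%{type}`.

```shell
#!/bin/sh
# Hypothetical overridable hooks so the logic can be exercised outside an
# RPM transaction; the defaults are the paths used in the thread.
: "${SELINUXENABLED:=/usr/sbin/selinuxenabled}"
: "${SELINUX_ROOT:=/etc/selinux}"

# policy_action TYPE -> prints one of: skip, discard, reload
policy_action() {
    ptype=$1
    config=$SELINUX_ROOT/config
    policy=$SELINUX_ROOT/$ptype/policy/policy.18
    new=$policy.rpmnew

    [ -f "$config" ] || { echo skip; return; }
    # Source the config in a subshell so it cannot clobber our variables.
    active=$(. "$config" >/dev/null 2>&1; printf '%s' "$SELINUXTYPE")
    [ "$active" = "$ptype" ] || { echo skip; return; }
    # Run the command: inside [ ], a bare path is only a non-empty-string
    # test and says nothing about whether SELinux is enabled.
    "$SELINUXENABLED" || { echo skip; return; }
    [ -e "$new" ] || { echo skip; return; }
    # Compare contents, not mtimes: unaffected by clock skew or by an old
    # leftover *.rpmnew whose timestamp predates the current policy.
    if cmp -s "$new" "$policy"; then echo discard; else echo reload; fi
}

# apply_policy_action TYPE: act on the decision, then remove the *.rpmnew so
# it cannot be mistaken for a fresh one on the next upgrade. The file is
# kept if the reload fails.
apply_policy_action() {
    ptype=$1
    case $(policy_action "$ptype") in
        reload)
            make -C "$SELINUX_ROOT/$ptype/src/policy" load >/dev/null 2>&1 ||
                return 1 ;;
        discard) ;;
        *) return 0 ;;
    esac
    rm -f "$SELINUX_ROOT/$ptype/policy/policy.18.rpmnew"
}
```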