[Freeipa-devel] [PATCH 0223] Update Fedora SPEC file for v4.0 (RPM expert needed)

Petr Spacek pspacek at redhat.com
Fri Feb 21 11:10:15 UTC 2014


On 21.2.2014 11:05, Tomas Hozza wrote:
> On 02/21/2014 10:46 AM, Petr Spacek wrote:
>> I want to release bind-dyndb-ldap 4.0 to Fedora 20+ but I have found that we
>> need to enable SELinux boolean named_write_master_zones otherwise the plugin
>> will not be able to write journal files to /var/named.
>>
>> I have asked Miroslav Grepl <mgrepl at redhat.com> for advice and his
>> recommendation is to use another context for our dyndb-ldap sub-directory or
>> to enable named_write_master_zones.
>>
>> (See https://bugzilla.redhat.com/show_bug.cgi?id=1066333)
>>
>> I have decided to use the more generic named_write_master_zones because it will be
>> needed for DNSSEC key management anyway.
>>
>> Miroslav told me that it is allowed to change SELinux booleans in RPM
>> scriptlets - it is normal operation - but that we have to disable the boolean
>> during package un-installation.
>>
>> Please review %post and %postun sections in SPEC file.
>>
>> Thank you!
>>
>> -- Petr^2 Spacek
>>
>>
>>
>>  From a7329ae3459a135eff2897d3de9da607280b4615 Mon Sep 17 00:00:00 2001
>> From: Petr Spacek <pspacek at redhat.com>
>> Date: Fri, 21 Feb 2014 10:35:35 +0100
>> Subject: [PATCH] Update to 4.0.
>>
>> Signed-off-by: Petr Spacek <pspacek at redhat.com>
>> ---
>>   bind-dyndb-ldap.spec | 31 ++++++++++++++++++++++++-------
>>   1 file changed, 24 insertions(+), 7 deletions(-)
>>
>> =======================================
>>
>> diff --git a/bind-dyndb-ldap.spec b/bind-dyndb-ldap.spec
>> index 85b59e40035a35276ee0997764cdd976a8716df5..cbe6b7c76327a9df8e49d4acf925be8f9c1da29b 100644
>>
>> --- a/bind-dyndb-ldap.spec
>>
>> +++ b/bind-dyndb-ldap.spec
>>
>> @@ -1,26 +1,22 @@
>>
>> -#%define PATCHVER P4
>> -#%define PREVER 20121009git6a86b1
>> -#%define VERSION %{version}-%{PATCHVER}
>> -#%define VERSION %{version}-%{PREVER}
>> %define VERSION %{version}
>> Name: bind-dyndb-ldap
>> -Version: 3.5
>> +Version: 4.0
>> Release: 1%{?dist}
>> Summary: LDAP back-end plug-in for BIND
>> Group: System Environment/Libraries
>> License: GPLv2+
>> URL: https://fedorahosted.org/bind-dyndb-ldap
>> Source0:
>> https://fedorahosted.org/released/%{name}/%{name}-%{VERSION}.tar.bz2
>> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
>> -BuildRequires: bind-devel >= 32:9.6.1-0.3.b1
>> +BuildRequires: bind-devel >= 32:9.9.0-1, bind-lite-devel >= 32:9.9.0-1
>> BuildRequires: krb5-devel
>> BuildRequires: openldap-devel
>> BuildRequires: automake, autoconf, libtool
>> -Requires: bind >= 32:9.6.1-0.3.b1
>> +Requires: bind >= 32:9.9.0-1
>> %description
>> This package provides an LDAP back-end plug-in for BIND. It features
>>
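Review bot: Nothing in the Requires lines of this hunk pulls in the package that provides /usr/sbin/setsebool, yet the %post and %postun scriptlets added further down in this patch rely on it and skip silently when the [ -x "/usr/sbin/setsebool" ] test fails. If the tool is not installed when the scriptlet runs, the boolean is never enabled and nothing is reported. Consider adding Requires(post) and Requires(postun) on that tool, or printing a message in the skipped case so the administrator knows named_write_master_zones still has to be set by hand.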
>> @@ -41,25 +37,45 @@
>>
>> make %{?_smp_mflags}
>> %install
>> rm -rf %{buildroot}
>> make install DESTDIR=%{buildroot}
>> +mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap
>> # Remove unwanted files
>> rm %{buildroot}%{_libdir}/bind/ldap.la
>> rm -r %{buildroot}%{_datadir}/doc/%{name}
>> +# SELinux boolean named_write_master_zones has to be enabled
>> +# otherwise plugin will not be able to write to /var/named
>> +%post
>> +if [ "0$1" -eq "1" ] && [ -x "/usr/sbin/setsebool" ] ; then
>> + echo "Enabling SELinux boolean named_write_master_zones"
>> + /usr/sbin/setsebool -P named_write_master_zones=1 || true
>
> I think you should redirect all output from the setsebool to /dev/null
> so it does not produce any output during the "yum install". The same
> for the "echo"; I'm not sure if it should be there, but I didn't find any
> rule in packaging guidelines that prohibits you from doing so.

I don't understand what the point is. I guess that it is an anachronism from 
old times when RPM had problems with that.

If you don't insist (or find any rule about this) I will leave the output as is.

IMHO it is much much better to show the user what went wrong instead of telling 
just "post scriptlet failed".


> It is also "common" to use ":" instead of "true" after OR, but this is
> a cosmetic thing.
Done.

>
> You can find more information (if you didn't already) here:
> https://fedoraproject.org/wiki/Packaging:ScriptletSnippets
>
>> +fi
>> +
>> +
>> +%postun
>> +if [ "0$1" -eq "0" ] && [ -x "/usr/sbin/setsebool" ] ; then
>> + echo "Disabling SELinux boolean named_write_master_zones"
>> + /usr/sbin/setsebool -P named_write_master_zones=0 || true
>
> The same as above...
>
>> +fi
>> +
>> +
>> %clean
>> rm -rf %{buildroot}
>> %files
>> %defattr(-,root,root,-)
>> %doc NEWS README COPYING doc/{example.ldif,schema}
>> +%dir %attr(770, root, named) %{_localstatedir}/named/dyndb-ldap
>> %{_libdir}/bind/ldap.so
>> %changelog
>> +* Wed Feb 19 2014 Petr Spacek <pspacek redhat com> 4.0-1
>> +- update to 4.0
>> +
>> * Thu Jul 18 2013 Petr Spacek <pspacek redhat com> 3.5-1
>> - update to 3.5
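Review bot: The %post condition [ "0$1" -eq "1" ] is true only on a first install, so a system upgraded from 3.5-1 to 4.0-1 (where $1 is 2) never gets named_write_master_zones enabled and the plugin cannot write its journal files under /var/named/dyndb-ldap. Since 4.0 is the first release that needs the boolean, the setsebool call should also run on upgrade. Separately, %postun sets named_write_master_zones=0 unconditionally on removal, which also switches it off for an administrator who had enabled it before this package was installed or who needs it for another purpose; recording in %post whether the boolean was already on, and resetting it in %postun only when this package changed it, avoids that. The boolean is system-wide and affects named's write access to /var/named as a whole, not only the 770 root:named dyndb-ldap directory created here, so the dedicated context for the sub-directory mentioned in the cover letter would keep the grant narrower.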
>> --
>>
>> 1.8.5.3
>
> Regards,
>
> Tomas

-- 
Petr^2 Spacek



