[Freeipa-devel] [PATCH 0223] Update Fedora SPEC file for v4.0 (RPM expert needed)

Tomas Hozza thozza at redhat.com
Fri Feb 21 11:54:44 UTC 2014


On 02/21/2014 12:10 PM, Petr Spacek wrote:
> On 21.2.2014 11:05, Tomas Hozza wrote:
>> On 02/21/2014 10:46 AM, Petr Spacek wrote:
>>> I want to release bind-dyndb-ldap 4.0 to Fedora 20+ but I have found that
>>> we need to enable SELinux boolean named_write_master_zones otherwise the
>>> plugin will not be able to write journal files to /var/named.
>>>
>>> I have asked Miroslav Grepl <mgrepl at redhat.com> for advice and his
>>> recommendation is to use another context for our dyndb-ldap sub-directory
>>> or to enable named_write_master_zones.
>>>
>>> (See https://bugzilla.redhat.com/show_bug.cgi?id=1066333)
>>>
>>> I have decided to use more generic named_write_master_zones because it
>>> will be needed for DNSSEC key management anyway.
>>>
>>> Miroslav told me that it is allowed to change SELinux booleans in RPM
>>> scriptlets - it is normal operation - but that we have to disable the
>>> boolean during package un-installation.
>>>
>>> Please review %post and %postun sections in SPEC file.
>>>
>>> Thank you!
>>>
>>> -- Petr^2 Spacek
>>>
>>>
>>>
>>>  From a7329ae3459a135eff2897d3de9da607280b4615 Mon Sep 17 00:00:00 2001
>>> From: Petr Spacek <pspacek at redhat.com>
>>> Date: Fri, 21 Feb 2014 10:35:35 +0100
>>> Subject: [PATCH] Update to 4.0.
>>>
>>> Signed-off-by: Petr Spacek <pspacek at redhat.com>
>>> ---
>>>   bind-dyndb-ldap.spec | 31 ++++++++++++++++++++++++-------
>>>   1 file changed, 24 insertions(+), 7 deletions(-)
>>>
>>> =======================================
>>>
>>> diff --git a/bind-dyndb-ldap.spec b/bind-dyndb-ldap.spec
>>> index
>>> 85b59e40035a35276ee0997764cdd976a8716df5..cbe6b7c76327a9df8e49d4acf925be8f9c1da29b
>>> 100644
>>>
>>> --- a/bind-dyndb-ldap.spec
>>>
>>> +++ b/bind-dyndb-ldap.spec
>>>
>>> @@ -1,26 +1,22 @@
>>>
>>> -#%define PATCHVER P4
>>> -#%define PREVER 20121009git6a86b1
>>> -#%define VERSION %{version}-%{PATCHVER}
>>> -#%define VERSION %{version}-%{PREVER}
>>> %define VERSION %{version}
>>> Name: bind-dyndb-ldap
>>> -Version: 3.5
>>> +Version: 4.0
>>> Release: 1%{?dist}
>>> Summary: LDAP back-end plug-in for BIND
>>> Group: System Environment/Libraries
>>> License: GPLv2+
>>> URL: https://fedorahosted.org/bind-dyndb-ldap
>>> Source0:
>>> https://fedorahosted.org/released/%{name}/%{name}-%{VERSION}.tar.bz2
>>> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u}
>>> -n)
>>> -BuildRequires: bind-devel >= 32:9.6.1-0.3.b1
>>> +BuildRequires: bind-devel >= 32:9.9.0-1, bind-lite-devel >= 32:9.9.0-1
>>> BuildRequires: krb5-devel
>>> BuildRequires: openldap-devel
>>> BuildRequires: automake, autoconf, libtool
>>> -Requires: bind >= 32:9.6.1-0.3.b1
>>> +Requires: bind >= 32:9.9.0-1
>>> %description
>>> This package provides an LDAP back-end plug-in for BIND. It features
>>>
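Review bot: the Requires block in this hunk gains no scriptlet dependency for /usr/sbin/setsebool, which the %post and %postun scriptlets added later in this patch call. Because those scriptlets guard on [ -x "/usr/sbin/setsebool" ], a transaction in which the tool is not yet installed silently skips the boolean change and the plugin is left unable to write to /var/named. Consider adding Requires(post) and Requires(postun) on whatever provides /usr/sbin/setsebool next to "Requires: bind >= 32:9.9.0-1".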
>>> @@ -41,25 +37,45 @@
>>>
>>> make %{?_smp_mflags}
>>> %install
>>> rm -rf %{buildroot}
>>> make install DESTDIR=%{buildroot}
>>> +mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap
>>> # Remove unwanted files
>>> rm %{buildroot}%{_libdir}/bind/ldap.la
>>> rm -r %{buildroot}%{_datadir}/doc/%{name}
>>> +# SELinux boolean named_write_master_zones has to be enabled
>>> +# otherwise plugin will not be able to write to /var/named
>>> +%post
>>> +if [ "0$1" -eq "1" ] && [ -x "/usr/sbin/setsebool" ] ; then
>>> + echo "Enabling SELinux boolean named_write_master_zones"
>>> + /usr/sbin/setsebool -P named_write_master_zones=1 || true
>>
>> I think you should redirect all output from the setsebool to /dev/null
>> so it does not produce any output during the "yum install". The same
>> for the "echo"; I'm not sure if it should be there, but I didn't find any
>> rule in packaging guidelines that is prohibiting you from doing so.
> 
> I don't understand what is the point. I guess that it is an anachronism
> from old times when RPM had problems with that.
> 
> If you don't insist (or find any rule about this) I will let the output
> as is.
> 
> IMHO it is much much better to show to user what went wrong instead of
> telling just "post scriptlet failed".

I don't insist on this. However, from my point of view at least the
STDOUT should be discarded. You may leave the STDERR as is.

Keep in mind that a user using a graphical installation tool will not
see those outputs anyway.

> 
> 
>> It is also "common" to use ":" instead of "true" after OR, but this is
>> a cosmetic thing.
> Done.
> 
>>
>> You can find more information (if you didn't already) here:
>> https://fedoraproject.org/wiki/Packaging:ScriptletSnippets
>>
>>> +fi
>>> +
>>> +
>>> +%postun
>>> +if [ "0$1" -eq "0" ] && [ -x "/usr/sbin/setsebool" ] ; then
>>> + echo "Disabling SELinux boolean named_write_master_zones"
>>> + /usr/sbin/setsebool -P named_write_master_zones=0 || true
>>
>> The same as above...
>>
>>> +fi
>>> +
>>> +
>>> %clean
>>> rm -rf %{buildroot}
>>> %files
>>> %defattr(-,root,root,-)
>>> %doc NEWS README COPYING doc/{example.ldif,schema}
>>> +%dir %attr(770, root, named) %{_localstatedir}/named/dyndb-ldap
>>> %{_libdir}/bind/ldap.so
>>> %changelog
>>> +* Wed Feb 19 2014 Petr Spacek <pspacek redhat com> 4.0-1
>>> +- update to 4.0
>>> +
>>> * Thu Jul 18 2013 Petr Spacek <pspacek redhat com> 3.5-1
>>> - update to 3.5
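Review bot: the %post guard [ "0$1" -eq "1" ] matches only a fresh install, so a system upgrading from the 3.5-1 package listed in the changelog (where $1 is 2) never gets named_write_master_zones enabled and the plugin still cannot write to /var/named/dyndb-ldap; drop the $1 test in %post or handle the upgrade case explicitly. In %postun, "setsebool -P named_write_master_zones=0" switches the boolean off on removal even if the administrator had enabled it before this package was installed or another zone setup relies on it; consider recording the previous value in %post and restoring that value instead of forcing 0.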
>>> -- 
>>>
>>> 1.8.5.3
>>
>> Regards,
>>
>> Tomas
> 
