[Freeipa-devel] [PATCH 0223] Update Fedora SPEC file for v4.0 (RPM expert needed)

Tomas Hozza thozza at redhat.com
Fri Feb 21 12:02:23 UTC 2014



On 02/21/2014 12:54 PM, Tomas Hozza wrote:
> On 02/21/2014 12:10 PM, Petr Spacek wrote:
>> On 21.2.2014 11:05, Tomas Hozza wrote:
>>> On 02/21/2014 10:46 AM, Petr Spacek wrote:
>>>> I want to release bind-dyndb-ldap 4.0 to Fedora 20+ but I have found
>>>> that we
>>>> need to enable SELinux boolean named_write_master_zones otherwise the
>>>> plugin
>>>> will not be able to write journal files to /var/named.
>>>>
>>>> I have asked Miroslav Grepl <mgrepl at redhat.com> for advice and his
>>>> recommendation is to use another context for our dyndb-ldap
>>>> sub-directory or
>>>> to enable named_write_master_zones.
>>>>
>>>> (See https://bugzilla.redhat.com/show_bug.cgi?id=1066333)
>>>>
>>>> I have decided to use more generic named_write_master_zones because
>>>> it will be
>>>> need for DNSSEC key management anyway.
>>>>
>>>> Miroslav told me that it is allowed to change SELinux booleans in RPM
>>>> scriptlets - it is normal operation - but that we have to disable the
>>>> boolean
>>>> during package un-installation.
>>>>
>>>> Please review %post and %postun sections in SPEC file.
>>>>
>>>> Thank you!
>>>>
>>>> -- Petr^2 Spacek
>>>>
>>>>
>>>>
>>>>  From a7329ae3459a135eff2897d3de9da607280b4615 Mon Sep 17 00:00:00 2001
>>>> From: Petr Spacek <pspacek at redhat.com>
>>>> Date: Fri, 21 Feb 2014 10:35:35 +0100
>>>> Subject: [PATCH] Update to 4.0.
>>>>
>>>> Signed-off-by: Petr Spacek <pspacek at redhat.com>
>>>> ---
>>>>   bind-dyndb-ldap.spec | 31 ++++++++++++++++++++++++-------
>>>>   1 file changed, 24 insertions(+), 7 deletions(-)
>>>>
>>>> =======================================
>>>>
>>>> diff --git a/bind-dyndb-ldap.spec b/bind-dyndb-ldap.spec
>>>> index
>>>> 85b59e40035a35276ee0997764cdd976a8716df5..cbe6b7c76327a9df8e49d4acf925be8f9c1da29b
>>>> 100644
>>>>
>>>> --- a/bind-dyndb-ldap.spec
>>>>
>>>> +++ b/bind-dyndb-ldap.spec
>>>>
>>>> @@ -1,26 +1,22 @@
>>>>
>>>> -#%define PATCHVER P4
>>>> -#%define PREVER 20121009git6a86b1
>>>> -#%define VERSION %{version}-%{PATCHVER}
>>>> -#%define VERSION %{version}-%{PREVER}
>>>> %define VERSION %{version}
>>>> Name: bind-dyndb-ldap
>>>> -Version: 3.5
>>>> +Version: 4.0
>>>> Release: 1%{?dist}
>>>> Summary: LDAP back-end plug-in for BIND
>>>> Group: System Environment/Libraries
>>>> License: GPLv2+
>>>> URL: https://fedorahosted.org/bind-dyndb-ldap
>>>> Source0:
>>>> https://fedorahosted.org/released/%{name}/%{name}-%{VERSION}.tar.bz2
>>>> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u}
>>>> -n)
>>>> -BuildRequires: bind-devel >= 32:9.6.1-0.3.b1
>>>> +BuildRequires: bind-devel >= 32:9.9.0-1, bind-lite-devel >= 32:9.9.0-1
>>>> BuildRequires: krb5-devel
>>>> BuildRequires: openldap-devel
>>>> BuildRequires: automake, autoconf, libtool
>>>> -Requires: bind >= 32:9.6.1-0.3.b1
>>>> +Requires: bind >= 32:9.9.0-1
>>>> %description
>>>> This package provides an LDAP back-end plug-in for BIND. It features
>>>>
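Review bot: the header bumps `Requires: bind >= 32:9.9.0-1` and adds `bind-lite-devel` for the build, but nothing in the visible header gives the new `%post`/`%postun` scriptlets a `Requires(post)`/`Requires(postun)` on the package that ships /usr/sbin/setsebool, so on a minimal system the `-x` test in those scriptlets will quietly skip the boolean and the plugin will fail to write journals later with no hint at install time; add the scriptlet dependency. Two smaller points in the same hunk: with the PATCHVER/PREVER lines removed, `%define VERSION %{version}` is now a plain alias for `%{version}` (and Fedora guidelines prefer `%global` where a macro is kept), and the `BuildRoot:` tag is no longer needed on the Fedora releases this targets.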
>>>> @@ -41,25 +37,45 @@
>>>>
>>>> make %{?_smp_mflags}
>>>> %install
>>>> rm -rf %{buildroot}
>>>> make install DESTDIR=%{buildroot}
>>>> +mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap
>>>> # Remove unwanted files
>>>> rm %{buildroot}%{_libdir}/bind/ldap.la
>>>> rm -r %{buildroot}%{_datadir}/doc/%{name}
>>>> +# SELinux boolean named_write_master_zones has to be enabled
>>>> +# otherwise plugin will not be able to write to /var/named
>>>> +%post
>>>> +if [ "0$1" -eq "1" ] && [ -x "/usr/sbin/setsebool" ] ; then

I just noticed that you are setting the SELinux option ONLY when
installing the package. I think you want to set it also when updating
the package from an older version...

So you should use "-ge" instead of "-eq".

>>>> + echo "Enabling SELinux boolean named_write_master_zones"
>>>> + /usr/sbin/setsebool -P named_write_master_zones=1 || true
>>>
>>> I think you should redirect all output from the setsebool to /dev/null
>>> so it does not produce any output during the "yum install". The same
>>> for the "echo": I'm not sure whether it should be there, but I didn't find
>>> any rule in the packaging guidelines that prohibits you from doing so.
> 
>> I don't understand what the point is. I guess that it is an anachronism
>> from the old times when RPM had problems with that.
> 
>> If you don't insist (or find any rule about this) I will leave the output
>> as is.
> 
>> IMHO it is much, much better to show the user what went wrong instead of
>> telling them just "post scriptlet failed".
> 
> I don't insist on this. However, from my point of view at least the
> STDOUT should be discarded. You may leave the STDERR as is.
> 
> Keep in mind that a user using a graphical installation tool will not
> see those outputs anyway.
> 
> 
> 
>>> It is also "common" to use ":" instead of "true" after OR, but this is
>>> a cosmetic thing.
>> Done.
> 
>>>
>>> You can find more information (if you didn't already) here:
>>> https://fedoraproject.org/wiki/Packaging:ScriptletSnippets
>>>
>>>> +fi
>>>> +
>>>> +
>>>> +%postun
>>>> +if [ "0$1" -eq "0" ] && [ -x "/usr/sbin/setsebool" ] ; then
>>>> + echo "Disabling SELinux boolean named_write_master_zones"
>>>> + /usr/sbin/setsebool -P named_write_master_zones=0 || true
>>>
>>> The same as above...
>>>
>>>> +fi
>>>> +
>>>> +
>>>> %clean
>>>> rm -rf %{buildroot}
>>>> %files
>>>> %defattr(-,root,root,-)
>>>> %doc NEWS README COPYING doc/{example.ldif,schema}
>>>> +%dir %attr(770, root, named) %{_localstatedir}/named/dyndb-ldap
>>>> %{_libdir}/bind/ldap.so
>>>> %changelog
>>>> +* Wed Feb 19 2014 Petr Spacek <pspacek redhat com> 4.0-1
>>>> +- update to 4.0
>>>> +
>>>> * Thu Jul 18 2013 Petr Spacek <pspacek redhat com> 3.5-1
>>>> - update to 3.5
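Review bot: `%post` runs `setsebool` only when `"0$1" -eq "1"`, i.e. on a fresh install; an upgrade from 3.5 passes `$1` = 2 and never enables the boolean, so use `-ge 1` as already suggested in the thread. Beyond that, `named_write_master_zones=1` lets named write to everything under /var/named, not only the new `%{_localstatedir}/named/dyndb-ldap` directory that `%install` creates with mode 770 and `%files` owns as root:named, so the dedicated-context alternative mentioned in the cover mail is the narrower grant and worth stating in the spec comment as the reason it was not taken; and `%postun` disables the boolean on every erase even when an administrator had turned it on independently, which the scriptlet cannot distinguish, so a comment warning about that side effect (or a `getsebool` check before `%post` changes anything) would help. Minor: the new changelog entry is dated Wed Feb 19 2014 while the commit is dated Fri 21 Feb 2014; align the two.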
>>>> -- 
>>>>
>>>> 1.8.5.3
>>>
>>> Regards,
>>>
>>> Tomas

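As an added example (not Petr's patch and not bind-dyndb-ldap code), the scriptlet logic the thread settles on, written as shell functions so the install, upgrade and erase cases can be exercised outside RPM; the setsebool path /usr/sbin/setsebool is an assumption and is overridable so a stub can stand in for it.

```shell
#!/bin/sh
# Added example (not from the patch): the %post/%postun logic the thread
# converges on, factored into functions so the RPM argument cases can be
# checked without rpm. Assumes setsebool at /usr/sbin/setsebool; the path
# is overridable so a stub can stand in for it in tests.
SETSEBOOL=${SETSEBOOL:-/usr/sbin/setsebool}
BOOLEAN=named_write_master_zones

# %post receives $1 = 1 on fresh install and >= 2 on upgrade, so "-ge 1"
# (Tomas's suggestion) enables the boolean in both cases.
post_action() {
    if [ "0$1" -ge 1 ]; then echo enable; else echo noop; fi
}

# %postun receives $1 = 0 on erase and >= 1 on upgrade; only erase disables.
postun_action() {
    if [ "0$1" -eq 0 ]; then echo disable; else echo noop; fi
}

# Set the boolean persistently. stdout is discarded so "yum install" stays
# quiet, stderr is kept so a failure is visible, and ":" keeps the scriptlet
# from failing when SELinux is disabled or setsebool is absent.
set_boolean() {
    [ -x "$SETSEBOOL" ] || return 0
    "$SETSEBOOL" -P "$BOOLEAN=$1" >/dev/null || :
}

# Entry points mirroring the %post and %postun bodies; $1 is RPM's argument.
run_post()   { [ "$(post_action "$1")" = enable ] && set_boolean 1; return 0; }
run_postun() { [ "$(postun_action "$1")" = disable ] && set_boolean 0; return 0; }
```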