[Freeipa-devel] [PATCH 0223] Update Fedora SPEC file for v4.0 (RPM expert needed)

Petr Spacek pspacek at redhat.com
Fri Feb 21 12:37:56 UTC 2014


On 21.2.2014 13:02, Tomas Hozza wrote:
> On 02/21/2014 12:54 PM, Tomas Hozza wrote:
>> On 02/21/2014 12:10 PM, Petr Spacek wrote:
>>> On 21.2.2014 11:05, Tomas Hozza wrote:
>>>> On 02/21/2014 10:46 AM, Petr Spacek wrote:
>>>>> I want to release bind-dyndb-ldap 4.0 to Fedora 20+ but I have found
>>>>> that we
>>>>> need to enable SELinux boolean named_write_master_zones otherwise the
>>>>> plugin
>>>>> will not be able to write journal files to /var/named.
>>>>>
>>>>> I have asked Miroslav Grepl <mgrepl at redhat.com> for advice and his
>>>>> recommendation is to use another context for our dyndb-ldap
>>>>> sub-directory or
>>>>> to enable named_write_master_zones.
>>>>>
>>>>> (See https://bugzilla.redhat.com/show_bug.cgi?id=1066333)
>>>>>
>>>>> I have decided to use more generic named_write_master_zones because
>>>>> it will be
>>>>> needed for DNSSEC key management anyway.
>>>>>
>>>>> Miroslav told me that it is allowed to change SELinux booleans in RPM
>>>>> scriptlets - it is normal operation - but that we have to disable the
>>>>> boolean
>>>>> during package un-installation.
>>>>>
>>>>> Please review %post and %postun sections in SPEC file.
>>>>>
>>>>> Thank you!
>>>>>
>>>>> -- Petr^2 Spacek


>>>>> +%post
>>>>> +if [ "0$1" -eq "1" ] && [ -x "/usr/sbin/setsebool" ] ; then
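Review bot: the `[ "0$1" -eq "1" ]` guard runs the setsebool only on a fresh install, so a machine upgraded from a release that lacked this %post never gets the boolean enabled; either test `-ge 1` or, as the Fedora scriptlet-snippets page treats the check as redundant for %post, drop it and leave a comment stating the intended effect, which is the change the thread settles on.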
>
> I just noticed that you are setting the SELinux option ONLY when
> installing the package. I think you want to set it also if updating
> the package from older version...
>
> So you should use "-ge" instead of "-eq".

Good catch! Fixed patch is attached.

According to
https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Syntax
the condition is redundant so I replaced it with a comment about intended effect.

>>>>> + echo "Enabling SELinux boolean named_write_master_zones"
>>>>> + /usr/sbin/setsebool -P named_write_master_zones=1 || true
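Review bot: `|| true` is right for a %post, since a scriptlet must not abort an install, but it also means a missing policy module or a failed `setsebool -P` leaves the boolean unset while rpm reports success; because setsebool prints only on error, keeping its stderr unredirected is what lets the user notice that. The %postun that is supposed to clear the boolean on removal is mentioned earlier in the thread but is not in the quoted excerpt, so its `$1 -eq 0` handling cannot be checked here.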
>>>>
>>>> I think you should redirect all output from the setsebool to /dev/null
>>>> so it does not produce any output during the "yum install". The same
>>>> for the "echo"; I'm not sure if it should be there, but I didn't find any
>>>> rule in packaging guidelines that is prohibiting you from doing so.
>>
>>> I don't understand what the point is. I guess that it is an anachronism
>>> from old times when RPM had problems with that.
>>
>>> If you don't insist (or find any rule about this) I will leave the output
>>> as is.
>>
>>> IMHO it is much much better to show to user what went wrong instead of
>>> telling just "post scriptlet failed".
>>
>> I don't insist on this. However from my point of view at least the
>> STDOUT should be discarded. You may leave the STDERR as is.

setsebool prints nothing anyway (unless there is a problem). I think that 
SELinux policy is sensitive enough so any error/warning should be visible to a 
user.

>> Keep in mind that a user using a graphical installation tool will not
>> see those outputs anyway.

I would call it a bug in the GUI tool. As far as I remember, the Synaptic 
utility (on Debian) had a button like "Show me log". It seems perfectly 
reasonable to me. However, I have never seen any graphical package manager for 
Fedora :-)

-- 
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0223-2-Update-Fedora-SPEC-file-for-v4.0.patch
Type: text/x-patch
Size: 2976 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140221/fd39a736/attachment.bin>
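The %post/%postun logic discussed in this thread, written here as plain shell functions so the install, upgrade and erase cases can be exercised outside rpm. This is an added example, not the attached patch; the SETSEBOOL variable and the function names are assumptions made so a stand-in binary can be used when testing.

```shell
#!/bin/sh
# Added example: rpm scriptlet logic for toggling an SELinux boolean.
# SETSEBOOL is an assumed override so tests can point at a fake binary.
SETSEBOOL="${SETSEBOOL:-/usr/sbin/setsebool}"
BOOLEAN="named_write_master_zones"

# Decide what a scriptlet should do given rpm's $1 argument.
# %post:   $1 is 1 on fresh install, 2 or more on upgrade -> enable in both cases
# %postun: $1 is 0 on final erase, 1 or more on upgrade    -> disable only on erase
# The "0$count" prefix keeps the test valid when $1 is empty.
scriptlet_action() {
    phase="$1"; count="$2"
    case "$phase" in
        post)   [ "0$count" -ge 1 ] && echo enable  || echo none ;;
        postun) [ "0$count" -eq 0 ] && echo disable || echo none ;;
        *)      echo none ;;
    esac
}

# Apply the action. Always returns 0 so the scriptlet cannot abort an
# install or removal, but setsebool's own stderr stays visible to the user.
apply_selinux_boolean() {
    action=$(scriptlet_action "$1" "$2")
    case "$action" in
        enable)  value=1 ;;
        disable) value=0 ;;
        *)       return 0 ;;
    esac
    if [ -x "$SETSEBOOL" ]; then
        echo "Setting SELinux boolean $BOOLEAN=$value"
        "$SETSEBOOL" -P "$BOOLEAN=$value" || true
    fi
    return 0
}
```

In a SPEC file the %post body would be `apply_selinux_boolean post "$1"` and the %postun body `apply_selinux_boolean postun "$1"`, with the functions inlined.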