[Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

Martin Kosek mkosek at redhat.com
Tue Aug 25 15:12:36 UTC 2015


On 08/25/2015 04:37 PM, Jan Cholasta wrote:
> On 25.8.2015 14:50, Alexander Bokovoy wrote:
>> On Tue, 25 Aug 2015, Jan Cholasta wrote:
>>> On 25.8.2015 14:23, Alexander Bokovoy wrote:
>>>> On Tue, 25 Aug 2015, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> the attached patch fixes
>>>>> <https://fedorahosted.org/freeipa/ticket/5256>.
>>>>>
>>>>> Honza
>>>>>
>>>>> -- 
>>>>> Jan Cholasta
>>>>
>>>>> From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
>>>>> From: Jan Cholasta <jcholast at redhat.com>
>>>>> Date: Tue, 25 Aug 2015 14:14:25 +0200
>>>>> Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy
>>>>>
>>>>> This prevents ipa-server-upgrade failures on SELinux AVCs because of
>>>>> old
>>>>> selinux-policy version.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5256
>>>>> ---
>>>>> freeipa.spec.in | 1 +
>>>>> 1 file changed, 1 insertion(+)
>>>>>
>>>>> diff --git a/freeipa.spec.in b/freeipa.spec.in
>>>>> index cba91fe..fd73cda 100644
>>>>> --- a/freeipa.spec.in
>>>>> +++ b/freeipa.spec.in
>>>>> @@ -139,6 +139,7 @@ Requires: systemd-units >= 38
>>>>> Requires(pre): shadow-utils
>>>>> Requires(pre): systemd-units
>>>>> Requires(post): systemd-units
>>>>> +Requires(pre): selinux-policy >= %{selinux_policy_version}
>>>>> Requires: selinux-policy >= %{selinux_policy_version}
>>>>> Requires(post): selinux-policy-base
>>>>> Requires: slapi-nis >= 0.54.2-1
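Review bot: The added `Requires(pre): selinux-policy >= %{selinux_policy_version}` sits directly above a plain `Requires:` with the identical version constraint, and neither the hunk nor the commit message says which scriptlet runs ipa-server-upgrade, so it is not shown that `pre` is the phase that needs the ordering guarantee. Name that scriptlet in the commit message and match the qualifier to it. A one-line spec comment above the pair explaining why both the qualified and the unqualified dependency are kept would also stop a later cleanup from dropping one of them as a duplicate.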
>>>> If we have it in Requires(pre), we don't need it in Requires, as
>>>> Requires(pre) is a superset of guarantees that Requires gives you.
>>>
>>> Martin (CCed) told me Requires(pre) does not imply Requires.
>> See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):
>> ----------------
>> Since the only way out of a dependency loop is to snip the loop
>> somewhere, rpm uses hints from Requires: dependencies to distinguish
>> co-requisite (these are not needed to install, only to use, a package)
>> from pre-requisite (these are guaranteed to be installed before the
>> package that includes the dependency) relations.
>> ----------------
>>
>>>>
>>>> Requires(pre) ensures that selinux-policy of specific version is
>>>> installed before pre scripts of freeipa-server would run, be it in the
>>>> same transaction or in a previous one.
>>>>
>>>
>>> Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre)
>>> be changed to Requires(posttrans)?
>> I don't think there is posttrans target. Perhaps, we can just make sure
>> Requires(post) is enough.
> 
> OK, let's try that. Updated patch attached.
> 

Will this really make a difference? I thought the problem is caused by
selinux-policy being installed after freeipa-server package upgrade. We already
have Requires on selinux-policy, so I am not sure what is actually changed by
this patch.



