package review?

Michael Thomas wart at kobold.org
Sat Jul 29 01:04:11 UTC 2006


Paul Howarth wrote:
> On Thu, 2006-07-27 at 16:57 -0700, Michael Thomas wrote:
>> I played around with this a bit, and I think that the -selinux
>> subpackage should Requires: the package that it applies to.  If you
>> install the -selinux package first, then the base package, the
>> newly installed base package files don't get relabeled and the
>> policy won't have any effect.
> 
> 
> If the selinux package includes the appropriate file contexts in the
> .fc file, installing it first has the advantage that RPM will label
> the main package's files correctly at install time and no relabelling
> is necessary at all.

This isn't working for me if the main package and -selinux package are
in the same rpm transaction.

I have a set of packages on FC5 with this:

%post selinux
semodule -i %{_datadir}/selinux/packages/xpilotd/xpilotd.pp || :
/sbin/restorecon -R %{_bindir}/xpilot-ng-meta || :

The rpm transaction installs the -selinux subpackage first, which
installs the xpilot policy file which has a file context for
/usr/bin/xpilot-ng-meta.  But when rpm installs the main package next in
the transaction, the xpilot-ng-meta file does not get labelled correctly.

However, if I install these packages in separate transactions, then the
file gets labelled correctly regardless of which order the packages get
installed.  It almost seems as if the selinux policy does not really
take effect until after the rpm transaction has finished, even though
semodule -i was called in %post.

Adding 'Requires: %{name}' to the -selinux subpackage does seem to fix
the problem, however, as it seems to force the installation of the
-selinux package last, which relabels things correctly.

--Mike
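
The arrangement described in the message above, written out as a spec fragment. This is an added example, not part of the original post or the package's actual spec file; the module name `xpilotd` (inferred from `xpilotd.pp`), the `policycoreutils` scriptlet dependencies, the `%postun` section and the `%files` list are assumptions.

```spec
# Added example: the -selinux subpackage section of a hypothetical xpilot-ng.spec.
%package selinux
Summary:        SELinux policy module for xpilotd
Group:          System Environment/Base
# Dependency from the message: rpm orders the base package ahead of this
# subpackage, so the base package files already exist when the post
# scriptlet below runs restorecon.
Requires:       %{name}
# Assumption: semodule and restorecon come from policycoreutils and must be
# installed before the scriptlets run.
Requires(post):   policycoreutils
Requires(postun): policycoreutils

%description selinux
SELinux policy module for xpilotd.

%post selinux
# Load the module, then relabel the file the policy carries a file context for.
semodule -i %{_datadir}/selinux/packages/xpilotd/xpilotd.pp || :
/sbin/restorecon -R %{_bindir}/xpilot-ng-meta || :

%postun selinux
# $1 is 0 on final removal (not on upgrade): unload the module and put the
# default label back on the binary. Module name is an assumption.
if [ $1 -eq 0 ]; then
    semodule -r xpilotd || :
    /sbin/restorecon -R %{_bindir}/xpilot-ng-meta || :
fi

%files selinux
%defattr(-,root,root,-)
%{_datadir}/selinux/packages/xpilotd/xpilotd.pp
```

After installing both packages in one transaction, `matchpathcon -V /usr/bin/xpilot-ng-meta` reports whether the on-disk label agrees with the loaded policy.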