package review?

Paul Howarth paul at city-fan.org
Sat Jul 29 09:35:52 UTC 2006


On Fri, 2006-07-28 at 18:04 -0700, Michael Thomas wrote:
> Paul Howarth wrote:
> > On Thu, 2006-07-27 at 16:57 -0700, Michael Thomas wrote:
> >> I played around with this a bit, and I think that the -selinux 
> >> subpackage should Requires: the package that it applies to.  If you
> >>  install the -selinux package first, then the base package, the
> >> newly installed base package files don't get relabeled and the
> >> policy won't have any effect.
> > 
> > 
> > If the selinux package includes the appropriate file contexts in the
> > .fc file, installing it first has the advantage that RPM will label
> > the main package's files correctly at install time and no relabelling
> > is necessary at all.
> 
> This isn't working for me if the main package and -selinux package are
> in the same rpm transaction.
> 
> I have a set of packages on FC5 with this:
> 
> %post selinux
> semodule -i %{_datadir}/selinux/packages/xpilotd/xpilotd.pp || :
> /sbin/restorecon -R %{_bindir}/xpilot-ng-meta || :
> 
> The rpm transaction installs the -selinux subpackage first, which
> installs the xpilot policy file which has a file context for
> /usr/bin/xpilot-ng-meta.  But when rpm installs the main package next in
> the transaction, the xpilot-ng-meta file does not get labelled correctly.
> 
> However, if I install these packages in separate transactions, then the
> file gets labelled correctly regardless of which order the packages get
> installed.  It almost seems as if the selinux policy does not really
> take effect until after the rpm transaction has finished, even though
> semodule -i was called in %post.
> 
> Adding 'Requires: %{name}' to the -selinux subpackage does seem to fix
> the problem, however, as it seems to force the installation of the
> -selinux package last, which relabels things correctly.

You're right. I've now followed suit and split off an selinux subpackage
in my mod_fcgid example (this avoids having a dependency on
selinux-policy in the main package).

http://www.city-fan.org/~paul/extras/mod_fcgid/mod_fcgid.spec

I think it's now in a fit state to start writing up the guidelines,
which I'll make a start on soon.

Paul.
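
A check for the symptom described in the quoted message (files left with the wrong label after the transaction), as an added example that is not part of the original thread or of either spec file. It compares each file's on-disk SELinux type with the type the loaded policy assigns to its path, and assumes `matchpathcon` and GNU `stat` are available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report files whose on-disk SELinux
# type differs from the type the loaded file contexts assign to the path.
# Function names are illustrative.

# Print the type (third colon-separated field) of a security context.
# restorecon without -F only resets the type, so user and role are ignored.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the label matches policy, 1 if it does not,
# 2 if either lookup failed (missing path, SELinux disabled, ...).
check_label() {
    path=$1
    expected=$(matchpathcon -n "$path" 2>/dev/null) || return 2
    actual=$(stat -c %C "$path" 2>/dev/null) || return 2
    # "<<none>>" means the policy has no file context entry for this path.
    [ "$expected" = "<<none>>" ] && return 0
    if [ "$(context_type "$expected")" = "$(context_type "$actual")" ]; then
        return 0
    fi
    echo "MISLABELED $path: have $actual, policy wants $expected"
    return 1
}

# Check every path given; return non-zero if any is mislabelled or unreadable.
check_all() {
    rc=0
    for p in "$@"; do
        check_label "$p" || rc=1
    done
    return $rc
}

# Usage: sh check-labels.sh /usr/bin/xpilot-ng-meta
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

Running it once after a single-transaction install and once after separate installs shows whether the ordering dependency had the intended effect.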



