Guideline for RPM packages

KaiGai Kohei kaigai at kaigai.gr.jp
Mon Jul 30 15:47:01 UTC 2007


Paul Howarth wrote:
> KaiGai Kohei wrote:
>>>>> If I remember correctly, someone posted a guideline to make
>>>>> a RPM package which contains binary security policy, several
>>>>> weeks ago.
>>>>>
>>>>> If you know the URL, would you tell me the location?
>>>> There is a draft guide at:
>>>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>>> Thanks, so much!
>> I have a comment for the Policy Module Packaging Guideline.
>>
>> The document says every *.pp file should be installed for every sort of policy
>> (targeted, strict, mls) in the %post section.
>> However, it can cause a problem when some of the policies are not installed yet.
>>
>> When we try to install an application including a policy package on a system
>> which has only the targeted policy, installation of the *.pp files for strict/mls will
>> fail, needless to say.
>> If we want to install selinux-policy-strict or -mls later, the orphan *.pp files
>> are not linked automatically because "/usr/bin/semodule -i" is not invoked.
>> It will cause a simple problem, but a bit difficult to find out.
>>
>> I have an idea that uses "%triggerin" to invoke "/usr/bin/semodule -i" to link
>> orphan *.pp files on installation of selinux-policy-* packages later, as follows:
>>
>> ----------------
>>   # rpm passes two arguments to a trigger script: $1 is the number of
>>   # installed instances of this package, $2 the number of installed
>>   # instances of the triggering package. "$2" -eq 1 therefore means the
>>   # policy package has just been installed for the first time, or was
>>   # already present when this package was installed.
>>   %triggerin -- selinux-policy-targeted
>>   if [ "$2" -eq 1 ]; then
>>       /usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/mymodule.pp &> /dev/null || :
>>   fi
>>   %triggerin -- selinux-policy-strict
>>   if [ "$2" -eq 1 ]; then
>>       /usr/sbin/semodule -s strict -i %{_datadir}/selinux/strict/mymodule.pp &> /dev/null || :
>>   fi
>>   %triggerin -- selinux-policy-mls
>>   if [ "$2" -eq 1 ]; then
>>       /usr/sbin/semodule -s mls -i %{_datadir}/selinux/mls/mymodule.pp &> /dev/null || :
>>   fi
>> ----------------
>>
>> If the application is installed on a system which already has selinux-policy-strict,
>> "%triggerin -- selinux-policy-strict" will be invoked just when the application is
>> installed, so there is no degradation.
> 
> Looks sane to me, though it would be nice if there was some way of
> expressing this once rather than duplicating it for each policy type.
> Can't think of any way of doing that though.

I tried to find a way to describe it once without a duplication,
but I could not get a good idea.

If we could describe them like "%triggerin -- selinux-policy-*", it would be better.
Please tell me if anyone knows a more appropriate way to describe it.

Thanks,
--
KaiGai Kohei <kaigai at kaigai.gr.jp>
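As an added example that is not part of this thread or of the Fedora draft guideline: one scriptlet body that discovers which policy stores exist on the host and links (or, on erase, removes) the module in each of them, so the same helper serves %post, %postun and every %triggerin instead of three hand-copied blocks. The module name mymodule, the SELINUX_ROOT / SELINUX_DATADIR / SEMODULE variables and the directory-based presence check are assumptions made here so the logic can be exercised without root; each %triggerin still needs its own "-- selinux-policy-<type>" line, and since rpm runs every scriptlet in a fresh shell, each scriptlet must carry the helper definitions.

```shell
#!/bin/sh
# Added example (not from the thread or the Fedora draft guideline).
# Install or remove one SELinux policy module in every policy store
# present on the host, instead of one hand-written block per policy type.
# Assumptions: module name mymodule; the paths and the semodule binary
# are overridable so the logic can be run outside a root shell.

MODULE=${MODULE:-mymodule}
POLICY_TYPES="targeted strict mls"
SELINUX_ROOT=${SELINUX_ROOT:-/etc/selinux}
SELINUX_DATADIR=${SELINUX_DATADIR:-/usr/share/selinux}
SEMODULE=${SEMODULE:-/usr/sbin/semodule}

# Print the policy types whose base policy is installed, one per line.
# selinux-policy-<type> owns /etc/selinux/<type>/, so that directory is a
# usable stand-in for "is the selinux-policy-<type> package present?".
installed_policy_types() {
    for t in $POLICY_TYPES; do
        [ -d "$SELINUX_ROOT/$t" ] && echo "$t"
    done
    return 0
}

# %post / %triggerin body: link the module into each store that exists.
# Errors are swallowed (|| :) so a policy problem never aborts the rpm
# transaction, matching the "|| :" idiom used in the thread.
link_policy_module() {
    for t in $(installed_policy_types); do
        "$SEMODULE" -s "$t" -i "$SELINUX_DATADIR/$t/$MODULE.pp" >/dev/null 2>&1 || :
    done
}

# %postun body on erase ($1 -eq 0): remove the module from each store.
unlink_policy_module() {
    for t in $(installed_policy_types); do
        "$SEMODULE" -s "$t" -r "$MODULE" >/dev/null 2>&1 || :
    done
}

# Spec usage: paste the helpers above into each scriptlet, then
#   %post
#   if [ "$1" -eq 1 ]; then link_policy_module; fi
#   %postun
#   if [ "$1" -eq 0 ]; then unlink_policy_module; fi
#   %triggerin -- selinux-policy-targeted   (likewise -strict, -mls)
#   if [ "$2" -eq 1 ]; then link_policy_module; fi
```

Because installed_policy_types only returns stores that actually exist, the same link_policy_module call is correct whether it runs from %post on a targeted-only host or from the trigger that fires when selinux-policy-mls arrives later, which is the failure mode the thread describes.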




More information about the fedora-selinux-list mailing list