On 11/3/19 9:38 AM, Dridi Boukelmoune wrote:
> On Sat, Nov 2, 2019 at 2:21 AM Orion Poplawski <or...@nwra.com> wrote:
>>
>> On 11/1/19 1:47 PM, Daniel Walsh wrote:
>>> Flat pack should be doing a requires(post): selinux-policy-base
>>>
>>> To make sure it is installed before flatpack.
>>
>> Thanks. The proper incantation actually though seems to be:
>>
>> %{?selinux_requires}
>>
>> which contains that. See:
>>
>> https://fedoraproject.org/wiki/SELinux/IndependentPolicy#The_Preamble
>
> I have used this successfully for EPEL 7 work at $DAYJOB and woud have
> pointed this out earlier if I hadn't fallen off the devel list for the
> past few weeks.
>
> Revisiting this on Fedora 31 I still see this:
>
> $ rpm --eval %selinux_requires | grep git
> BuildRequires: git
>
> And I can't help but wonder whether we really need git at build time
> as this slows down the build root creation step.
>
> Any idea from SELinux folks?
> Hi, It looks like some leftover from the past. I don't really see why it should be there. This commit removes that: https://github.com/fedora-selinux/selinux-policy-macros/commit/5f366657da0c7c67f2448be03620581437c2dfbb Fixing it also in Rawhide and F31. Thanks, Lukas. > Thanks, > Dridi > >> This works because the selinux-policy-base providing packages have a: >> >> Requires(pre): selinux-policy >> >> which pushes that earlier. I'm still not entirely convinced that that >> creates a contract that selinux-policy's %post script will be run before >> the flatpak-selinux's %post script, but hopefully in practice it won't >> matter. >> >> I've created https://src.fedoraproject.org/rpms/flatpak/pull-request/5 >> >>> On 11/1/19 2:51 PM, Tim Zabel wrote: >>>> On Fri, 2019-11-01 at 12:02 -0600, Orion Poplawski wrote: >>>>> My F31 kickstart install is failing with: >>>>> >>>>> DNF error: Error in POSTIN scriptlet in rpm package flatpak-selinux >>>> Hmm, I've also ran into this issue of flatpak-selinux's POSTIN failing >>>> :( >>>> >>>> Just to be sure, are you building the kickstart with SELinux set to >>>> permissive? It won't work if it's in Enforcing. >>>> >>>>> This is because flapak-selinux installs a SELinux module in %post: >>>>> >>>>> %post selinux >>>>> %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2 >>>>> >>>>> which sources /etc/selinux/config. It is failing because >>>>> /etc/selinux/config >>>>> does not exist and /bin/sh exits with failure (/bin/bash does not >>>>> interestingly enough). >>>>> >>>>> This was reported earlier here: >>>>> >>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1723118 >>>> For reference, here are some other BZs that I've ran into while trying >>>> to come up with my own fixes to this issue: >>>> >>>> *https://bugzilla.redhat.com/show_bug.cgi?id=1732132 >>>> >>>> *https://bugzilla.redhat.com/show_bug.cgi?id=1665643 >>>> >>>> >>>>> and the suggestion made to add: >>>>> >>>>> Requires(post): selinux-policy >>>>> >>>>> since selinux-policy owns /etc/selinux/config. However, selinux- >>>>> policy >>>>> creates /etc/selinux/config in its own %post, and Requires(post) only >>>>> guarantees that the package's contents are installed, not that its >>>>> scripts are >>>>> complete. >>>>> >>>>> So, what's the best way to fix this? We need /etc/selinux/policy to >>>>> be >>>>> present and populated with SELINUXTYPE=targeted for the selinux >>>>> policy modules >>>>> to be installed properly. >>>>> >>>>> selinux-policy does: >>>>> >>>>> %post >>>>> if [ ! -s /etc/selinux/config ]; then >>>>> # >>>>> # New install so we will default to targeted policy >>>>> # >>>>> echo " >>>>> # This file controls the state of SELinux on the system. >>>>> # SELINUX= can take one of these three values: >>>>> # enforcing - SELinux security policy is enforced. >>>>> # permissive - SELinux prints warnings instead of enforcing. >>>>> # disabled - No SELinux policy is loaded. >>>>> SELINUX=enforcing >>>>> # SELINUXTYPE= can take one of these three values: >>>>> # targeted - Targeted processes are protected, >>>>> # minimum - Modification of targeted policy. Only selected >>>>> processes are >>>>> protected. >>>>> # mls - Multi Level Security protection. >>>>> SELINUXTYPE=targeted >>>>> >>>>> " > /etc/selinux/config >>>>> >>>>> ln -sf ../selinux/config /etc/sysconfig/selinux >>>>> restorecon /etc/selinux/config 2> /dev/null || : >>>>> else >>>>> . /etc/selinux/config >>>>> fi >>>>> exit 0 >>>>> >>>>> But can't this be achieved simply with: >>>>> >>>>> %config(noreplace) %{_sysconfdir}/selinux/config >>>>> >>>>> New installs would get the default config, but otherwise you would >>>>> get a >>>>> .rpmnew file. >>>>> >>>>> However, I realize that nothing is particularly simple about SELinux >>>>> so there >>>>> are probably things I'm not aware of that prevent this. >>>>> >>>>> PS - the else code seems to be a no-op. >>>> Back when I was trying to find my own fixes, I managed to fix one >>>> portion of the %post selinux that was enough to solve my own problems, >>>> but this issue you're seeing is one that I wasn't able to find a fix >>>> for myself. I've love to see a resolution to this. >>>> >>>> _______________________________________________ >>>> devel mailing list --devel@lists.fedoraproject.org >>>> To unsubscribe send an email todevel-le...@lists.fedoraproject.org >>>> Fedora Code of >>>> Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>> List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines >>>> List >>>> Archives:https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org >>> >>> >>> >>> _______________________________________________ >>> devel mailing list -- devel@lists.fedoraproject.org >>> To unsubscribe send an email to devel-le...@lists.fedoraproject.org >>> Fedora Code of Conduct: >>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>> List Archives: >>> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org >>> >> >> >> -- >> Orion Poplawski >> Manager of NWRA Technical Systems 720-772-5637 >> NWRA, Boulder/CoRA Office FAX: 303-415-9702 >> 3380 Mitchell Lane or...@nwra.com >> Boulder, CO 80301 https://www.nwra.com/ >> >> _______________________________________________ >> devel mailing list -- devel@lists.fedoraproject.org >> To unsubscribe send an email to devel-le...@lists.fedoraproject.org >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > _______________________________________________ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > -- Lukas Vrabec SELinux Evangelist, Senior Software Engineer, Security Technologies Red Hat, Inc.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
