On Sat, Nov 2, 2019 at 2:21 AM Orion Poplawski <orion(a)nwra.com> wrote:
> On 11/1/19 1:47 PM, Daniel Walsh wrote:
> > Flatpak should be doing a requires(post): selinux-policy-base
> >
> > To make sure it is installed before flatpak.
> Thanks. The proper incantation actually though seems to be:
> %{?selinux_requires}
> which contains that. See:
> https://fedoraproject.org/wiki/SELinux/IndependentPolicy#The_Preamble
> I have used this successfully for EPEL 7 work at $DAYJOB and would have
> pointed this out earlier if I hadn't fallen off the devel list for the
> past few weeks.
Revisiting this on Fedora 31 I still see this:
$ rpm --eval %selinux_requires | grep git
BuildRequires: git
And I can't help but wonder whether we really need git at build time
as this slows down the build root creation step.
Any idea from SELinux folks?
Thanks,
Dridi
> This works because the selinux-policy-base providing packages have a:
>
> Requires(pre): selinux-policy
>
> which pushes that earlier. I'm still not entirely convinced that that
> creates a contract that selinux-policy's %post script will be run before
> the flatpak-selinux's %post script, but hopefully in practice it won't
> matter.
>
> I've created https://src.fedoraproject.org/rpms/flatpak/pull-request/5
>
> > On 11/1/19 2:51 PM, Tim Zabel wrote:
> >> On Fri, 2019-11-01 at 12:02 -0600, Orion Poplawski wrote:
> >>> My F31 kickstart install is failing with:
> >>>
> >>> DNF error: Error in POSTIN scriptlet in rpm package flatpak-selinux
> >> Hmm, I've also run into this issue of flatpak-selinux's POSTIN
> >> failing :(
> >>
> >> Just to be sure, are you building the kickstart with SELinux set to
> >> permissive? It won't work if it's in Enforcing.
> >>
> >>> This is because flatpak-selinux installs an SELinux module in %post:
> >>>
> >>> %post selinux
> >>> %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
> >>>
> >>> which sources /etc/selinux/config. It is failing because
> >>> /etc/selinux/config
> >>> does not exist and /bin/sh exits with failure (/bin/bash does not
> >>> interestingly enough).
> >>>
> >>> This was reported earlier here:
> >>>
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1723118
> >> For reference, here are some other BZs that I've run into while trying
> >> to come up with my own fixes to this issue:
> >>
> >> * https://bugzilla.redhat.com/show_bug.cgi?id=1732132
> >>
> >> * https://bugzilla.redhat.com/show_bug.cgi?id=1665643
> >>
> >>
> >>> and the suggestion made to add:
> >>>
> >>> Requires(post): selinux-policy
> >>>
> >>> since selinux-policy owns /etc/selinux/config. However, selinux-policy
> >>> creates /etc/selinux/config in its own %post, and Requires(post) only
> >>> guarantees that the package's contents are installed, not that its
> >>> scripts are complete.
> >>>
> >>> So, what's the best way to fix this? We need /etc/selinux/policy to be
> >>> present and populated with SELINUXTYPE=targeted for the selinux
> >>> policy modules to be installed properly.
> >>>
> >>> selinux-policy does:
> >>>
> >>> %post
> >>> if [ ! -s /etc/selinux/config ]; then
> >>> #
> >>> # New install so we will default to targeted policy
> >>> #
> >>> echo "
> >>> # This file controls the state of SELinux on the system.
> >>> # SELINUX= can take one of these three values:
> >>> # enforcing - SELinux security policy is enforced.
> >>> # permissive - SELinux prints warnings instead of enforcing.
> >>> # disabled - No SELinux policy is loaded.
> >>> SELINUX=enforcing
> >>> # SELINUXTYPE= can take one of these three values:
> >>> # targeted - Targeted processes are protected,
> >>> # minimum - Modification of targeted policy. Only selected processes are protected.
> >>> # mls - Multi Level Security protection.
> >>> SELINUXTYPE=targeted
> >>>
> >>> " > /etc/selinux/config
> >>>
> >>> ln -sf ../selinux/config /etc/sysconfig/selinux
> >>> restorecon /etc/selinux/config 2> /dev/null || :
> >>> else
> >>> . /etc/selinux/config
> >>> fi
> >>> exit 0
> >>>
> >>> But can't this be achieved simply with:
> >>>
> >>> %config(noreplace) %{_sysconfdir}/selinux/config
> >>>
> >>> New installs would get the default config, but otherwise you would get a
> >>> .rpmnew file.
> >>>
> >>> However, I realize that nothing is particularly simple about SELinux
> >>> so there are probably things I'm not aware of that prevent this.
> >>>
> >>> PS - the else code seems to be a no-op.
> >> Back when I was trying to find my own fixes, I managed to fix one
> >> portion of the %post selinux that was enough to solve my own problems,
> >> but this issue you're seeing is one that I wasn't able to find a fix
> >> for myself. I'd love to see a resolution to this.
> >>
> >> _______________________________________________
> >> devel mailing list -- devel(a)lists.fedoraproject.org
> >> To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
> >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedora...
>
> --
> Orion Poplawski
> Manager of NWRA Technical Systems 720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane orion(a)nwra.com
> Boulder, CO 80301
> https://www.nwra.com/
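The failure Orion describes above (a /bin/sh %post doing `. /etc/selinux/config` before selinux-policy's %post has written the file) and the `-s` guard from selinux-policy's own %post, reproduced as an added shell example. This is not code from flatpak, selinux-policy or rpm; the config files it reads are constructed in a temporary directory.

```shell
#!/bin/sh
# Added illustration, not code from any Fedora package.
# Shows why sourcing a missing /etc/selinux/config aborts a %post under
# POSIX sh, and a guarded reader that falls back to the targeted policy.

# Unguarded: `.` on a missing file is a special-builtin failure, so a
# non-interactive POSIX sh exits the whole scriptlet (rpm then reports
# "Error in POSTIN scriptlet"); bash merely returns non-zero. The work
# is done in a subshell so this demo survives; the status is returned.
selinux_type_unguarded() {
    ( . "$1" && echo "${SELINUXTYPE:-unset}" ) 2>/dev/null
}

# Guarded: source the file only if it is a non-empty, readable regular
# file (the same -s test selinux-policy's %post uses), otherwise assume
# the default "targeted". Prints the effective SELINUXTYPE.
selinux_type() {
    cfg="${1:-/etc/selinux/config}"
    SELINUXTYPE=
    if [ -s "$cfg" ] && [ -r "$cfg" ]; then
        # This executes the file's contents: keep it root-owned and
        # reject world-writable copies in anything security-sensitive.
        . "$cfg"
    fi
    echo "${SELINUXTYPE:-targeted}"
}

# Constructed sample configs standing in for /etc/selinux/config.
SAMPLE_DIR=$(mktemp -d)
printf 'SELINUX=enforcing\nSELINUXTYPE=mls\n' > "$SAMPLE_DIR/config"
: > "$SAMPLE_DIR/empty"          # exists but empty: treat like missing
SAMPLE_MISSING="$SAMPLE_DIR/absent"

# Stand-alone demo output.
echo "populated : $(selinux_type "$SAMPLE_DIR/config")"    # mls
echo "empty     : $(selinux_type "$SAMPLE_DIR/empty")"     # targeted
echo "missing   : $(selinux_type "$SAMPLE_MISSING")"       # targeted
selinux_type_unguarded "$SAMPLE_MISSING" >/dev/null ||
    echo "unguarded : failed with status $? (where rpm aborts the %post)"
```

Run it with `sh` rather than `bash` to see the exit-on-missing-file behaviour the thread attributes to /bin/sh.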