- Gives necessary file context permissions to @localstatedir@/lib/matahari
Signed-off-by: Adam Stokes astokes@fedoraproject.org --- matahari.spec.in | 27 +++++++++++++++++++++++++-- 1 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/matahari.spec.in b/matahari.spec.in index aae23c0..9973a75 100644 --- a/matahari.spec.in +++ b/matahari.spec.in @@ -93,6 +93,7 @@ Summary: C++ library used by Matahari agents Group: Applications/System Requires: %{name}-lib = %{version}-%{release} Requires: qpid-cpp-client-ssl > 0.7 +Requires: %{name}-selinux
%description agent-lib C++ library containing the base class for Matahari agents @@ -162,6 +163,16 @@ Requires: %{name}-agent-lib = %{version}-%{release} %description consoles QMF console for monitoring various agents
+%package selinux +Summary: SElinux support for Matahari +Requires: %{name} = %{version}-%{release} +Requires: policycoreutils +Requires: selinux-policy-targeted +BuildRequires: selinux-policy-devel + +%description selinux +Configures Matahari to run in SELinux enabled environments. + %prep %setup -q -n matahari-matahari-%{upstream_version}
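Review bot: `BuildRequires: selinux-policy-devel` in the new `%package selinux` stanza is not used by anything in this patch, since no policy module is compiled or installed and the scriptlets only call `semanage` and `restorecon`; drop it unless a module build is coming. `Requires: policycoreutils` covers `restorecon`, but on Fedora and RHEL releases where `semanage` ships in policycoreutils-python it does not pull in `semanage`, and the `>/dev/null 2>&1 || :` on the scriptlet lines would hide the resulting "command not found". The new `Requires: %{name}-selinux` on agent-lib is also unversioned while the neighbouring `Requires: %{name}-lib = %{version}-%{release}` is pinned; pin it the same way, and spell the Summary "SELinux" as the description does.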
@@ -183,8 +194,8 @@ make DESTDIR=%{buildroot} install %{__install} matahari-broker.sysconf $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/matahari-broker %{__ln_s} qpidd $RPM_BUILD_ROOT/%{_sbindir}/matahari-brokerd
-%{__install} -d -m0755 %{buildroot}%{_localstatedir}/lib/%{name} -%{__install} -d -m0755 %{buildroot}%{_localstatedir}/run/%{name} +%{__install} -d -m0755 $RPM_BUILD_ROOT/%{_localstatedir}/lib/%{name} +%{__install} -d -m0755 $RPM_BUILD_ROOT/%{_localstatedir}/run/%{name} %endif
%post -n matahari-lib -p /sbin/ldconfig @@ -195,6 +206,15 @@ make DESTDIR=%{buildroot} install # Can't use -p, gives: '/sbin/ldconfig: relative path `0' used to build cache' error /sbin/ldconfig
+%post selinux +semanage fcontext -a -t qpidd_var_lib_t '%{_localstatedir}/lib/%{name}(/.*)?' >/dev/null 2>&1 || : +restorecon -R '%{_localstatedir}/lib/%{name}' || : + +%postun selinux +if [ $1 -eq 0 ]; then + semanage fcontext -d -t qpidd_var_lib_t '%{_localstatedir}/lib/%{name}(/.*)?' >/dev/null 2>&1 || : +fi + %if %{with qmf} #== Host
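Review bot: The `restorecon -R '%{_localstatedir}/lib/%{name}'` call in `%post selinux` relabels a directory that this subpackage does not own (`%files selinux` lists nothing), so if -selinux is installed before the package that creates the directory there is nothing to relabel, and `|| :` turns that into a silent success. Either own the directory in `%files selinux` or run the relabel from the scriptlet of the package that does own it. In `%postun selinux` the fcontext rule is deleted but no `restorecon` follows, so existing files keep `qpidd_var_lib_t` after the package is removed. Output handling is inconsistent as well: `semanage` is fully silenced while `restorecon` is not.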
@@ -406,6 +426,9 @@ test "x%{buildroot}" != "x" && rm -rf %{buildroot} %exclude %{_sysconfdir}/matahari-broker.conf %endif
+%files selinux +%defattr(-,root,root,-) + %files devel %defattr(644, root, root, 755) %doc AUTHORS COPYING
Signed-off-by: Adam Stokes astokes@fedoraproject.org --- src/lib/sysconfig_linux.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/lib/sysconfig_linux.c b/src/lib/sysconfig_linux.c index 91e1b72..a809267 100644 --- a/src/lib/sysconfig_linux.c +++ b/src/lib/sysconfig_linux.c @@ -63,7 +63,7 @@ sysconfig_os_run_puppet(const char *uri, const char *data) { gboolean ret; GError *error = NULL; - gchar *cmd[3]; + gchar *cmd[4]; char filename[PATH_MAX]; int fd; FILE *fp; @@ -92,8 +92,9 @@ sysconfig_os_run_puppet(const char *uri, const char *data) }
cmd[0] = "puppet"; - cmd[1] = filename; - cmd[2] = NULL; + cmd[1] = "apply"; + cmd[2] = filename; + cmd[3] = NULL; mh_info("Running %s %s", cmd[0], cmd[1]); ret = g_spawn_async(NULL, cmd, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, NULL, &error);
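Review bot: The unchanged `mh_info("Running %s %s", cmd[0], cmd[1]);` line in the second hunk now logs "Running puppet apply" and no longer records which manifest file is executed, because the filename moved to `cmd[2]`. Extend the format string to include `cmd[2]` so the log still identifies what was applied. Since `g_spawn_async` is called with `G_SPAWN_SEARCH_PATH`, the bare "puppet" is resolved through the agent's PATH; for a daemon that applies configuration, an absolute path to the binary would remove that dependency on the environment.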
ACK
Testing ftw ;-)
-- Russell Bryant
On Mon, Aug 15, 2011 at 11:58 AM, Adam Stokes astokes@fedoraproject.org wrote:
Signed-off-by: Adam Stokes astokes@fedoraproject.org
src/lib/sysconfig_linux.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/lib/sysconfig_linux.c b/src/lib/sysconfig_linux.c index 91e1b72..a809267 100644 --- a/src/lib/sysconfig_linux.c +++ b/src/lib/sysconfig_linux.c @@ -63,7 +63,7 @@ sysconfig_os_run_puppet(const char *uri, const char *data) { gboolean ret; GError *error = NULL;
- gchar *cmd[3];
- gchar *cmd[4];
char filename[PATH_MAX]; int fd; FILE *fp; @@ -92,8 +92,9 @@ sysconfig_os_run_puppet(const char *uri, const char *data) }
cmd[0] = "puppet";
- cmd[1] = filename;
- cmd[2] = NULL;
- cmd[1] = "apply";
- cmd[2] = filename;
- cmd[3] = NULL;
mh_info("Running %s %s", cmd[0], cmd[1]); ret = g_spawn_async(NULL, cmd, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, NULL, &error); -- 1.7.6
Matahari mailing list Matahari@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/matahari
Actually, it looks like there might be a puppet version issue here. We have the docs for "puppet apply" here:
http://docs.puppetlabs.com/man/apply.html
but that does not appear to be the way it works with the version of puppet I have installed on Fedora 15. It looks like just "puppet <file>" is the right command there.
Can you look into this a bit more? We may have to do some magic to determine which version of puppet we're working against ...
-- Russell Bryant
On Mon, Aug 15, 2011 at 12:17 PM, Russell Bryant russell@russellbryant.net wrote:
ACK
Testing ftw ;-)
-- Russell Bryant
On Mon, Aug 15, 2011 at 11:58 AM, Adam Stokes astokes@fedoraproject.org wrote:
Signed-off-by: Adam Stokes astokes@fedoraproject.org
src/lib/sysconfig_linux.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/lib/sysconfig_linux.c b/src/lib/sysconfig_linux.c index 91e1b72..a809267 100644 --- a/src/lib/sysconfig_linux.c +++ b/src/lib/sysconfig_linux.c @@ -63,7 +63,7 @@ sysconfig_os_run_puppet(const char *uri, const char *data) { gboolean ret; GError *error = NULL;
- gchar *cmd[3];
- gchar *cmd[4];
char filename[PATH_MAX]; int fd; FILE *fp; @@ -92,8 +92,9 @@ sysconfig_os_run_puppet(const char *uri, const char *data) }
cmd[0] = "puppet";
- cmd[1] = filename;
- cmd[2] = NULL;
- cmd[1] = "apply";
- cmd[2] = filename;
- cmd[3] = NULL;
mh_info("Running %s %s", cmd[0], cmd[1]); ret = g_spawn_async(NULL, cmd, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, NULL, &error); -- 1.7.6
ACK
-- Russell Bryant
On Mon, Aug 15, 2011 at 11:58 AM, Adam Stokes astokes@fedoraproject.org wrote:
- Gives necessary file context permissions to @localstatedir@/lib/matahari
Signed-off-by: Adam Stokes astokes@fedoraproject.org
matahari.spec.in | 27 +++++++++++++++++++++++++-- 1 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/matahari.spec.in b/matahari.spec.in index aae23c0..9973a75 100644 --- a/matahari.spec.in +++ b/matahari.spec.in @@ -93,6 +93,7 @@ Summary: C++ library used by Matahari agents Group: Applications/System Requires: %{name}-lib = %{version}-%{release} Requires: qpid-cpp-client-ssl > 0.7 +Requires: %{name}-selinux
%description agent-lib C++ library containing the base class for Matahari agents @@ -162,6 +163,16 @@ Requires: %{name}-agent-lib = %{version}-%{release} %description consoles QMF console for monitoring various agents
+%package selinux +Summary: SElinux support for Matahari +Requires: %{name} = %{version}-%{release} +Requires: policycoreutils +Requires: selinux-policy-targeted +BuildRequires: selinux-policy-devel
+%description selinux +Configures Matahari to run in SELinux enabled environments.
%prep %setup -q -n matahari-matahari-%{upstream_version}
@@ -183,8 +194,8 @@ make DESTDIR=%{buildroot} install %{__install} matahari-broker.sysconf $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/matahari-broker %{__ln_s} qpidd $RPM_BUILD_ROOT/%{_sbindir}/matahari-brokerd
-%{__install} -d -m0755 %{buildroot}%{_localstatedir}/lib/%{name} -%{__install} -d -m0755 %{buildroot}%{_localstatedir}/run/%{name} +%{__install} -d -m0755 $RPM_BUILD_ROOT/%{_localstatedir}/lib/%{name} +%{__install} -d -m0755 $RPM_BUILD_ROOT/%{_localstatedir}/run/%{name} %endif
%post -n matahari-lib -p /sbin/ldconfig @@ -195,6 +206,15 @@ make DESTDIR=%{buildroot} install # Can't use -p, gives: '/sbin/ldconfig: relative path `0' used to build cache' error /sbin/ldconfig
+%post selinux +semanage fcontext -a -t qpidd_var_lib_t '%{_localstatedir}/lib/%{name}(/.*)?' >/dev/null 2>&1 || : +restorecon -R '%{_localstatedir}/lib/%{name}' || :
+%postun selinux +if [ $1 -eq 0 ]; then
- semanage fcontext -d -t qpidd_var_lib_t '%{_localstatedir}/lib/%{name}(/.*)?' >/dev/null 2>&1 || :
+fi
%if %{with qmf} #== Host
@@ -406,6 +426,9 @@ test "x%{buildroot}" != "x" && rm -rf %{buildroot} %exclude %{_sysconfdir}/matahari-broker.conf %endif
+%files selinux +%defattr(-,root,root,-)
%files devel %defattr(644, root, root, 755) %doc AUTHORS COPYING -- 1.7.6
This shouldn't work.
Since -agent-libs requires -selinux, I would expect that yum would install -selinux first. At which point the restorecon command would fail or have no effect since %{_localstatedir}/lib/%{name} won't exist yet.
Something needs to change
On Tue, Aug 16, 2011 at 1:58 AM, Adam Stokes astokes@fedoraproject.org wrote:
- Gives necessary file context permissions to @localstatedir@/lib/matahari
Signed-off-by: Adam Stokes astokes@fedoraproject.org
matahari.spec.in | 27 +++++++++++++++++++++++++-- 1 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/matahari.spec.in b/matahari.spec.in index aae23c0..9973a75 100644 --- a/matahari.spec.in +++ b/matahari.spec.in @@ -93,6 +93,7 @@ Summary: C++ library used by Matahari agents Group: Applications/System Requires: %{name}-lib = %{version}-%{release} Requires: qpid-cpp-client-ssl > 0.7 +Requires: %{name}-selinux
%description agent-lib C++ library containing the base class for Matahari agents @@ -162,6 +163,16 @@ Requires: %{name}-agent-lib = %{version}-%{release} %description consoles QMF console for monitoring various agents
+%package selinux +Summary: SElinux support for Matahari +Requires: %{name} = %{version}-%{release} +Requires: policycoreutils +Requires: selinux-policy-targeted +BuildRequires: selinux-policy-devel
+%description selinux +Configures Matahari to run in SELinux enabled environments.
%prep %setup -q -n matahari-matahari-%{upstream_version}
@@ -183,8 +194,8 @@ make DESTDIR=%{buildroot} install %{__install} matahari-broker.sysconf $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/matahari-broker %{__ln_s} qpidd $RPM_BUILD_ROOT/%{_sbindir}/matahari-brokerd
-%{__install} -d -m0755 %{buildroot}%{_localstatedir}/lib/%{name} -%{__install} -d -m0755 %{buildroot}%{_localstatedir}/run/%{name} +%{__install} -d -m0755 $RPM_BUILD_ROOT/%{_localstatedir}/lib/%{name} +%{__install} -d -m0755 $RPM_BUILD_ROOT/%{_localstatedir}/run/%{name} %endif
%post -n matahari-lib -p /sbin/ldconfig @@ -195,6 +206,15 @@ make DESTDIR=%{buildroot} install # Can't use -p, gives: '/sbin/ldconfig: relative path `0' used to build cache' error /sbin/ldconfig
+%post selinux +semanage fcontext -a -t qpidd_var_lib_t '%{_localstatedir}/lib/%{name}(/.*)?' >/dev/null 2>&1 || : +restorecon -R '%{_localstatedir}/lib/%{name}' || :
+%postun selinux +if [ $1 -eq 0 ]; then
- semanage fcontext -d -t qpidd_var_lib_t '%{_localstatedir}/lib/%{name}(/.*)?' >/dev/null 2>&1 || :
+fi
%if %{with qmf} #== Host
@@ -406,6 +426,9 @@ test "x%{buildroot}" != "x" && rm -rf %{buildroot} %exclude %{_sysconfdir}/matahari-broker.conf %endif
+%files selinux +%defattr(-,root,root,-)
%files devel %defattr(644, root, root, 755) %doc AUTHORS COPYING -- 1.7.6
On Mon, Aug 15, 2011 at 7:19 PM, Andrew Beekhof andrew@beekhof.net wrote:
This shouldn't work.
Since -agent-libs requires -selinux, I would expect that yum would install -selinux first. At which point the restorecon command would fail or have no effect since %{_localstatedir}/lib/%{name} won't exist yet.
Something needs to change
I fixed this last night. However, based on Roman's comments, this may be more broken on a fundamental level.
On 08/15/2011 05:58 PM, Adam Stokes wrote:
- Gives necessary file context permissions to @localstatedir@/lib/matahari
I thought that this is a work of some selinux package provided in distro's package list. In Fedora it is some selinux-policy package I guess. At least it is how it is working in Fedora. I'm not sure about other distros.
Maybe I missed some discussion earlier about selinux, but from my POV this doesn't look good.
RR