Flatpak should be doing a Requires(post): selinux-policy-base

to make sure it is installed before flatpak.

On 11/1/19 2:51 PM, Tim Zabel wrote:
> On Fri, 2019-11-01 at 12:02 -0600, Orion Poplawski wrote:
>> My F31 kickstart install is failing with:
>>
>> DNF error: Error in POSTIN scriptlet in rpm package flatpak-selinux
> Hmm, I've also run into this issue of flatpak-selinux's POSTIN failing
> :(
>
> Just to be sure, are you building the kickstart with SELinux set to
> permissive? It won't work if it's in Enforcing.
>
>> This is because flatpak-selinux installs a SELinux module in %post:
>>
>> %post selinux
>> %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
>>
>> which sources /etc/selinux/config.  It is failing because /etc/selinux/config
>> does not exist and /bin/sh exits with failure (/bin/bash does not
>> interestingly enough).
>>
>> This was reported earlier here:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1723118
> For reference, here are some other BZs that I've run into while trying
> to come up with my own fixes to this issue:
>
> * https://bugzilla.redhat.com/show_bug.cgi?id=1732132
>
> * https://bugzilla.redhat.com/show_bug.cgi?id=1665643
>
>
>> and the suggestion made to add:
>>
>> Requires(post): selinux-policy
>>
>> since selinux-policy owns /etc/selinux/config.  However, selinux-policy
>> creates /etc/selinux/config in its own %post, and Requires(post) only
>> guarantees that the package's contents are installed, not that its
>> scripts are complete.
>>
>> So, what's the best way to fix this?  We need /etc/selinux/policy to be
>> present and populated with SELINUXTYPE=targeted for the selinux policy
>> modules to be installed properly.
>>
>> selinux-policy does:
>>
>> %post
>> if [ ! -s /etc/selinux/config ]; then
>> #
>> #     New install so we will default to targeted policy
>> #
>> echo "
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> #     enforcing - SELinux security policy is enforced.
>> #     permissive - SELinux prints warnings instead of enforcing.
>> #     disabled - No SELinux policy is loaded.
>> SELINUX=enforcing
>> # SELINUXTYPE= can take one of these three values:
>> #     targeted - Targeted processes are protected,
>> #     minimum - Modification of targeted policy. Only selected processes are protected.
>> #     mls - Multi Level Security protection.
>> SELINUXTYPE=targeted
>>
>> " > /etc/selinux/config
>>
>>      ln -sf ../selinux/config /etc/sysconfig/selinux
>>      restorecon /etc/selinux/config 2> /dev/null || :
>> else
>>      . /etc/selinux/config
>> fi
>> exit 0
>>
>> But can't this be achieved simply with:
>>
>> %config(noreplace) %{_sysconfdir}/selinux/config
>>
>> New installs would get the default config, but otherwise you would get a
>> .rpmnew file.
>>
>> However, I realize that nothing is particularly simple about SELinux so
>> there are probably things I'm not aware of that prevent this.
>>
>> PS - the else code seems to be a no-op.
> Back when I was trying to find my own fixes, I managed to fix one
> portion of the %post selinux that was enough to solve my own problems,
> but this issue you're seeing is one that I wasn't able to find a fix
> for myself. I'd love to see a resolution to this.
>
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
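
The failure mode described in the quoted message (a scriptlet run by /bin/sh aborting when it sources a missing /etc/selinux/config), reproduced as an added example that is not part of the original thread or of any package's scriptlets. The scriptlet bodies, function names and temporary paths are constructed for illustration, and `sh` is assumed to be a POSIX shell.

```shell
#!/bin/sh
# Added example: constructed scriptlet bodies, not the real RPM macros.
# Each body receives the config path as $1 and prints the policy type last.
UNGUARDED='. "$1"; echo "type=${SELINUXTYPE:-unset}"'
GUARDED='if [ -s "$1" ]; then . "$1"; fi; echo "type=${SELINUXTYPE:-unset}"'

# run_scriptlet SHELL BODY CONFIG
# Runs BODY under SHELL the way a %post scriptlet runs: non-interactively.
# Prints the body's output, or "aborted" if the shell exited with failure.
run_scriptlet() {
    out=$(SELINUXTYPE= "$1" -c "$2" scriptlet "$3" 2>/dev/null) || {
        echo aborted
        return 0
    }
    echo "$out"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample config with the value the thread says is needed.
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmp/config"

    for sh_name in sh bash; do
        command -v "$sh_name" >/dev/null 2>&1 || continue
        for cfg in "$tmp/missing" "$tmp/config"; do
            echo "$sh_name unguarded ${cfg##*/}: $(run_scriptlet "$sh_name" "$UNGUARDED" "$cfg")"
            echo "$sh_name guarded   ${cfg##*/}: $(run_scriptlet "$sh_name" "$GUARDED" "$cfg")"
        done
    done
    rm -rf "$tmp"
}

demo
```

In a POSIX shell `.` is a special builtin, so a missing file ends a non-interactive shell before the rest of the scriptlet runs; the guarded body finishes but leaves SELINUXTYPE unset, which is the second half of the problem the thread raises.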

