Flatpak should be doing a

requires(post): selinux-policy-base

to make sure it is installed before flatpak.

On 11/1/19 2:51 PM, Tim Zabel wrote:
> On Fri, 2019-11-01 at 12:02 -0600, Orion Poplawski wrote:
>> My F31 kickstart install is failing with:
>>
>> DNF error: Error in POSTIN scriptlet in rpm package flatpak-selinux
> Hmm, I've also run into this issue of flatpak-selinux's POSTIN failing
> :(
>
> Just to be sure, are you building the kickstart with SELinux set to
> permissive? It won't work if it's in Enforcing.
>
>> This is because flatpak-selinux installs a SELinux module in %post:
>>
>> %post selinux
>> %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
>>
>> which sources /etc/selinux/config. It is failing because
>> /etc/selinux/config does not exist and /bin/sh exits with failure
>> (/bin/bash does not interestingly enough).
>>
>> This was reported earlier here:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1723118
> For reference, here are some other BZs that I've run into while trying
> to come up with my own fixes to this issue:
>
> * https://bugzilla.redhat.com/show_bug.cgi?id=1732132
>
> * https://bugzilla.redhat.com/show_bug.cgi?id=1665643
>
>
>> and the suggestion made to add:
>>
>> Requires(post): selinux-policy
>>
>> since selinux-policy owns /etc/selinux/config. However, selinux-policy
>> creates /etc/selinux/config in its own %post, and Requires(post) only
>> guarantees that the package's contents are installed, not that its
>> scripts are complete.
>>
>> So, what's the best way to fix this? We need /etc/selinux/policy to be
>> present and populated with SELINUXTYPE=targeted for the selinux policy
>> modules to be installed properly.
>>
>> selinux-policy does:
>>
>> %post
>> if [ ! -s /etc/selinux/config ]; then
>> #
>> # New install so we will default to targeted policy
>> #
>> echo "
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> # enforcing - SELinux security policy is enforced.
>> # permissive - SELinux prints warnings instead of enforcing.
>> # disabled - No SELinux policy is loaded.
>> SELINUX=enforcing
>> # SELINUXTYPE= can take one of these three values:
>> # targeted - Targeted processes are protected,
>> # minimum - Modification of targeted policy. Only selected processes are protected.
>> # mls - Multi Level Security protection.
>> SELINUXTYPE=targeted
>>
>> " > /etc/selinux/config
>>
>> ln -sf ../selinux/config /etc/sysconfig/selinux
>> restorecon /etc/selinux/config 2> /dev/null || :
>> else
>> . /etc/selinux/config
>> fi
>> exit 0
>>
>> But can't this be achieved simply with:
>>
>> %config(noreplace) %{_sysconfdir}/selinux/config
>>
>> New installs would get the default config, but otherwise you would get
>> a .rpmnew file.
>>
>> However, I realize that nothing is particularly simple about SELinux
>> so there are probably things I'm not aware of that prevent this.
>>
>> PS - the else code seems to be a no-op.
> Back when I was trying to find my own fixes, I managed to fix one
> portion of the %post selinux that was enough to solve my own problems,
> but this issue you're seeing is one that I wasn't able to find a fix
> for myself. I'd love to see a resolution to this.
>
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
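The failure mode discussed in the thread, as an added example that is not part of any message above and is not code from the flatpak or selinux-policy packages: a scriptlet that sources a missing config file aborts under a POSIX /bin/sh, while a guarded read does not. The function names, the temporary file paths and the choice of `targeted` as the fallback value are assumptions of this example.

```shell
#!/bin/sh
# Added example. All paths are constructed in a temporary directory; nothing
# under /etc/selinux is read or written.

# Run a child shell ($1) that sources file $2 with no guard, the way a
# scriptlet would. Prints "completed" only if the child got past the `.`.
# In a POSIX shell a failing `.` (a special builtin) terminates the shell.
run_unguarded() {
    "$1" -c '. "$1"; echo completed' scriptlet "$2" 2>/dev/null
}

# Guarded form: source the file only if it exists and is non-empty, then
# print SELINUXTYPE, falling back to "targeted" (assumed default).
run_guarded() {
    "$1" -c '
        SELINUXTYPE=
        if [ -s "$1" ]; then . "$1"; fi
        echo "${SELINUXTYPE:-targeted}"
    ' scriptlet "$2" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
missing="$demo_dir/config-not-yet-created"   # stands in for the absent file
present="$demo_dir/config"                   # constructed sample config
printf 'SELINUX=enforcing\nSELINUXTYPE=mls\n' > "$present"

# Compare sh with bash (when installed) on the missing file.
for shell in sh bash; do
    command -v "$shell" >/dev/null 2>&1 || continue
    out=$(run_unguarded "$shell" "$missing") || out="aborted (status $?)"
    echo "$shell unguarded, file missing: $out"
done

echo "sh guarded, file missing: $(run_guarded sh "$missing")"
echo "sh guarded, file present: $(run_guarded sh "$present")"
```

The guard only keeps the scriptlet from aborting; it does not settle the ordering question raised in the thread, since the value read still depends on whether the other package's %post has already run.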