Hi Peter.
See comments below...

On 02/21/2014 10:46 AM, Petr Spacek wrote:
> Hello list,
>
> I want to release bind-dyndb-ldap 4.0 to Fedora 20+ but I have found that we
> need to enable SELinux boolean named_write_master_zones otherwise the plugin
> will not be able to write journal files to /var/named.
>
> I have asked Miroslav Grepl <[email protected]> for advice and his
> recommendation is to use another context for our dyndb-ldap sub-directory or
> to enable named_write_master_zones.
>
> (See https://bugzilla.redhat.com/show_bug.cgi?id=1066333)
>
> I have decided to use more generic named_write_master_zones because it will
> be needed for DNSSEC key management anyway.
>
> Miroslav told me that it is allowed to change SELinux booleans in RPM
> scriptlets - it is normal operation - but that we have to disable the boolean
> during package un-installation.
>
> Please review %post and %postun sections in SPEC file.
>
> Thank you!
>
> -- Petr^2 Spacek
>
> From a7329ae3459a135eff2897d3de9da607280b4615 Mon Sep 17 00:00:00 2001 > From: Petr Spacek <[email protected]> > Date: Fri, 21 Feb 2014 10:35:35 +0100 > Subject: [PATCH] Update to 4.0. > > Signed-off-by: Petr Spacek <[email protected]> > --- > bind-dyndb-ldap.spec | 31 ++++++++++++++++++++++++------- > 1 file changed, 24 insertions(+), 7 deletions(-) > > ======================================= > > diff --git a/bind-dyndb-ldap.spec b/bind-dyndb-ldap.spec > index > 85b59e40035a35276ee0997764cdd976a8716df5..cbe6b7c76327a9df8e49d4acf925be8f9c1da29b > 100644 > > --- a/bind-dyndb-ldap.spec > > +++ b/bind-dyndb-ldap.spec 
> > @@ -1,26 +1,22 @@ > > -#%define PATCHVER P4 > -#%define PREVER 20121009git6a86b1 > -#%define VERSION %{version}-%{PATCHVER} > -#%define VERSION %{version}-%{PREVER} > %define VERSION %{version} > Name: bind-dyndb-ldap > -Version: 3.5 > +Version: 4.0 > Release: 1%{?dist} > Summary: LDAP back-end plug-in for BIND > Group: System Environment/Libraries > License: GPLv2+ > URL: https://fedorahosted.org/bind-dyndb-ldap > Source0: > https://fedorahosted.org/released/%{name}/%{name}-%{VERSION}.tar.bz2 > BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) > -BuildRequires: bind-devel >= 32:9.6.1-0.3.b1 > +BuildRequires: bind-devel >= 32:9.9.0-1, bind-lite-devel >= 32:9.9.0-1 > BuildRequires: krb5-devel > BuildRequires: openldap-devel > BuildRequires: automake, autoconf, libtool > -Requires: bind >= 32:9.6.1-0.3.b1 > +Requires: bind >= 32:9.9.0-1 > %description > This package provides an LDAP back-end plug-in for BIND. It features 
> > @@ -41,25 +37,45 @@ > > make %{?_smp_mflags} > %install > rm -rf %{buildroot} > make install DESTDIR=%{buildroot} > +mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap > # Remove unwanted files > rm %{buildroot}%{_libdir}/bind/ldap.la > rm -r %{buildroot}%{_datadir}/doc/%{name} > +# SELinux boolean named_write_master_zones has to be enabled > +# otherwise plugin will not be able to write to /var/named > +%post > +if [ "0$1" -eq "1" ] && [ -x "/usr/sbin/setsebool" ] ; then > + echo "Enabling SELinux boolean named_write_master_zones" > + /usr/sbin/setsebool -P named_write_master_zones=1 || true I think you should redirect all output from the setsebool to /dev/null so it does not produce any output during the "yum install". The same for the "echo" I'm not sure if it should be there, but I didn't find any rule in packaging guidelines that is prohibiting you from doing so. It is also "common" to use ":" instead of "true" after OR, but this is a cosmetic thing. You can find more information (if you didn't already) here: https://fedoraproject.org/wiki/Packaging:ScriptletSnippets > +fi > + > + > +%postun > +if [ "0$1" -eq "0" ] && [ -x "/usr/sbin/setsebool" ] ; then > + echo "Disabling SELinux boolean named_write_master_zones" > + /usr/sbin/setsebool -P named_write_master_zones=0 || true The same as above... 
> +fi > + > + > %clean > rm -rf %{buildroot} > %files > %defattr(-,root,root,-) > %doc NEWS README COPYING doc/{example.ldif,schema} > +%dir %attr(770, root, named) %{_localstatedir}/named/dyndb-ldap > %{_libdir}/bind/ldap.so > %changelog > +* Wed Feb 19 2014 Petr Spacek <pspacek redhat com> 4.0-1 > +- update to 4.0 > + > * Thu Jul 18 2013 Petr Spacek <pspacek redhat com> 3.5-1 > - update to 3.5 > -- > > 1.8.5.3

Regards, Tomas

_______________________________________________
Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
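Review bot: in the first hunk (`@@ -1,26 +1,22 @@`), the raised minimum at `Requires: bind >= 32:9.9.0-1` and the new `bind-lite-devel >= 32:9.9.0-1` build dependency are not documented anywhere a packager will look: the commit subject is only "Update to 4.0." and the new %changelog entry says just "update to 4.0". Add a %changelog line stating that 4.0 needs BIND 9.9.0 or later, so that anyone rebuilding for a branch with an older bind sees why the build or the install is refused.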
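Review bot: in the second hunk (`@@ -41,25 +37,45 @@`), the %post guard `[ "0$1" -eq "1" ]` is true only on a first install, so a system upgrading from 3.5-1 to 4.0-1 runs %post with $1 = 2 and never gets named_write_master_zones enabled, which leaves the plugin unable to write under /var/named on exactly the hosts that already run it. Either enable the boolean on upgrade as well or document that upgraders must set it by hand. Related, in %postun: `setsebool -P named_write_master_zones=0` runs on every final removal without checking whether the boolean was already on before this package was installed, so removing the package can switch it off for an administrator or another consumer that enabled it independently. Record the prior state in %post and restore only what the package itself changed. Because both calls end in `|| true`, a failed setsebool is also silent, so a check that the boolean actually took effect is worth having somewhere outside the scriptlet.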
