-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Peter.

See comments below...

On 02/21/2014 10:46 AM, Petr Spacek wrote:
> Hello list,
> 
> I want to release bind-dyndb-ldap 4.0 to Fedora 20+ but I have found that we 
> need to enable SELinux boolean named_write_master_zones otherwise the plugin 
> will not be able to write journal files to /var/named.
> 
> I have asked Miroslav Grepl <mgr...@redhat.com> for advice and his 
> recommendation is to use another context for our dyndb-ldap sub-directory or 
> to enable named_write_master_zones.
> 
> (See https://bugzilla.redhat.com/show_bug.cgi?id=1066333)
> 
> I have decided to use more generic named_write_master_zones because it will 
> be 
> need for DNSSEC key management anyway.
> 
> Miroslav told me that it is allowed to change SELinux booleans in RPM 
> scriptlets - it is normal operation - but that we have to disable the boolean 
> during package un-installation.
> 
> Please review %post and %postun sections in SPEC file.
> 
> Thank you!
> 
> -- Petr^2 Spacek
> 
> 
> 
> From a7329ae3459a135eff2897d3de9da607280b4615 Mon Sep 17 00:00:00 2001
> From: Petr Spacek <pspa...@redhat.com>
> Date: Fri, 21 Feb 2014 10:35:35 +0100
> Subject: [PATCH] Update to 4.0.
> 
> Signed-off-by: Petr Spacek <pspa...@redhat.com>
> ---
>  bind-dyndb-ldap.spec | 31 ++++++++++++++++++++++++-------
>  1 file changed, 24 insertions(+), 7 deletions(-)
> 
> =======================================
> 
> diff --git a/bind-dyndb-ldap.spec b/bind-dyndb-ldap.spec
> index 
> 85b59e40035a35276ee0997764cdd976a8716df5..cbe6b7c76327a9df8e49d4acf925be8f9c1da29b
>  100644
> 
> --- a/bind-dyndb-ldap.spec
> 
> +++ b/bind-dyndb-ldap.spec
> 
> @@ -1,26 +1,22 @@
> 
> -#%define PATCHVER P4
> -#%define PREVER 20121009git6a86b1
> -#%define VERSION %{version}-%{PATCHVER}
> -#%define VERSION %{version}-%{PREVER}
> %define VERSION %{version}
> Name: bind-dyndb-ldap
> -Version: 3.5
> +Version: 4.0
> Release: 1%{?dist}
> Summary: LDAP back-end plug-in for BIND
> Group: System Environment/Libraries
> License: GPLv2+
> URL: https://fedorahosted.org/bind-dyndb-ldap
> Source0:
> https://fedorahosted.org/released/%{name}/%{name}-%{VERSION}.tar.bz2
> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
> -BuildRequires: bind-devel >= 32:9.6.1-0.3.b1
> +BuildRequires: bind-devel >= 32:9.9.0-1, bind-lite-devel >= 32:9.9.0-1
> BuildRequires: krb5-devel
> BuildRequires: openldap-devel
> BuildRequires: automake, autoconf, libtool
> -Requires: bind >= 32:9.6.1-0.3.b1
> +Requires: bind >= 32:9.9.0-1
> %description
> This package provides an LDAP back-end plug-in for BIND. It features
> 
> @@ -41,25 +37,45 @@
> 
> make %{?_smp_mflags}
> %install
> rm -rf %{buildroot}
> make install DESTDIR=%{buildroot}
> +mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap
> # Remove unwanted files
> rm %{buildroot}%{_libdir}/bind/ldap.la
> rm -r %{buildroot}%{_datadir}/doc/%{name}
> +# SELinux boolean named_write_master_zones has to be enabled
> +# otherwise plugin will not be able to write to /var/named
> +%post
> +if [ "0$1" -eq "1" ] && [ -x "/usr/sbin/setsebool" ] ; then
> + echo "Enabling SELinux boolean named_write_master_zones"
> + /usr/sbin/setsebool -P named_write_master_zones=1 || true

I think you should redirect all output from the setsebool to /dev/null
so it does not produce any output during the "yum install". The same
for the "echo" I'm not sure if it should be there, but I didn't find any
rule in packaging guidelines that is prohibiting you from doing so.

It is also "common" to use ":" instead of "true" after OR, but this is
a cosmetic thing.

You can find more information (if you didn't already) here:
https://fedoraproject.org/wiki/Packaging:ScriptletSnippets

> +fi
> +
> +
> +%postun
> +if [ "0$1" -eq "0" ] && [ -x "/usr/sbin/setsebool" ] ; then
> + echo "Disabling SELinux boolean named_write_master_zones"
> + /usr/sbin/setsebool -P named_write_master_zones=0 || true

The same as above...

> +fi
> +
> +
> %clean
> rm -rf %{buildroot}
> %files
> %defattr(-,root,root,-)
> %doc NEWS README COPYING doc/{example.ldif,schema}
> +%dir %attr(770, root, named) %{_localstatedir}/named/dyndb-ldap
> %{_libdir}/bind/ldap.so
> %changelog
> +* Wed Feb 19 2014 Petr Spacek <pspacek redhat com> 4.0-1
> +- update to 4.0
> +
> * Thu Jul 18 2013 Petr Spacek <pspacek redhat com> 3.5-1
> - update to 3.5
> -- 
> 
> 1.8.5.3

Regards,

Tomas

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTByT9AAoJEMWIetUdnzwtbW0H/38n6O3KKuwbwZgV+SVToZLE
CIu7RvzLcLejhVyi8ncVrFUs4jS6xl4Uf2t9OmGjQlkuHECjXu/0Nz1Rkher2fZh
c4qyvKrpBaKXpcWtOHEdOKBCKEjq2Qjque1c4zeklSIqtJL5qqrLjcJGrtET5p8C
hFy3+FrnvY2va+vK1NJMFfvQ0qhU2OGOJG6SKrsOJcVy1GIVX3dRAMYL1mPyKlb3
LazBqa7vgWkw9ZwSzMH/5CMrih6te7DeEzCsTsXQY4oMGEro+2VoTMaVhNMu19jb
DuxUUG8AbPwh1p8yhhppf0s8gXZnKPGzBBnezkC6KBXmw3ppnUm8DLeclcNlrPU=
=6o0G
-----END PGP SIGNATURE-----

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to