On 21.2.2014 11:05, Tomas Hozza wrote:
On 02/21/2014 10:46 AM, Petr Spacek wrote:
I want to release bind-dyndb-ldap 4.0 to Fedora 20+, but I have found that we
need to enable the SELinux boolean named_write_master_zones, otherwise the plugin
will not be able to write journal files to /var/named.

I have asked Miroslav Grepl <mgr...@redhat.com> for advice and his
recommendation is to use another context for our dyndb-ldap sub-directory or
to enable named_write_master_zones.

(See https://bugzilla.redhat.com/show_bug.cgi?id=1066333)

I have decided to use the more generic named_write_master_zones because it will be
needed for DNSSEC key management anyway.

Miroslav told me that it is allowed to change SELinux booleans in RPM
scriptlets - it is a normal operation - but that we have to disable the boolean
during package uninstallation.

Please review %post and %postun sections in SPEC file.

Thank you!

-- Petr^2 Spacek

 From a7329ae3459a135eff2897d3de9da607280b4615 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Fri, 21 Feb 2014 10:35:35 +0100
Subject: [PATCH] Update to 4.0.

Signed-off-by: Petr Spacek <pspa...@redhat.com>
  bind-dyndb-ldap.spec | 31 ++++++++++++++++++++++++-------
  1 file changed, 24 insertions(+), 7 deletions(-)


diff --git a/bind-dyndb-ldap.spec b/bind-dyndb-ldap.spec

--- a/bind-dyndb-ldap.spec

+++ b/bind-dyndb-ldap.spec

@@ -1,26 +1,22 @@

%define VERSION %{version}
-#%define PREVER 20121009git6a86b1
-#%define VERSION %{version}-%{PATCHVER}
-#%define VERSION %{version}-%{PREVER}
%define VERSION %{version}
Name: bind-dyndb-ldap
-Version: 3.5
+Version: 4.0
Release: 1%{?dist}
Summary: LDAP back-end plug-in for BIND
Group: System Environment/Libraries
License: GPLv2+
URL: https://fedorahosted.org/bind-dyndb-ldap
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: bind-devel >= 32:9.6.1-0.3.b1
+BuildRequires: bind-devel >= 32:9.9.0-1, bind-lite-devel >= 32:9.9.0-1
BuildRequires: krb5-devel
BuildRequires: openldap-devel
BuildRequires: automake, autoconf, libtool
-Requires: bind >= 32:9.6.1-0.3.b1
+Requires: bind >= 32:9.9.0-1
This package provides an LDAP back-end plug-in for BIND. It features
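Review bot: after the three commented-out lines are removed, `%define VERSION %{version}` is still defined twice in this hunk (once above and once below the deleted block); drop one of them so the spec does not carry a redundant define. The 32:9.9.0-1 bump is applied consistently to bind-devel, the new bind-lite-devel BuildRequires and the runtime Requires on bind, which is what the 4.0 plugin needs.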

@@ -41,25 +37,45 @@

make %{?_smp_mflags}
rm -rf %{buildroot}
make install DESTDIR=%{buildroot}
+mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap
# Remove unwanted files
rm %{buildroot}%{_libdir}/bind/ldap.la
rm -r %{buildroot}%{_datadir}/doc/%{name}
+# SELinux boolean named_write_master_zones has to be enabled
+# otherwise plugin will not be able to write to /var/named
+if [ "0$1" -eq "1" ] && [ -x "/usr/sbin/setsebool" ] ; then
+ echo "Enabling SELinux boolean named_write_master_zones"
+ /usr/sbin/setsebool -P named_write_master_zones=1 || true
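Review bot: the guard `[ "0$1" -eq "1" ]` only fires on a fresh install, so a system upgraded from 3.5 (where %post receives $1 == 2) never gets named_write_master_zones enabled, even though the comment two lines above says the plugin cannot write to /var/named without it; run the setsebool branch for any $1 -ge 1, and since this is a system-wide boolean rather than a label on the dyndb-ldap sub-directory, consider recording its previous value (getsebool) before changing it so that %postun can restore it instead of clearing it unconditionally. The `|| true` is fine as long as the error setsebool prints stays visible, which is the point Petr makes below.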

I think you should redirect all output from setsebool to /dev/null
so it does not produce any output during "yum install". The same
for the "echo": I'm not sure whether it should be there, but I didn't find any
rule in the packaging guidelines that prohibits you from doing so.

I don't understand what the point is. I guess that it is an anachronism from old times when RPM had problems with that.

If you don't insist (or find any rule about this), I will leave the output as is.

IMHO it is much, much better to show the user what went wrong instead of just saying "post scriptlet failed".

It is also "common" to use ":" instead of "true" after OR, but this is
a cosmetic thing.

You can find more information (if you didn't already) here:

+if [ "0$1" -eq "0" ] && [ -x "/usr/sbin/setsebool" ] ; then
+ echo "Disabling SELinux boolean named_write_master_zones"
+ /usr/sbin/setsebool -P named_write_master_zones=0 || true
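Review bot: on final erase ($1 == 0) this unconditionally clears a system-wide boolean that the administrator may have enabled before bind-dyndb-ldap was ever installed, for example for dynamic updates to plain BIND master zones, so uninstalling the plugin silently changes how named behaves for unrelated zones; either restore the value that was in effect before %post changed it, or only clear the boolean when the package was the one that turned it on, and document in the package that removal resets it.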

The same as above...

rm -rf %{buildroot}
%doc NEWS README COPYING doc/{example.ldif,schema}
+%dir %attr(770, root, named) %{_localstatedir}/named/dyndb-ldap
+* Wed Feb 19 2014 Petr Spacek <pspacek redhat com> 4.0-1
+- update to 4.0
* Thu Jul 18 2013 Petr Spacek <pspacek redhat com> 3.5-1
- update to 3.5
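Review bot: the changelog entry says only "update to 4.0", but this release adds a %post/%postun pair that toggles the system-wide named_write_master_zones boolean and a new root:named 770 directory %{_localstatedir}/named/dyndb-ldap; mention both in the changelog so administrators reviewing the update see the policy change rather than discovering it from the scriptlet output.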



Petr^2 Spacek
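The following is an added example, not code from the bind-dyndb-ldap spec or from either poster, showing the %post/%postun decision logic the thread is about as plain POSIX sh functions. RPM passes an instance count as $1 (in %post: 1 on first install, 2 on upgrade; in %postun: 0 when the last copy is erased, 1 during an upgrade), and a scriptlet that flips a system-wide SELinux boolean can record the value it found so that uninstalling restores it instead of forcing it off. The demo_* names, DEMO_STATEFILE and the constructed getsebool output line are this example's own assumptions; the real getsebool/setsebool are only invoked when present, so the functions can be exercised on a host without SELinux.

```shell
#!/bin/sh
# Added example: SELinux boolean handling for an RPM %post/%postun pair.
# Every demo_* name and DEMO_STATEFILE is an assumption of this example.

DEMO_BOOL="named_write_master_zones"
# Hypothetical place to remember the pre-install value of the boolean.
DEMO_STATEFILE="${DEMO_STATEFILE:-/var/lib/demo-dyndb-ldap/${DEMO_BOOL}.prev}"

# Parse one line of `getsebool` output, e.g. (constructed sample)
#   "named_write_master_zones --> off"
# and print only the value ("on" or "off"); non-zero exit on anything else.
demo_parse_getsebool() {
    set -- $1                                   # split the line on whitespace
    [ "$#" -eq 3 ] && [ "$2" = "-->" ] || return 1
    case "$3" in
        on|off) printf '%s\n' "$3" ;;
        *)      return 1 ;;
    esac
}

# What %post should do. $1 = RPM instance count (1 = first install,
# 2 or more = upgrade), $2 = current boolean value ("on"/"off").
# Prints "enable" or "keep". Upgrades are covered too: a host that
# upgrades from an older package never ran an install-time branch.
demo_post_action() {
    if [ "$1" -ge 1 ] && [ "$2" = "off" ]; then
        echo enable
    else
        echo keep
    fi
}

# What %postun should do. $1 = instance count (0 = last copy removed,
# 1 or more = upgrade in progress), $2 = value recorded before install.
# Prints "disable" or "keep": only the final removal touches the boolean,
# and only if it was "off" before this package turned it on.
demo_postun_action() {
    if [ "$1" -eq 0 ] && [ "$2" = "off" ]; then
        echo disable
    else
        echo keep
    fi
}

# Scriptlet bodies wiring the decisions to the real tools. They return
# early when the tools are absent (non-SELinux host), like the spec does.
demo_post() {        # usage inside %post: demo_post "$1"
    [ -x /usr/sbin/setsebool ] && [ -x /usr/sbin/getsebool ] || return 0
    current=$(demo_parse_getsebool "$(/usr/sbin/getsebool "$DEMO_BOOL")") || return 0
    if [ "$(demo_post_action "$1" "$current")" = enable ]; then
        mkdir -p "$(dirname "$DEMO_STATEFILE")"
        # Remember what we found so %postun can put it back.
        [ -f "$DEMO_STATEFILE" ] || printf '%s\n' "$current" > "$DEMO_STATEFILE"
        echo "Enabling SELinux boolean $DEMO_BOOL"
        /usr/sbin/setsebool -P "$DEMO_BOOL"=1
    fi
}

demo_postun() {      # usage inside %postun: demo_postun "$1"
    [ -x /usr/sbin/setsebool ] && [ -f "$DEMO_STATEFILE" ] || return 0
    prev=$(cat "$DEMO_STATEFILE")
    if [ "$(demo_postun_action "$1" "$prev")" = disable ]; then
        echo "Restoring SELinux boolean $DEMO_BOOL to $prev"
        /usr/sbin/setsebool -P "$DEMO_BOOL"=0
    fi
    if [ "$1" -eq 0 ]; then
        rm -f "$DEMO_STATEFILE"     # last copy gone, nothing left to restore
    fi
    return 0
}
```

The pure functions (demo_post_action, demo_postun_action, demo_parse_getsebool) carry the policy and can be checked without root or SELinux; demo_post and demo_postun are the only parts that would go into the spec scriptlets, and they keep the visible echo that the thread argues for while adding the state file so that an uninstall does not clear a boolean the administrator had set on purpose.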

