On 21.2.2014 11:05, Tomas Hozza wrote:
On 02/21/2014 10:46 AM, Petr Spacek wrote:
I want to release bind-dyndb-ldap 4.0 to Fedora 20+ but I have found that we
need to enable SELinux boolean named_write_master_zones otherwise the plugin
will not be able to write journal files to /var/named.

I have asked Miroslav Grepl <mgr...@redhat.com> for advice and his
recommendation is to use another context for our dyndb-ldap sub-directory or
to enable named_write_master_zones.

(See https://bugzilla.redhat.com/show_bug.cgi?id=1066333)

I have decided to use the more generic named_write_master_zones because it will be
needed for DNSSEC key management anyway.

Miroslav told me that it is allowed to change SELinux booleans in RPM
scriptlets - it is normal operation - but that we have to disable the boolean
during package un-installation.

Please review %post and %postun sections in SPEC file.

Thank you!

-- Petr^2 Spacek



 From a7329ae3459a135eff2897d3de9da607280b4615 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Fri, 21 Feb 2014 10:35:35 +0100
Subject: [PATCH] Update to 4.0.

Signed-off-by: Petr Spacek <pspa...@redhat.com>
---
  bind-dyndb-ldap.spec | 31 ++++++++++++++++++++++++-------
  1 file changed, 24 insertions(+), 7 deletions(-)


diff --git a/bind-dyndb-ldap.spec b/bind-dyndb-ldap.spec
index 85b59e40035a35276ee0997764cdd976a8716df5..cbe6b7c76327a9df8e49d4acf925be8f9c1da29b 100644

--- a/bind-dyndb-ldap.spec

+++ b/bind-dyndb-ldap.spec

@@ -1,26 +1,22 @@

-#%define PATCHVER P4
-#%define PREVER 20121009git6a86b1
-#%define VERSION %{version}-%{PATCHVER}
-#%define VERSION %{version}-%{PREVER}
%define VERSION %{version}
Name: bind-dyndb-ldap
-Version: 3.5
+Version: 4.0
Release: 1%{?dist}
Summary: LDAP back-end plug-in for BIND
Group: System Environment/Libraries
License: GPLv2+
URL: https://fedorahosted.org/bind-dyndb-ldap
Source0:
https://fedorahosted.org/released/%{name}/%{name}-%{VERSION}.tar.bz2
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: bind-devel >= 32:9.6.1-0.3.b1
+BuildRequires: bind-devel >= 32:9.9.0-1, bind-lite-devel >= 32:9.9.0-1
BuildRequires: krb5-devel
BuildRequires: openldap-devel
BuildRequires: automake, autoconf, libtool
-Requires: bind >= 32:9.6.1-0.3.b1
+Requires: bind >= 32:9.9.0-1
%description
This package provides an LDAP back-end plug-in for BIND. It features

@@ -41,25 +37,45 @@

make %{?_smp_mflags}
%install
rm -rf %{buildroot}
make install DESTDIR=%{buildroot}
+mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap
# Remove unwanted files
rm %{buildroot}%{_libdir}/bind/ldap.la
rm -r %{buildroot}%{_datadir}/doc/%{name}
+# SELinux boolean named_write_master_zones has to be enabled
+# otherwise plugin will not be able to write to /var/named
+%post
+if [ "0$1" -eq "1" ] && [ -x "/usr/sbin/setsebool" ] ; then
+ echo "Enabling SELinux boolean named_write_master_zones"
+ /usr/sbin/setsebool -P named_write_master_zones=1 || true

I think you should redirect all output from the setsebool to /dev/null
so it does not produce any output during the "yum install". The same
goes for the "echo": I'm not sure if it should be there, but I didn't find any
rule in the packaging guidelines that prohibits you from doing so.

I don't understand what the point is. I guess that it is an anachronism from old times when RPM had problems with that.

If you don't insist (or find any rule about this) I will leave the output as is.

IMHO it is much, much better to show the user what went wrong instead of just saying "post scriptlet failed".


It is also "common" to use ":" instead of "true" after OR, but this is
a cosmetic thing.
Done.


You can find more information (if you didn't already) here:
https://fedoraproject.org/wiki/Packaging:ScriptletSnippets

+fi
+
+
+%postun
+if [ "0$1" -eq "0" ] && [ -x "/usr/sbin/setsebool" ] ; then
+ echo "Disabling SELinux boolean named_write_master_zones"
+ /usr/sbin/setsebool -P named_write_master_zones=0 || true

The same as above...

+fi
+
+
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root,-)
%doc NEWS README COPYING doc/{example.ldif,schema}
+%dir %attr(770, root, named) %{_localstatedir}/named/dyndb-ldap
%{_libdir}/bind/ldap.so
%changelog
+* Wed Feb 19 2014 Petr Spacek <pspacek redhat com> 4.0-1
+- update to 4.0
+
* Thu Jul 18 2013 Petr Spacek <pspacek redhat com> 3.5-1
- update to 3.5
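Review bot: the %post guard `[ "0$1" -eq "1" ]` only fires on first install, so a system upgrading from 3.5 to 4.0 ($1 is 2) never gets named_write_master_zones enabled, even though this very release adds the %{_localstatedir}/named/dyndb-ldap directory the plugin must write to; either run the setsebool on every install (`[ "0$1" -ge "1" ]`) or state in the changelog that upgrades have to enable the boolean by hand. The mirror problem is in %postun: on erase the boolean is turned off regardless of who enabled it, and named_write_master_zones is a generic named boolean an administrator may have set for unrelated master zones, so disabling it unconditionally can break configurations this package never owned. Minor: `setsebool -P` rewrites the policy store and its failure is hidden by `|| true`; adding `selinuxenabled` to the guard next to the `-x /usr/sbin/setsebool` test would skip the call cleanly on systems where SELinux is disabled.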
--

1.8.5.3

Regards,

Tomas

--
Petr^2 Spacek

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
