On 02/21/2014 12:54 PM, Tomas Hozza wrote:
> On 02/21/2014 12:10 PM, Petr Spacek wrote:
>> On 21.2.2014 11:05, Tomas Hozza wrote:
>>> On 02/21/2014 10:46 AM, Petr Spacek wrote:
>>>> I want to release bind-dyndb-ldap 4.0 to Fedora 20+ but I have found that we
>>>> need to enable SELinux boolean named_write_master_zones otherwise the plugin
>>>> will not be able to write journal files to /var/named.
>>>>
>>>> I have asked Miroslav Grepl <mgr...@redhat.com> for advice and his
>>>> recommendation is to use another context for our dyndb-ldap sub-directory or
>>>> to enable named_write_master_zones.
>>>>
>>>> (See https://bugzilla.redhat.com/show_bug.cgi?id=1066333)
>>>>
>>>> I have decided to use more generic named_write_master_zones because it will be
>>>> needed for DNSSEC key management anyway.
>>>>
>>>> Miroslav told me that it is allowed to change SELinux booleans in RPM
>>>> scriptlets - it is normal operation - but that we have to disable the boolean
>>>> during package un-installation.
>>>>
>>>> Please review %post and %postun sections in SPEC file.
>>>>
>>>> Thank you!
>>>>
>>>> -- Petr^2 Spacek
>>>>
>>>>
>>>> From a7329ae3459a135eff2897d3de9da607280b4615 Mon Sep 17 00:00:00 2001
>>>> From: Petr Spacek <pspa...@redhat.com>
>>>> Date: Fri, 21 Feb 2014 10:35:35 +0100
>>>> Subject: [PATCH] Update to 4.0.
>>>>
>>>> Signed-off-by: Petr Spacek <pspa...@redhat.com>
>>>> ---
>>>> bind-dyndb-ldap.spec | 31 ++++++++++++++++++++++++-------
>>>> 1 file changed, 24 insertions(+), 7 deletions(-)
>>>>
>>>> =======================================
>>>>
>>>> diff --git a/bind-dyndb-ldap.spec b/bind-dyndb-ldap.spec
>>>> index 85b59e40035a35276ee0997764cdd976a8716df5..cbe6b7c76327a9df8e49d4acf925be8f9c1da29b 100644
>>>>
>>>> --- a/bind-dyndb-ldap.spec
>>>>
>>>> +++ b/bind-dyndb-ldap.spec
>>>> >>>> @@ -1,26 +1,22 @@ >>>> >>>> -#%define PATCHVER P4 >>>> -#%define PREVER 20121009git6a86b1 >>>> -#%define VERSION %{version}-%{PATCHVER} >>>> -#%define VERSION %{version}-%{PREVER} >>>> %define VERSION %{version} >>>> Name: bind-dyndb-ldap >>>> -Version: 3.5 >>>> +Version: 4.0 >>>> Release: 1%{?dist} >>>> Summary: LDAP back-end plug-in for BIND >>>> Group: System Environment/Libraries >>>> License: GPLv2+ >>>> URL: https://fedorahosted.org/bind-dyndb-ldap >>>> Source0: >>>> https://fedorahosted.org/released/%{name}/%{name}-%{VERSION}.tar.bz2 >>>> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} >>>> -n) >>>> -BuildRequires: bind-devel >= 32:9.6.1-0.3.b1 >>>> +BuildRequires: bind-devel >= 32:9.9.0-1, bind-lite-devel >= 32:9.9.0-1 >>>> BuildRequires: krb5-devel >>>> BuildRequires: openldap-devel >>>> BuildRequires: automake, autoconf, libtool >>>> -Requires: bind >= 32:9.6.1-0.3.b1 >>>> +Requires: bind >= 32:9.9.0-1 >>>> %description >>>> This package provides an LDAP back-end plug-in for BIND. It features >>>> >>>> @@ -41,25 +37,45 @@ >>>> >>>> make %{?_smp_mflags} >>>> %install >>>> rm -rf %{buildroot} >>>> make install DESTDIR=%{buildroot} >>>> +mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap >>>> # Remove unwanted files >>>> rm %{buildroot}%{_libdir}/bind/ldap.la >>>> rm -r %{buildroot}%{_datadir}/doc/%{name} >>>> +# SELinux boolean named_write_master_zones has to be enabled >>>> +# otherwise plugin will not be able to write to /var/named >>>> +%post >>>> +if [ "0$1" -eq "1" ] && [ -x "/usr/sbin/setsebool" ] ; then
I just noticed that you are setting the SELinux option ONLY when installing the package. I think you want to set it also if updating the package from older version... So you should use "-ge" instead of "-eq". >>>> + echo "Enabling SELinux boolean named_write_master_zones" >>>> + /usr/sbin/setsebool -P named_write_master_zones=1 || true >>> >>> I think you should redirect all output from the setsebool to /dev/null >>> so it does not produce any output during the "yum install". The same >>> for the "echo" I'm not sure if it should be there, but I didn't find any >>> rule in packaging guidelines that is prohibiting you from doing so. > >> I don't understand what is the point. I guess that it is an anachronism >> from old times when RPM have problems with that. > >> If you don't insist (or find any rule about this) I will let the output >> as is. > >> IMHO it is much much better to show to user what went wrong instead of >> telling just "post scriptlet failed". > > I don't insist on this. However from my point of view at least the > STDOUT should be discarded. You may leave the STDERR as is. > > Keep in mind that user using graphical installation tool will not > see those outputs anyway. > > > >>> It is also "common" to use ":" instead of "true" after OR, but this is >>> a cosmetic thing. >> Done. > >>> >>> You can find more information (if you didn't already) here: >>> https://fedoraproject.org/wiki/Packaging:ScriptletSnippets >>> >>>> +fi >>>> + >>>> + >>>> +%postun >>>> +if [ "0$1" -eq "0" ] && [ -x "/usr/sbin/setsebool" ] ; then >>>> + echo "Disabling SELinux boolean named_write_master_zones" >>>> + /usr/sbin/setsebool -P named_write_master_zones=0 || true >>> >>> The same as above... 
>>> >>>> +fi >>>> + >>>> + >>>> %clean >>>> rm -rf %{buildroot} >>>> %files >>>> %defattr(-,root,root,-) >>>> %doc NEWS README COPYING doc/{example.ldif,schema} >>>> +%dir %attr(770, root, named) %{_localstatedir}/named/dyndb-ldap >>>> %{_libdir}/bind/ldap.so >>>> %changelog >>>> +* Wed Feb 19 2014 Petr Spacek <pspacek redhat com> 4.0-1 >>>> +- update to 4.0 >>>> + >>>> * Thu Jul 18 2013 Petr Spacek <pspacek redhat com> 3.5-1 >>>> - update to 3.5 >>>> -- >>>> >>>> 1.8.5.3
>>>
>>> Regards,
>>>
>>> Tomas

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
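Review bot: In the %post/%postun hunk, `/usr/sbin/setsebool -P named_write_master_zones=0` on final removal (`"0$1" -eq "0"`) switches the boolean off regardless of whether it was already on before bind-dyndb-ldap was installed, so an administrator who had enabled it for their own dynamic zones silently loses named's write access to /var/named when the package is removed. Record the pre-install value in %post (for example the output of `getsebool named_write_master_zones`) and only reset the boolean in %postun when this package was the one that enabled it; together with changing the %post test from `-eq "1"` to `-ge` as already raised in the thread, that makes install, upgrade and removal leave the system in a predictable state. Worth a comment in the spec as well: named_write_master_zones grants named write access to everything labelled named_zone_t under /var/named, not only the new %{_localstatedir}/named/dyndb-ldap directory, which is broader than the per-directory context Miroslav suggested as the alternative.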
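The scriptlet pattern the thread discusses, reworked as an added example (not Petr's spec and not bind-dyndb-ldap code): the enable/disable decisions sit in plain functions so the RPM "$1" semantics can be checked on any host, and the pre-install value is recorded so that removal restores what the administrator had; the state file path and the getsebool output parsing are assumptions made here.

```shell
# Added example (not the patch's spec): %post/%postun decision logic for
# named_write_master_zones as separate functions, so the RPM "$1" semantics
# (install=1, upgrade>=2, final removal=0) and the pre-install state handling
# can be checked without SELinux. STATE_FILE is a hypothetical path.
STATE_FILE="${STATE_FILE:-/var/lib/bind-dyndb-ldap/selinux-state}"
BOOL=named_write_master_zones

# Turn a getsebool line such as "named_write_master_zones --> off"
# into "on", "off" or "unknown" (boolean missing from the policy).
parse_getsebool() {
    case "$1" in
        *'--> on')  echo on ;;
        *'--> off') echo off ;;
        *)          echo unknown ;;
    esac
}

# %post: $1 is the install count; enable on install *and* upgrade
# (-ge, not -eq), but only if the boolean is currently off.
post_action() {
    if [ "0$1" -ge 1 ] && [ "$2" = off ]; then echo enable; else echo noop; fi
}

# %postun: $1 is 0 only on final removal; disable only if the boolean
# was off before we first enabled it, so an admin's own setting survives.
postun_action() {
    if [ "0$1" -eq 0 ] && [ "$2" = off ]; then echo disable; else echo noop; fi
}

# Glue called from the scriptlets with "$1" (needs a real SELinux host).
post_scriptlet() {
    [ -x /usr/sbin/setsebool ] || return 0
    current=$(parse_getsebool "$(/usr/sbin/getsebool "$BOOL" 2>/dev/null)")
    if [ "0$1" -eq 1 ] && [ ! -f "$STATE_FILE" ]; then   # remember pre-install value once
        mkdir -p "$(dirname "$STATE_FILE")" && echo "$current" > "$STATE_FILE"
    fi
    if [ "$(post_action "$1" "$current")" = enable ]; then
        /usr/sbin/setsebool -P "$BOOL=1" >/dev/null || :
    fi
}

postun_scriptlet() {
    [ -x /usr/sbin/setsebool ] || return 0
    recorded=$(cat "$STATE_FILE" 2>/dev/null || echo unknown)
    if [ "$(postun_action "$1" "$recorded")" = disable ]; then
        /usr/sbin/setsebool -P "$BOOL=0" >/dev/null || :
    fi
    if [ "0$1" -eq 0 ]; then rm -f "$STATE_FILE"; fi
}
```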