-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/21/2014 01:37 PM, Petr Spacek wrote:
> On 21.2.2014 13:02, Tomas Hozza wrote:
>> On 02/21/2014 12:54 PM, Tomas Hozza wrote:
>>> On 02/21/2014 12:10 PM, Petr Spacek wrote:
>>>> On 21.2.2014 11:05, Tomas Hozza wrote:
>>>>> On 02/21/2014 10:46 AM, Petr Spacek wrote:
>>>>>> I want to release bind-dyndb-ldap 4.0 to Fedora 20+ but I have found
>>>>>> that we need to enable the SELinux boolean named_write_master_zones,
>>>>>> otherwise the plugin will not be able to write journal files to
>>>>>> /var/named.
>>>>>>
>>>>>> I have asked Miroslav Grepl <[email protected]> for advice and his
>>>>>> recommendation is to use another context for our dyndb-ldap
>>>>>> sub-directory or to enable named_write_master_zones.
>>>>>>
>>>>>> (See https://bugzilla.redhat.com/show_bug.cgi?id=1066333)
>>>>>>
>>>>>> I have decided to use the more generic named_write_master_zones because
>>>>>> it will be needed for DNSSEC key management anyway.
>>>>>>
>>>>>> Miroslav told me that it is allowed to change SELinux booleans in RPM
>>>>>> scriptlets - it is a normal operation - but that we have to disable the
>>>>>> boolean during package un-installation.
>>>>>>
>>>>>> Please review the %post and %postun sections in the SPEC file.
>>>>>>
>>>>>> Thank you!
>>>>>>
>>>>>> -- Petr^2 Spacek
>
>
>>>>>> +%post
>>>>>> +if [ "0$1" -eq "1" ] && [ -x "/usr/sbin/setsebool" ] ; then
>>
>> I just noticed that you are setting the SELinux option ONLY when
>> installing the package. I think you want to set it also if updating
>> the package from an older version...
>>
>> So you should use "-ge" instead of "-eq".
>
> Good catch! The fixed patch is attached.
>
> According to
> https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Syntax
> the condition is redundant, so I replaced it with a comment about the
> intended effect.
>
>>>>>> + echo "Enabling SELinux boolean named_write_master_zones"
>>>>>> + /usr/sbin/setsebool -P named_write_master_zones=1 || true
>>>>>
>>>>> I think you should redirect all output from the setsebool to /dev/null
>>>>> so it does not produce any output during the "yum install". The same
>>>>> for the "echo". I'm not sure if it should be there, but I didn't find
>>>>> any rule in the packaging guidelines that prohibits you from doing so.
>>>
>>>> I don't understand what the point is. I guess that it is an anachronism
>>>> from old times when RPM had problems with that.
>>>
>>>> If you don't insist (or find any rule about this) I will leave the output
>>>> as is.
>>>
>>>> IMHO it is much much better to show the user what went wrong instead of
>>>> telling them just "post scriptlet failed".
>>>
>>> I don't insist on this. However, from my point of view at least the
>>> STDOUT should be discarded. You may leave the STDERR as is.
>
> setsebool prints nothing anyway (unless there is a problem). I think
> that SELinux policy is sensitive enough that any error/warning should be
> visible to the user.
>
>>> Keep in mind that a user using a graphical installation tool will not
>>> see those outputs anyway.
>
> I would call it a bug in the GUI tool. As far as I remember, the
> Synaptic utility (on Debian) has had a button like "Show me log". It
> seems perfectly reasonable to me. However, I have never seen any
> graphical package manager for Fedora :-)
>
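Review bot: the guard `[ "0$1" -eq "1" ]` in the quoted `%post` runs `setsebool` only on a first install; on an upgrade RPM passes `$1 = 2`, so anyone upgrading from an earlier bind-dyndb-ldap never gets `named_write_master_zones` enabled and the journal writes to /var/named keep failing. Use `-ge 1` or, as the follow-up notes the Fedora scriptlet guidelines allow, drop the condition entirely. The `%postun` counterpart mentioned above is not quoted here, but it must reset the boolean only when `$1 -eq 0` (erase): on an upgrade the old package's `%postun` runs after the new package's `%post` with `$1 = 1`, and an unconditional `setsebool -P named_write_master_zones=0` there would clear the boolean that was just set. The `|| true` on the `setsebool` line is right for the stated goal: the error still reaches stderr, but a failure (for example on a host with SELinux disabled) does not abort the transaction with an opaque "post scriptlet failed".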
Changes to the SPEC look good now. ACK from my side.

Regards,

Tomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTB0nPAAoJEMWIetUdnzwtONwIAJpc7mB1ptP7k6Ma6B8vv/55
IW9+YI4o9VydxhsW/2BHNsunX52/VT/bG1XKGhDtk5obK0QUudFj6nVFcwvm3wfM
oImt0+4W/ALPJho28wil4IdRopJL72k0nssbCc6CudtafvCU/bAPYRrY6GtT8Aol
yQh3dn2jsmqM7Vd0TUvU+zSm6Uo2ir3Lv7evubo9bGKUzWODy95XTjFy9QOBi26x
0UpKRrO4147bO19LLTM5gPyUUmZvTRxQAGcwhnpZwPY8+zr86lT4mmmmBoeKwAOC
Bl96gAuwzhmQPxJXZZvYtUYeuDiaVhnQW3qC0QbYFQB1rAt7a3SKpyj/hEHec/c=
=9hLp
-----END PGP SIGNATURE-----
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
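The thread turns on how the RPM scriptlet argument `$1` behaves across install, upgrade and erase, and on toggling an SELinux boolean persistently without failing the transaction. The script below is an added example, not the bind-dyndb-ldap SPEC or any code posted in the thread: it models the decision a `%post`/`%postun` pair must make for the boolean `named_write_master_zones` (the name from the thread), shows the `-eq 1` versus `-ge 1` difference Tomas caught, and adds the `%postun` side, which must only reset the boolean on erase. The function names (`scriptlet_action`, `setsebool_cmd`, `run_scriptlet`, `spec_snippet`) are this example's own. It runs offline; the real `setsebool` is only invoked if it exists on the host.

```shell
#!/bin/sh
# Added example (not the bind-dyndb-ldap SPEC): the logic behind a %post /
# %postun pair that toggles an SELinux boolean, driven by the RPM scriptlet
# argument $1. RPM passes in $1 the number of instances of the package that
# will remain installed once the transaction completes:
#   %post   : 1 = first install, 2 = upgrade (new package's %post)
#   %postun : 0 = erase,         1 = upgrade (old package's %postun, which
#             runs AFTER the new package's %post)

BOOLEAN="named_write_master_zones"

# scriptlet_action SCRIPTLET COUNT -> prints "enable", "disable" or "none".
# Guarding %post with `-eq 1` (the originally posted patch) skips upgrades;
# `-ge 1` (or no guard at all) covers install and upgrade. Guarding %postun
# with `-eq 0` is what stops an upgrade from clearing the boolean that the new
# package's %post has just set.
scriptlet_action() {
    scriptlet=$1
    count=${2:-0}
    case "$scriptlet" in
        post)
            if [ "$count" -ge 1 ]; then echo enable; else echo none; fi ;;
        postun)
            if [ "$count" -eq 0 ]; then echo disable; else echo none; fi ;;
        *)
            echo none ;;
    esac
}

# setsebool_cmd ACTION -> the command line the scriptlet would run, or nothing.
# -P persists the boolean across reboots; "|| :" keeps a setsebool failure
# (e.g. SELinux disabled on the host) from failing the whole scriptlet, which
# would otherwise abort the install with an opaque "post scriptlet failed"
# while the real error still reaches stderr.
setsebool_cmd() {
    case "$1" in
        enable)  echo "/usr/sbin/setsebool -P $BOOLEAN=1 || :" ;;
        disable) echo "/usr/sbin/setsebool -P $BOOLEAN=0 || :" ;;
        *)       echo "" ;;
    esac
}

# run_scriptlet SCRIPTLET COUNT: what the real %post/%postun would do, but only
# if setsebool exists here (it does not on most non-SELinux hosts).
run_scriptlet() {
    action=$(scriptlet_action "$1" "$2")
    cmd=$(setsebool_cmd "$action")
    [ -n "$cmd" ] && [ -x /usr/sbin/setsebool ] && eval "$cmd"
    return 0
}

# spec_snippet: the %post/%postun pair the logic above corresponds to
# (a hypothetical rendering, not the project's actual SPEC text).
spec_snippet() {
    cat <<EOF
%post
# \$1 >= 1 on both install and upgrade: make sure the boolean is on
if [ -x /usr/sbin/setsebool ]; then
    /usr/sbin/setsebool -P $BOOLEAN=1 || :
fi

%postun
# \$1 == 0 only on erase; on upgrade (\$1 == 1) the new package's %post already ran
if [ "\$1" -eq 0 ] && [ -x /usr/sbin/setsebool ]; then
    /usr/sbin/setsebool -P $BOOLEAN=0 || :
fi
EOF
}

# Dry run: show the decision for every transaction type RPM can produce.
for s in "post 1" "post 2" "postun 1" "postun 0"; do
    set -- $s
    printf '%%%s $1=%s -> %s\n' "$1" "$2" "$(scriptlet_action "$1" "$2")"
done
```

One caveat the scriptlet cannot resolve on its own: `setsebool -P named_write_master_zones=0` on erase also clears the boolean if the administrator had enabled it independently (for a plain BIND setup, say), because a scriptlet has no record of who turned it on. That is the trade-off against the per-directory file context Miroslav Grepl suggested, which would not touch a global boolean at all.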
