On Tue, 25 Aug 2015, Martin Kosek wrote:
On 08/25/2015 04:37 PM, Jan Cholasta wrote:
On 25.8.2015 14:50, Alexander Bokovoy wrote:
On Tue, 25 Aug 2015, Jan Cholasta wrote:
On 25.8.2015 14:23, Alexander Bokovoy wrote:
On Tue, 25 Aug 2015, Jan Cholasta wrote:
Hi,

the attached patch fixes
<https://fedorahosted.org/freeipa/ticket/5256>.

Honza

--
Jan Cholasta

From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units >= 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
+Requires(pre): selinux-policy >= %{selinux_policy_version}
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.54.2-1
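Review bot: The added `Requires(pre): selinux-policy >= %{selinux_policy_version}` sits directly above a plain `Requires:` with the same version bound, and nothing in the spec says why both tags are needed. Add a one-line comment above the new tag naming the scriptlet that depends on the policy being present, and confirm the `(pre)` qualifier matches that scriptlet: the commit message names ipa-server-upgrade as the failing step, while `(pre)` ties the ordering to the %pre scriptlet. The neighbouring `Requires(post): selinux-policy-base` carries no version, so if the qualifier is changed, keep the `>= %{selinux_policy_version}` bound on the new line.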
If we have it in Requires(pre), we don't need it in Requires, as
Requires(pre) is a superset of guarantees that Requires gives you.

Martin (CCed) told me Requires(pre) does not imply Requires.
See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):
----------------
Since the only way out of a dependency loop is to snip the loop
somewhere, rpm uses hints from Requires: dependencies to distinguish
co-requisite (these are not needed to install, only to use, a package)
from pre-requisite (these are guaranteed to be installed before the
package that includes the dependency) relations.
----------------


Requires(pre) ensures that selinux-policy of specific version is
installed before pre scripts of freeipa-server would run, be it in the
same transaction or in a previous one.


Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre)
be changed to Requires(posttrans)?
I don't think there is a posttrans target. Perhaps, we can just make sure
Requires(post) is enough.

OK, let's try that. Updated patch attached.


Will this really make a difference? I thought the problem is caused by
selinux-policy being installed after freeipa-server package upgrade. We already
have Requires on selinux-policy, so I am not sure what is actually changed by
this patch.
The change is that with Requires(pre) or Requires(post) we are
guaranteed that selinux-policy is installed and available before our pre
or post scriptlets are run. With Requires only we are not guaranteed to
be installed after selinux-policy, only that it would be available as
part of the same transaction we are installed in.

We don't really need to have Requires(pre) because we don't rely on
selinux-policy being available in pre scriptlet. Forcing Requires(pre)
doesn't help anyone else (rpm/yum/dnf need to solve dependency loops and
we are only complicating with Requires(pre) if we don't actually need
it). Thus, choosing Requires(post) is more correct from a distribution
point of view.
--
/ Alexander Bokovoy
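
The difference discussed in this thread, between a plain Requires and a scriptlet-qualified one, can be checked mechanically. The following is an added example, not part of the original messages or of FreeIPA: a small Python parser for Requires tags that reports which scriptlets a dependency is qualified for. The function names and the spec fragments are constructed for illustration (the fragments reuse the context lines of the patch, and the Requires(post) variant is assumed from the discussion); rich dependencies and macros containing spaces are not handled.

```python
import re

# Matches "Requires:" and scriptlet-qualified forms such as "Requires(pre,post):".
TAG = re.compile(r"^Requires(?:\(([^)]*)\))?:\s*(.+)$")
OPS = {"<", "<=", "=", ">=", ">"}


def parse_requires(spec_text):
    """Map each required package to the set of qualifiers it appears under.
    A plain "Requires:" is recorded as the empty-string qualifier."""
    deps = {}
    for line in spec_text.splitlines():
        m = TAG.match(line.strip())
        if not m:
            continue
        quals = [q.strip() for q in (m.group(1) or "").split(",")]
        tokens = m.group(2).replace(",", " ").split()
        i = 0
        while i < len(tokens):
            name = tokens[i]
            # Skip the "<op> <version>" pair when one follows the name.
            i += 3 if i + 1 < len(tokens) and tokens[i + 1] in OPS else 1
            deps.setdefault(name, set()).update(quals)
    return deps


def ordered_before(spec_text, package):
    """Scriptlets for which `package` has a qualified Requires, i.e. the ones
    it is guaranteed to be installed before, as described in the thread."""
    return parse_requires(spec_text).get(package, set()) - {""}


# Constructed sample: context lines of the hunk, without the added line.
BEFORE = """\
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base
"""
# First patch, and the Requires(post) variant assumed from the discussion.
WITH_PRE = BEFORE + "Requires(pre): selinux-policy >= %{selinux_policy_version}\n"
WITH_POST = BEFORE + "Requires(post): selinux-policy >= %{selinux_policy_version}\n"

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("pre", WITH_PRE), ("post", WITH_POST)):
        print(label, sorted(ordered_before(spec, "selinux-policy")))
```

An empty result for a package that a scriptlet relies on means only its presence in the transaction is guaranteed, not its installation order.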
