[Freeipa-devel] [PATCH] 1019 require policycoreutils if SELinux is enabled
Martin Kosek
mkosek at redhat.com
Wed May 30 10:07:14 UTC 2012
On Tue, 2012-05-29 at 16:50 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2012-05-18 at 11:53 -0400, Rob Crittenden wrote:
> >> We don't have an explicit requires on the policycoreutils package in the
> >> client because SELinux is not required (just recommended).
> >>
> >> SELinux can be enabled without this package so check for that condition
> >> and don't allow installation if it is the case. The resulting install
> >> will be rather broken.
> >>
> >> Also check on the server when installing. This should never happen but
> >> in theory it could do the server install then fail in the client because
> >> of this.
> >>
> >> rob
> >
> > This works fine. I am just thinking if we should not rather use paths
> > in /usr/ for the check if a binary exists, i.e. check
> > for /usr/sbin/restorecon instead of /sbin/restorecon on Fedora.
> >
> > If we don't do this we need to be sure that the /sbin -> /usr/sbin
> > symlink created during UsrMove will stay on the system.
> >
> > Martin
> >
>
> Ok, that makes sense. Updated patch.
>
> rob
I think I was not entirely clear - the path /usr/sbin/restorecon shall
be used for redhat platform only. UsrMove was done only in Fedora, IIRC,
in RHEL 6.x /usr/sbin/restorecon is not a valid path to restorecon (I
don't have my RHEL 6.x VM ready ATM) and the check would always fail on
RHEL 6.x systems. Bottomline is that we may want to use a different path
to the binary on redhat and fedora16 platform.
I also think it would be useful to put the path to the binary to global
constant, so that it is not repeated so many items over the platform
files, i.e. something like that:
ipapython/platform/redhat.py:
RESTORECON_PATH='/sbin/restorecon'
...
ipapython/platform/fedora16.py:
RESTORECON_PATH='/usr/sbin/restorecon'
...
Martin
More information about the Freeipa-devel
mailing list