[Freeipa-devel] [PATCH 0223] Update Fedora SPEC file for v4.0 (RPM expert needed)

Tomas Hozza thozza at redhat.com
Fri Feb 21 12:42:55 UTC 2014



On 02/21/2014 01:37 PM, Petr Spacek wrote:
> On 21.2.2014 13:02, Tomas Hozza wrote:
>> On 02/21/2014 12:54 PM, Tomas Hozza wrote:
>>> On 02/21/2014 12:10 PM, Petr Spacek wrote:
>>>> On 21.2.2014 11:05, Tomas Hozza wrote:
>>>>> On 02/21/2014 10:46 AM, Petr Spacek wrote:
>>>>>> I want to release bind-dyndb-ldap 4.0 to Fedora 20+ but I have found
>>>>>> that we need to enable the SELinux boolean named_write_master_zones,
>>>>>> otherwise the plugin will not be able to write journal files to
>>>>>> /var/named.
>>>>>>
>>>>>> I have asked Miroslav Grepl <mgrepl at redhat.com> for advice and his
>>>>>> recommendation is to use another context for our dyndb-ldap
>>>>>> sub-directory or to enable named_write_master_zones.
>>>>>>
>>>>>> (See https://bugzilla.redhat.com/show_bug.cgi?id=1066333)
>>>>>>
>>>>>> I have decided to use the more generic named_write_master_zones because
>>>>>> it will be needed for DNSSEC key management anyway.
>>>>>>
>>>>>> Miroslav told me that it is allowed to change SELinux booleans in RPM
>>>>>> scriptlets - it is a normal operation - but that we have to disable the
>>>>>> boolean during package un-installation.
>>>>>>
>>>>>> Please review the %post and %postun sections in the SPEC file.
>>>>>>
>>>>>> Thank you!
>>>>>>
>>>>>> -- Petr^2 Spacek
> 
> 
>>>>>> +%post
>>>>>> +if [ "0$1" -eq "1" ] && [ -x "/usr/sbin/setsebool" ] ; then
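Review bot: `[ "0$1" -eq "1" ]` makes the boolean enabling run only on a fresh install; on an upgrade from a version that never set named_write_master_zones, $1 is 2 and the whole block is skipped, so `-ge 1` is needed (or the test can be dropped, since $1 is always at least 1 in %post). The `-x "/usr/sbin/setsebool"` guard also means the boolean silently stays off when the package providing setsebool is not installed; a Requires(post) on that package would make the dependency explicit instead of relying on the silent skip.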
>>
>> I just noticed that you are setting the SELinux option ONLY when
>> installing the package. I think you want to set it also when updating
>> the package from an older version...
>>
>> So you should use "-ge" instead of "-eq".
> 
> Good catch! Fixes patch is attached.
> 
> According to
> https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Syntax
> the condition is redundant so I replaced it with a comment about
> intended effect.
> 
>>>>>> + echo "Enabling SELinux boolean named_write_master_zones"
>>>>>> + /usr/sbin/setsebool -P named_write_master_zones=1 || true
>>>>>
>>>>> I think you should redirect all output from setsebool to /dev/null
>>>>> so it does not produce any output during "yum install". The same
>>>>> goes for the "echo"; I'm not sure if it should be there, but I didn't
>>>>> find any rule in the packaging guidelines that prohibits you from
>>>>> doing so.
>>>
>>>> I don't understand what the point is. I guess that it is an anachronism
>>>> from old times when RPM had problems with that.
>>>
>>>> If you don't insist (or find any rule about this) I will leave the output
>>>> as is.
>>>
>>>> IMHO it is much, much better to show the user what went wrong instead of
>>>> telling them just "post scriptlet failed".
>>>
>>> I don't insist on this. However, from my point of view at least
>>> STDOUT should be discarded. You may leave STDERR as is.
> 
> setsebool prints nothing anyway (unless there is a problem). I think
> that SELinux policy is sensitive enough that any error/warning should be
> visible to the user.
> 
>>> Keep in mind that a user using a graphical installation tool will not
>>> see those outputs anyway.
> 
> I would call it a bug in the GUI tool. As far as I remember, the
> Synaptic utility (on Debian) had a button like "Show me log". It
> seems perfectly reasonable to me. However, I have never seen any
> graphical package manager for Fedora :-)
> 


Changes to the SPEC look good now.

ACK from my side.

Regards,

Tomas
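The %post/%postun logic reviewed in this thread, as an added shell example that is not the bind-dyndb-ldap SPEC itself: setsebool is replaced by a recording stub so the script runs on a machine without SELinux, and the %postun side, which the thread mentions but does not quote, is modelled too (disable only on full erase, never on upgrade). The function names and the stub are my own.

```shell
#!/bin/sh
# Added example (not the bind-dyndb-ldap SPEC): models the %post/%postun
# scriptlets from the thread. RPM passes the number of package instances
# that remain after the transaction as $1:
#   %post   : 1 = fresh install, 2 = upgrade
#   %postun : 0 = full erase,    1 = upgrade (old version being removed)
# The "0$1" prefix keeps the numeric test valid when $1 is empty (manual run).

BOOLEAN="named_write_master_zones"

# Stub standing in for /usr/sbin/setsebool -P so this runs without SELinux;
# it records the requested name=value instead of changing policy.
# A real scriptlet would set SETSEBOOL=/usr/sbin/setsebool.
setsebool_stub() {
    LAST_SETSEBOOL="$2"   # $1 is "-P", $2 is "name=value"
}
SETSEBOOL="setsebool_stub"

# %post: enable on install AND upgrade. "-ge 1" instead of "-eq 1" is the
# fix from the thread; in %post it is always true, hence redundant.
post_scriptlet() {
    LAST_SETSEBOOL=""
    if [ "0$1" -ge 1 ]; then
        "$SETSEBOOL" -P "$BOOLEAN=1" || true   # never fail the transaction
    fi
    printf '%s\n' "$LAST_SETSEBOOL"
}

# %postun: disable only on the final erase ($1 = 0). On an upgrade the old
# package's %postun runs after the new package's %post with $1 = 1;
# disabling there would silently revert the boolean just enabled.
postun_scriptlet() {
    LAST_SETSEBOOL=""
    if [ "0$1" -eq 0 ]; then
        "$SETSEBOOL" -P "$BOOLEAN=0" || true
    fi
    printf '%s\n' "$LAST_SETSEBOOL"
}

# Walk through install -> upgrade -> erase and show what each step requests.
simulate_lifecycle() {
    printf 'install : post=%s\n' "$(post_scriptlet 1)"
    printf 'upgrade : post=%s postun=%s\n' "$(post_scriptlet 2)" "$(postun_scriptlet 1)"
    printf 'erase   : postun=%s\n' "$(postun_scriptlet 0)"
}

simulate_lifecycle
```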