[Spice-devel] [PATCH] spec: call semanage in posttrans not in post
Frediano Ziglio
fziglio at redhat.com
Tue Feb 5 18:24:38 UTC 2019
> On Tue, Feb 05, 2019 at 09:30:39AM -0500, Frediano Ziglio wrote:
> > >
> > > It can happen that selinux-policy (targeted) is installed only after
> > > spice-streaming-agent (upon system installation). In that case
> > > running semanage in post scriptlet will fail.
> > >
> > > In posttrans all packages are already installed, so it should be
> > > safe to call semanage at that point.
> > >
> > > rhbz#1647789
> > >
> > > Signed-off-by: Uri Lublin <uril at redhat.com>
> > > ---
> > >
> > > In a first patch I wrote I also added a condition that
> > > checks if selinuxenabled. If people feel it's better
> > > I'll send a V2 with it.
> > >
> >
> > I see no reason why adding to selinux-policy should be a stopover
> > for this fix in the meanwhile.
> >
> > Acked-by: Frediano Ziglio <fziglio at redhat.com>
>
> Ensuring that a bug is fixed in the right place, and explaining this in
> the commit log should be a stopper though.
>
> Christophe
>
It's not clear what you are suggesting.
Adding a sentence in the commit message?
> >
> > Frediano
> >
> > > ---
> > > spice-streaming-agent.spec.in | 6 ++++--
> > > 1 file changed, 4 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/spice-streaming-agent.spec.in
> > > b/spice-streaming-agent.spec.in
> > > index 5a06e89..6b5ac22 100644
> > > --- a/spice-streaming-agent.spec.in
> > > +++ b/spice-streaming-agent.spec.in
> > > @@ -13,7 +13,7 @@ BuildRequires: catch-devel
> > > BuildRequires: pkgconfig(udev)
> > > # we need /usr/sbin/semanage program which is available on different
> > > # packages depending on distribution
> > > -Requires(post): /usr/sbin/semanage
> > > +Requires(posttrans): /usr/sbin/semanage
> > > Requires(postun): /usr/sbin/semanage
> > >
> > > %description
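
Review bot: The changed Requires(posttrans) line covers only /usr/sbin/semanage, but the scriptlet it supports also calls restorecon, which has no declared dependency in the lines shown. Consider adding a matching Requires(posttrans) for restorecon. The comment above these lines could also say why the dependency is on posttrans (selinux-policy may be installed later in the same transaction), since the rhbz reference appears only next to the scriptlet.
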
> > > @@ -45,7 +45,9 @@ if test -d "%{buildroot}/%{_libdir}/%{name}/plugins";
> > > then
> > > find %{buildroot}/%{_libdir}/%{name}/plugins -name '*.la' -delete
> > > fi
> > >
> > > -%post
> > > +# See rhbz#1647789 - call semanage in posttrans, not in post
> > > +# and https://fedoraproject.org/wiki/Packaging:Scriptlets
> > > +%posttrans
> > > semanage fcontext -a -t xserver_exec_t %{_bindir}/spice-streaming-agent
> > > 2>/dev/null || :
> > > restorecon %{_bindir}/spice-streaming-agent || :
> > >
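
Review bot: In the %posttrans scriptlet, the semanage call still ends in "2>/dev/null || :", so any failure is discarded and the binary is left without the xserver_exec_t context, with nothing in the transaction output to show it. Moving the call to posttrans addresses the ordering case from the commit message, but a system where semanage cannot succeed at posttrans either would fail just as silently. The selinuxenabled guard mentioned in the notes under the commit message would make that skip deliberate, and with it in place the stderr redirect could be dropped so real errors are visible. The new comment could also state the reason (selinux-policy may be installed after this package in the same transaction) instead of only pointing to the bug number.
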