[Spice-devel] [PATCH] spec: call semanage in posttrans not in post

Daniel P. Berrangé berrange at redhat.com
Thu Jan 31 15:16:37 UTC 2019


On Thu, Jan 31, 2019 at 10:05:58AM -0500, Frediano Ziglio wrote:
> > On Wed, Jan 30, 2019 at 04:05:27AM -0500, Frediano Ziglio wrote:
> > > > On Tue, Jan 29, 2019 at 06:40:32PM +0200, Uri Lublin wrote:
> > > > > It can happen that selinux-policy (targeted) is installed only after
> > > > > spice-streaming-agent (upon system installation). In that case
> > > > > running semanage in post scriptlet will fail.
> > > > > 
> > > > > In posttrans all packages are already installed, so it should be
> > > > > safe to call semanage at that point.
> > > > > 
> > > > > rhbz#1647789
> > > > > 
> > > > > Signed-off-by: Uri Lublin <uril at redhat.com>
> > > > > ---
> > > > > 
> > > > > In a first patch I wrote I also added a condition that
> > > > > checks if selinuxenabled. If people feel it's better
> > > > > I'll send a V2 with it.
> > > > > 
> > > > > ---
> > > > >  spice-streaming-agent.spec.in | 6 ++++--
> > > > >  1 file changed, 4 insertions(+), 2 deletions(-)
> > > > > 
> > > > > diff --git a/spice-streaming-agent.spec.in
> > > > > b/spice-streaming-agent.spec.in
> > > > > index 5a06e89..6b5ac22 100644
> > > > > --- a/spice-streaming-agent.spec.in
> > > > > +++ b/spice-streaming-agent.spec.in
> > > > > @@ -13,7 +13,7 @@ BuildRequires:  catch-devel
> > > > >  BuildRequires:  pkgconfig(udev)
> > > > >  # we need /usr/sbin/semanage program which is available on different
> > > > >  # packages depending on distribution
> > > > > -Requires(post): /usr/sbin/semanage
> > > > > +Requires(posttrans): /usr/sbin/semanage
> > > > >  Requires(postun): /usr/sbin/semanage
> > > > >  
> > > > >  %description
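Review bot: Requires(posttrans) only guarantees that /usr/sbin/semanage itself is present when %posttrans runs; the failure described in the commit message is that selinux-policy (targeted), which defines the xserver_exec_t type the scriptlet references, may not be installed yet, and this hunk adds no dependency on that package, so the fix relies purely on %posttrans running after the whole transaction. The comment above the line ("we need /usr/sbin/semanage program ...") should say that the qualifier was moved to posttrans for that reason, otherwise the next reader will not know why post and postun differ.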
> > > > > @@ -45,7 +45,9 @@ if test -d "%{buildroot}/%{_libdir}/%{name}/plugins";
> > > > > then
> > > > >      find %{buildroot}/%{_libdir}/%{name}/plugins -name '*.la' -delete
> > > > >  fi
> > > > >  
> > > > > -%post
> > > > > +# See rhbz#1647789 - call semanage in posttrans, not in post
> > > > > +# and https://fedoraproject.org/wiki/Packaging:Scriptlets
> > > > > +%posttrans
> > > > >  semanage fcontext -a -t xserver_exec_t
> > > > >  %{_bindir}/spice-streaming-agent
> > > > >  2>/dev/null || :
> > > > >  restorecon %{_bindir}/spice-streaming-agent || :
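Review bot: `2>/dev/null || :` on the semanage line silences exactly the failure that rhbz#1647789 is about, so if %posttrans ordering is ever not enough, or the scriptlet runs on a host without SELinux as the cover letter's selinuxenabled idea anticipates, the binary is left with the wrong label and nothing in the install log says so. Suggest dropping `2>/dev/null` and keeping only `|| :` so the scriptlet stays non-fatal but the error is visible. Note also that %posttrans runs on upgrades as well, so `semanage fcontext -a` is re-run against an already registered context and its result is masked the same way. Finally, the semanage invocation is shown across three lines here; if that is how the spec file reads rather than mail wrapping, `%{_bindir}/spice-streaming-agent` and `2>/dev/null || :` would execute as separate commands.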
> > > > 
> > > > I'm curious why these commands are present at all? The normal way to
> > > > deal with this would be to file a bug against the SELinux policy to
> > > > explicitly add the spice-streaming-agent binary to the default policy,
> > > > so that RPM will set the correct context at install time.
> > > 
> > > I think the main reasons are historic. We were not sure about the context
> > > and file name, so we ended up manually setting it in the spec.
> > > What are the advantages of setting it in the global policies?
> > > I see the disadvantage of adding the policies on all systems, even those
> > > that won't have these files, and the burden of opening all the tickets.
> > 
> > Adding to the SELinux policy ensures that security policy additions get
> > reviewed by the SELinux maintainers. It also ensures that the policy has
> > the right rules regardless of how the user installs the binary. Not every
> > distro that uses SELinux uses RPMs, or the RPM spec bundled here. It
> > would also have avoided the bug you hit here with the race condition.
> > 
> 
> How is it possible to open such a bug?
> Which project?

Normally it would be a bug against the 'selinux-policy' component, either in
a Fedora or a RHEL product, or even both.

> Do you have an example?

https://bugzilla.redhat.com/show_bug.cgi?id=488232
https://bugzilla.redhat.com/show_bug.cgi?id=1311606

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
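As an added illustration (not code from this thread or from the spice-streaming-agent project): a small Python lint that reads a spec, finds every scriptlet that runs semanage, and reports the two problems the patch above deals with, a missing matching Requires(<scriptlet>) qualifier and a semanage call placed in %post, where selinux-policy may not be installed yet. The spec excerpt is constructed from the hunks; the %postun body is assumed, not quoted from the patch.

```python
import re
SCRIPTLETS = ("%pre", "%post", "%preun", "%postun", "%pretrans", "%posttrans")
INLINE_MACROS = ("if", "ifarch", "ifos", "else", "endif", "define", "global")  # do not end a body

def scriptlet_sections(spec_text):
    """Map each scriptlet header (e.g. '%post') to the stripped lines of its body."""
    sections, current = {}, None
    for line in spec_text.splitlines():
        m = re.match(r"^%([a-z]+)(?:\s|$)", line)
        if m and m.group(1) not in INLINE_MACROS:
            header = "%" + m.group(1)
            current = header if header in SCRIPTLETS else None  # %files, %description etc. end a scriptlet
            if current:
                sections.setdefault(current, [])
            continue
        if current:
            sections[current].append(line.strip())
    return sections
def scriptlet_requires(spec_text):
    """Collect 'Requires(post): cap ...' qualifiers into {'%post': {cap, ...}}."""
    reqs = {}
    for m in re.finditer(r"^Requires\((\w+)\):\s*(.+)$", spec_text, re.M):
        reqs.setdefault("%" + m.group(1), set()).update(m.group(2).split())
    return reqs
def audit_semanage(spec_text):
    """One finding per scriptlet running semanage without a matching Requires(), or from %post."""
    findings, reqs = [], scriptlet_requires(spec_text)
    for name, body in scriptlet_sections(spec_text).items():
        if not any(re.search(r"\bsemanage\b", l) for l in body):
            continue
        if "/usr/sbin/semanage" not in reqs.get(name, set()):
            findings.append(f"{name} calls semanage without Requires({name[1:]}): /usr/sbin/semanage")
        if name == "%post":  # the race in rhbz#1647789: selinux-policy may be installed later in the transaction
            findings.append("%post calls semanage: the SELinux policy may not be installed yet; use %posttrans")
    return findings

# Constructed excerpt modelled on the thread's spec; the %postun body is assumed, not quoted from the patch.
SPEC_BEFORE = """\
Requires(post): /usr/sbin/semanage
Requires(postun): /usr/sbin/semanage
%description
Streaming agent.
%post
semanage fcontext -a -t xserver_exec_t %{_bindir}/spice-streaming-agent 2>/dev/null || :
restorecon %{_bindir}/spice-streaming-agent || :
%postun
[ $1 -eq 0 ] && semanage fcontext -d %{_bindir}/spice-streaming-agent 2>/dev/null || :
"""
# The fix from the patch: the scriptlet and its Requires() qualifier both move to posttrans.
SPEC_AFTER = SPEC_BEFORE.replace("Requires(post):", "Requires(posttrans):").replace("\n%post\n", "\n%posttrans\n")
```

Running `audit_semanage` on the two excerpts shows one finding for the original spec and none after the patch; moving only the scriptlet and forgetting the qualifier is reported as a separate finding.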
