[opensuse-packaging] SELinux for dummies?
Packaging Allegro I found a SELinux related scriplet in the Fedora spec file (http://cvs.fedoraproject.org/viewvc/rpms/allegro/devel/allegro.spec?revision=1.54&view=markup). They use: %ifarch %{ix86} %post /sbin/ldconfig # Set SELinux file_context for vga plugin in the policy semanage fcontext -a -t textrel_shlib_t \ '%{_libdir}/allegro/4\.2\.2/alleg-vga\.so' 2>/dev/null || : # Actually change the context chcon -t textrel_shlib_t %{_libdir}/allegro/%{version}/alleg-vga.so \ 2> /dev/null || : %else %post -p /sbin/ldconfig %endif %ifarch %{ix86} %postun /sbin/ldconfig # SELinux support if [ $1 -eq 0 ]; then # final removal semanage fcontext -d -t textrel_shlib_t \ '%{_libdir}/allegro/4\.2\.2/alleg-vga\.so' 2>/dev/null || : fi %else %postun -p /sbin/ldconfig %endif And since I read that since 11.1 we support SELinux... and little more, one ask himself what should be done in openSUSE. Are packages needed to be modified for SELinux? Also, since the branching in RPM has been always been something of a mistery to me. How should I modify such a scriptlet to note that SELinux is only avalable since openSUSE 11.1? - %ifarch %{ix86} && %if ! 0%{?suse_version} < 1110 ? - %ifarch %{ix86} && ! 0%{?suse_version} < 1110 ? - ... ? Thanks. -- To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-packaging+help@opensuse.org
Cristian Morales Vega escribió:
%ifarch %{ix86} %postun /sbin/ldconfig # SELinux support if [ $1 -eq 0 ]; then # final removal semanage fcontext -d -t textrel_shlib_t \ '%{_libdir}/allegro/4\.2\.2/alleg-vga\.so' 2>/dev/null || : fi %else %postun -p /sbin/ldconfig %endif
And since I read that since 11.1 we support SELinux... and little more, one ask himself what should be done in openSUSE. Are packages needed to be modified for SELinux?
heh, this is just one of the subtle issues to take care, to find what other packages in your system may need exactly the same scriptlet, do a #scanelf -lpqt in a 32 bit system.
Also, since the branching in RPM has been always been something of a mistery to me. How should I modify such a scriptlet to note that SELinux is only avalable since openSUSE 11.1?
It isnt going to work, distribution does not ship user space tools. Short story, it is always harder than you think, is not just dumping code or features and expecting them to work ;-) -- "If this is the best God can do, I am not impressed" -George Carlin (1937-2008) Cristian Rodríguez R. Software Developer Platform/OpenSUSE - Core Services SUSE LINUX Products GmbH Research & Development http://www.opensuse.org/
* Cristian Morales Vega (cmorve69@yahoo.es) [20090408 12:19]:
And since I read that since 11.1 we support SELinux... and little more, one ask himself what should be done in openSUSE. Are packages needed to be modified for SELinux?
There is only kernel support present plus patches to various packages to work in the presence of selinux. We do not ship any policies nor do are the userspace tools present. So just ignore such scripts as these won't work without a lot of work done by the user.
- %ifarch %{ix86} && %if ! 0%{?suse_version} < 1110 ? - %ifarch %{ix86} && ! 0%{?suse_version} < 1110 ?
I have no idea whether such chaining of conditions does work. I'd simply cascade them, i.e. %ifarch %{ix86} %if 0%{?suse_version} < 1110 Philipp -- To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-packaging+help@opensuse.org
2009/4/8 Philipp Thomas
* Cristian Morales Vega (cmorve69@yahoo.es) [20090408 12:19]:
And since I read that since 11.1 we support SELinux... and little more, one ask himself what should be done in openSUSE. Are packages needed to be modified for SELinux?
There is only kernel support present plus patches to various packages to work in the presence of selinux. We do not ship any policies nor do are the userspace tools present. So just ignore such scripts as these won't work without a lot of work done by the user.
OK.
- %ifarch %{ix86} && %if ! 0%{?suse_version} < 1110 ? - %ifarch %{ix86} && ! 0%{?suse_version} < 1110 ?
I have no idea whether such chaining of conditions does work. I'd simply cascade them, i.e.
%ifarch %{ix86} %if 0%{?suse_version} < 1110
The problem is the "%else". If I change %ifarch %{ix86} A %else B %endif to %ifarch %{ix86} %if ! 0%{?suse_version} < 1110 A %else B %endif %endif in case "%ifarch %{ix86}" is false neither A nor B will not be used. And if i change it to %ifarch %{ix86} %if ! 0%{?suse_version} < 1110 A %endif %else B %endif in case "%ifarch %{ix86}" is true and "%if ! 0%{?suse_version} < 1110" is false also neither A nor B will not be used. So the only way to do such a thing without chaining conditions I see would be duplicating B. %ifarch %{ix86} %if ! 0%{?suse_version} < 1110 A %else B %endif %else B %endif -- To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-packaging+help@opensuse.org
participants (3)
-
Cristian Morales Vega
-
Cristian Rodríguez
-
Philipp Thomas