... well, at leats on the SPECfile side. They are still being ignored in the macros themselves
$ rpm -E %selinux_modules_install
|
| if [ -e /etc/selinux/config ]; then
| . /etc/selinux/config
| fi
| _policytype=
| if [ -z "${_policytype}" ]; then
| _policytype="targeted"
| fi
| if [ "${SELINUXTYPE}" = "${_policytype}" ]; then
| /usr/sbin/semodule -n -s ${_policytype} -X 200 -i || :
| /usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
| fi
$ rpm -E %selinux_modules_uninstall
|
| if [ -e /etc/selinux/config ]; then
| . /etc/selinux/config
| fi
| _policytype=
| if [ -z "${_policytype}" ]; then
| _policytype="targeted"
| fi
| if [ $1 -eq 0 ]; then
| if [ "${SELINUXTYPE}" = "${_policytype}" ]; then
| /usr/sbin/semodule -n -X 200 -s ${_policytype} -r &> /dev/null || :
| /usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
| fi
| fi
Defined here:
https://src.fedoraproject.org/rpms/selinux-policy/blob/rawhide/f/rpm.macros#_48
The reason is described here: https://bugzilla.redhat.com/show_bug.cgi?id=1665643
TL;DR: The return values of any scriptlet in Fedora MUST be zero.
No matter how the errors in the scriptlets are handled.
For now, the "handled" means "ignored" in the case of SELinux scriplet macros.
In the previous commit, the line:
both the line
| Requires(post): policycoreutils
and
is removed, since it is already contained in the macro
| %{?selinux_requires}
on line after them.
$ rpm -E %{?selinux_requires}
|
| Requires: selinux-policy >= 37.22-1.fc37
| BuildRequires: pkgconfig(systemd)
| BuildRequires: selinux-policy
| BuildRequires: selinux-policy-devel
| Requires(post): selinux-policy-base >= 37.22-1.fc37
| Requires(post): libselinux-utils
| Requires(post): policycoreutils
| %if 037 || 0 > 7
| Requires(post): policycoreutils-python-utils
| %else
| Requires(post): policycoreutils-python
| %endif
Defined here:
https://src.fedoraproject.org/rpms/selinux-policy/blob/rawhide/f/rpm.macros#_32
However this can't be applied to the line:
| BuildRequires: selinux-policy-devel
Since the it is a recursive problem - the BuildRequires has to be already evaluated
for a package containing the macro %{?selinux_requires} to be brought in.
So the additional BuildRequires that macro brings has no effect as the evaluation
of this kind of symbols has already finished.
That's why in the examples as:
https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Example_spec_file_changes_to_incorporate_-selinux_subpackage
is the lines
| BuildRequires: selinux-policy-devel
| %{?selinux_requires}
Next to each other.
Even though the first line would seem redundant, it in fact isn´t.
In this commit, I've changed ordering of the lines to group up same symbols together as they logically go one after another.
I believe that having all BuildRequires grouped together is easier to read and understand.
Added context for "*mariadb*" named executables
---
Since MariaDB 10.4, the upstream added "*mariadb*" named symlinks for "*mysql*" named executables.
https://jira.mariadb.org/browse/MDEV-17591
Since MariaDB 10.5, the upstream switched them, so the executables are now "*mariadb*" named and the symlinks are "*mysql*" named.
https://jira.mariadb.org/browse/MDEV-21303
Without these SELinux rules, the new "*mariadb*" files haven't got a correct context.
Troy Dawson
Fedora Release Engineering
Packit
Michal Schorm
Vit Mojzis
Adam Dobes
Lukas Javorsky
Tom Stellard
Kevin Fenzi
Jakub Janco