Commit Graph

17 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
bbd4056045 Call binaries without full path
As part of https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin, programs
are moved from /usr/sbin/alternatives to /usr/bin/alternatives. Provisions
have been made to create a compat symlink on traditional systems, so that both
paths work and packages that use paths under /usr/sbin do not need to be
rebuilt. Unfortunately, on ostree systems, the compat symlinks are missing, so
using absolute paths causes problems
(https://bodhi.fedoraproject.org/updates/FEDORA-2024-3aafcac6a8).

There is no reason for or benefit from specifying the full path to binaries in
scriptlets because the scriptlets are called with a well-defined $PATH. When
we drop the full path, they work fine no matter where exactly the binary is
installed.

An additional problem with full paths is that they are specified using macros,
and the macro works fine within a package, but they is no guarantee that
different builds of different packages at different times use the same
definition of %_sbindir.

I also changed /bin/echo → echo. The shell builtin is good enough, we don't need
to spawn a separate process.

Related: RHEL-54303
2024-11-14 17:14:03 +01:00
Zdenek Pytela
fd660a4dde Correct some errors in the RPM macro changes from -2
The commands should always end || : , because by policy we should
ensure RPM scriptlets always exit 0:
https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
Also, rm is in _bindir, not _sbindir.

This seems to have caused a failed test for an nbdkit update:
https://openqa.fedoraproject.org/tests/2628713#
the live image build failed because of a scriptlet error that
seems to be caused by this:

INFO:anaconda.modules.payloads.payload.dnf.transaction_progress:Configuring (running scriptlet for): nbdkit-selinux-1.39.6-1.fc41.noarch 1715870254 02561380439e4e22473970fa46db331b277dc254650fdcb96130a056cadaf02f
INFO:dnf.rpm:/var/tmp/rpm-tmp.ycmrWv: line 10: /usr/sbin/rm: No such file or directory
warning: %post(nbdkit-selinux-1.39.6-1.fc41.noarch) scriptlet failed, exit status 1
ERROR:dnf.rpm:Error in POSTIN scriptlet in rpm package nbdkit-selinux

Signed-off-by: Adam Williamson <awilliam@redhat.com>
2024-05-18 22:13:10 +00:00
Zdenek Pytela
befd3d6c81 Update rpm configuration for the /var/run equivalency change
Various updating and installing scenarios are now supported:
- using rpm triggers for other packages in selinux-policy
- inside the selinux_modules_install and selinux_modules_uninstall
  rpm macros when selinux subpackages are being built
2024-05-18 22:13:10 +00:00
Lukas Vrabec
72c4289c25
Update rpm.macros file fomr the upstream repo
Remove git from BuildRequires in %selinux_requires
In %selinux_requires macro, as part of BuildRequires is also git
package. It looks like some leftover and this commit removes it.

Upstream repo: https://github.com/fedora-selinux/selinux-policy-macros
2019-11-05 17:50:20 +01:00
Lukas Vrabec
5e3b0e1f2a
Update selinux-policy macros from upstream repo
Upstream repo: https://github.com/fedora-selinux/selinux-policy-macros

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1723940
2019-11-03 15:00:33 +01:00
Lukas Vrabec
0c284fe6fc
Update the macros based on changes from upstream repo
Ref: b2f1034f76

Resolves: #16
2019-11-01 17:25:21 +01:00
Lukas Vrabec
6e1369286b
* Wed Aug 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-29
- Allow dlm_controld_t domain setgid capability
- Fix SELinux modules not installing in chroots.
Resolves: rhbz#1665643
2019-08-07 17:38:17 +02:00
Lukas Vrabec
1d650f7cbb
* Tue Jan 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-18
- Allow plymouthd_t search efivarfs directory BZ(1664143)
- Allow arpwatch send e-mail notifications BZ(1657327)
- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t
- Allow gssd_t domain to read/write kernel keyrings of every domain.
- Allow systemd_timedated_t domain nnp_transition BZ(1666222)
- Add the fs_search_efivarfs_dir interface
- Create tangd_port_t with default label tcp/7406
- Add interface domain_rw_all_domains_keyrings()
- Some of the selinux-policy macros doesn't work in chroots/initial installs. BZ(1665643)
2019-01-15 18:29:10 +01:00
Lukas Vrabec
146094f7a3
* Sat Oct 13 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-7
- Update rpm macros for selinux policy from sources repository: https://github.com/fedora-selinux/selinux-policy-macros
2018-10-13 00:13:10 +02:00
Lukas Vrabec
5c972253e7
Update selinux policy macros to reflect the latest changes in
selinux-policy-macros repo
2018-04-25 21:48:43 +02:00
Lukas Vrabec
4caea74068 Updated rpm.macros 2018-02-05 17:01:34 +01:00
Lukas Vrabec
723bc03d9a Add new rpm macro %{selinux_requires} 2017-11-23 15:48:40 +01:00
Lukas Vrabec
21c53d34a6 Use %{_sbindir} macro instead of full path 2017-09-14 09:02:59 +02:00
Lukas Vrabec
37cf7d764b Backport new selinux-policy rpm macros from github repo:
https://github.com/fedora-selinux/selinux-policy-macros.git

Main point of this change is to allow set SELinux Module priority in
selinux_modules_(u)install() macros.
2017-07-11 17:56:49 +02:00
Lukas Vrabec
29c9d82cda Update rpm macros 2017-03-14 10:48:34 +01:00
Lukas Vrabec
6fa7bc6ada Add handling booleans via selinux-policy macros in custom policy spec files. 2017-03-13 16:27:05 +01:00
Petr Lautrbach
c49229e77f Provide rpm macros for packages installing SELinux modules
There's no unified practice how to install SELinux modules from packages
and how to relabel a filesystem after the change. This update provides
several new macros which should help maintainers with the process.

%selinux_relabel_pre [-s <policytype>]
- backups the current file_contexts for later use with fixfiles

%selinux_relabel_post [-s <policytype>]
- relabels a filesystem based on changes in file_contexts using fixfiles

%selinux_modules_install [-s <policytype>] module [module]...
%selinux_modules_uninstall [-s <policytype>] module [module]...
- install and uninstall modules to the priority 200
2016-09-20 09:40:52 +02:00