As part of https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin, programs
are moved from /usr/sbin/alternatives to /usr/bin/alternatives. Provisions
have been made to create a compat symlink on traditional systems, so that both
paths work and packages that use paths under /usr/sbin do not need to be
rebuilt. Unfortunately, on ostree systems, the compat symlinks are missing, so
using absolute paths causes problems
(https://bodhi.fedoraproject.org/updates/FEDORA-2024-3aafcac6a8).
There is no reason for or benefit from specifying the full path to binaries in
scriptlets because the scriptlets are called with a well-defined $PATH. When
we drop the full path, they work fine no matter where exactly the binary is
installed.
An additional problem with full paths is that they are specified using macros,
and the macro works fine within a package, but they is no guarantee that
different builds of different packages at different times use the same
definition of %_sbindir.
I also changed /bin/echo → echo. The shell builtin is good enough, we don't need
to spawn a separate process.
Related: RHEL-54303
The commands should always end || : , because by policy we should
ensure RPM scriptlets always exit 0:
https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
Also, rm is in _bindir, not _sbindir.
This seems to have caused a failed test for an nbdkit update:
https://openqa.fedoraproject.org/tests/2628713#
the live image build failed because of a scriptlet error that
seems to be caused by this:
INFO:anaconda.modules.payloads.payload.dnf.transaction_progress:Configuring (running scriptlet for): nbdkit-selinux-1.39.6-1.fc41.noarch 1715870254 02561380439e4e22473970fa46db331b277dc254650fdcb96130a056cadaf02f
INFO:dnf.rpm:/var/tmp/rpm-tmp.ycmrWv: line 10: /usr/sbin/rm: No such file or directory
warning: %post(nbdkit-selinux-1.39.6-1.fc41.noarch) scriptlet failed, exit status 1
ERROR:dnf.rpm:Error in POSTIN scriptlet in rpm package nbdkit-selinux
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Various updating and installing scenarios are now supported:
- using rpm triggers for other packages in selinux-policy
- inside the selinux_modules_install and selinux_modules_uninstall
rpm macros when selinux subpackages are being built
Remove git from BuildRequires in %selinux_requires
In %selinux_requires macro, as part of BuildRequires is also git
package. It looks like some leftover and this commit removes it.
Upstream repo: https://github.com/fedora-selinux/selinux-policy-macros
There's no unified practice how to install SELinux modules from packages
and how to relabel a filesystem after the change. This update provides
several new macros which should help maintainers with the process.
%selinux_relabel_pre [-s <policytype>]
- backups the current file_contexts for later use with fixfiles
%selinux_relabel_post [-s <policytype>]
- relabels a filesystem based on changes in file_contexts using fixfiles
%selinux_modules_install [-s <policytype>] module [module]...
%selinux_modules_uninstall [-s <policytype>] module [module]...
- install and uninstall modules to the priority 200