My F31 kickstart install is failing with: DNF error: Error in POSTIN scriptlet in rpm package flatpak-selinux
This is because flatpak-selinux installs a SELinux module in %post:
%post selinux
%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
which sources /etc/selinux/config. It is failing because /etc/selinux/config
does not exist and /bin/sh exits with failure (/bin/bash does not,
interestingly enough).
This was reported earlier here:
https://bugzilla.redhat.com/show_bug.cgi?id=1723118
and the suggestion was made to add:
Requires(post): selinux-policy
since selinux-policy owns /etc/selinux/config. However, selinux-policy
creates /etc/selinux/config in its own %post, and Requires(post) only
guarantees that the package's contents are installed, not that its scripts are
complete.
So, what's the best way to fix this? We need /etc/selinux/policy to be
present and populated with SELINUXTYPE=targeted for the selinux policy modules
to be installed properly.
selinux-policy does:
%post
if [ ! -s /etc/selinux/config ]; then
  #
  # New install so we will default to targeted policy
  #
  echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
" > /etc/selinux/config
  ln -sf ../selinux/config /etc/sysconfig/selinux
  restorecon /etc/selinux/config 2> /dev/null || :
else
  . /etc/selinux/config
fi
exit 0
But can't this be achieved simply with:
%config(noreplace) %{_sysconfdir}/selinux/config
New installs would get the default config, but otherwise you would get a
.rpmnew file.
However, I realize that nothing is particularly simple about SELinux so there
are probably things I'm not aware of that prevent this.
PS - the else code seems to be a no-op.
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane [email protected]
Boulder, CO 80301 https://www.nwra.com/
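
Added example, not part of the original message or of any Fedora package: a shell sketch of the /bin/sh versus /bin/bash difference described above (a POSIX-mode shell aborts when `.` cannot find its file; bash in its default mode only returns an error), plus a guarded read of SELINUXTYPE that a scriptlet could use. The function names are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from any package.

# Return 0 if the interpreter given as "$@" keeps running after `.` is
# pointed at a file that does not exist, non-zero if it aborts instead.
continues_after_missing_source() {
    dir=$(mktemp -d) || return 2
    out=$("$@" -c '. "$1"; echo continued' _ "$dir/config" 2>/dev/null) || true
    rmdir "$dir"
    [ "$out" = "continued" ]
}

# Guarded read for a scriptlet: print SELINUXTYPE from the config file, or
# return 1 without sourcing anything when the file is missing or empty
# (the same -s test selinux-policy's %post uses). Pass an absolute path,
# since `.` searches PATH for names without a slash. The subshell keeps the
# sourced variables out of the caller.
selinux_type() {
    cfg=${1:-/etc/selinux/config}
    [ -s "$cfg" ] || return 1
    (
        unset SELINUXTYPE
        . "$cfg" && [ -n "$SELINUXTYPE" ] && printf '%s\n' "$SELINUXTYPE"
    )
}

# Demo: compare interpreters, then try the guarded read on this machine.
for shell in sh bash "bash --posix"; do
    command -v "${shell%% *}" >/dev/null 2>&1 || continue
    # $shell is left unquoted on purpose so "bash --posix" splits into words.
    if continues_after_missing_source $shell; then
        echo "$shell: continues after failed source"
    else
        echo "$shell: aborts on failed source"
    fi
done
selinux_type || echo "no usable /etc/selinux/config"
```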
