Bug 120476

Summary: Wrong guard in %post scriptlet for policy-sources-1.10.1-4
Product: [Fedora] Fedora
Reporter: Michal Jaegermann <michal>
Component: policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: rawhide
CC: leonard-rh-bugzilla
Hardware: All   
OS: Linux   
Whiteboard: triage|leonardjo|closed|rawhide
Fixed In Version: 1.11.2-5
Doc Type: Bug Fix
Last Closed: 2004-05-10 18:03:38 UTC

Description Michal Jaegermann 2004-04-09 05:10:30 UTC
Description of problem:

The script in question looks as follows:

if [ -x /usr/bin/selinuxenabled -a /usr/bin/selinuxenabled ]; then
	make -C /etc/security/selinux/src/policy > /dev/null 2>&1 
	make -C /etc/security/selinux/src/policy load

The problem is that the guard expression always evaluates to true.
See, for example:

[ -x /bin/false -a /bin/false ] && echo ok || echo no

Yes, I was also surprised and I am not sure how /bin/sh is parsing
that and if that is correct.  OTOH

[ -x /bin/false ] && /bin/false && echo ok || echo no

prints the expected result and

if [ -x /usr/bin/selinuxenabled ] && /usr/bin/selinuxenabled ; then ..

guard would work.  In the current situation installing policy-sources
while selinux is disabled results in:

cat: /selinux/policyvers: No such file or directory
Can't open '/etc/security/selinux/policy.':  No such file or directory
make: *** [tmp/load] Error 2
make: Leaving directory `/etc/security/selinux/src/policy'
error: %post(policy-sources-1.10.1-4) scriptlet failed, exit status 2

Comment 1 Michal Jaegermann 2004-04-09 05:18:32 UTC
Oops!  A component correction.

Comment 2 Daniel Walsh 2004-04-09 12:54:19 UTC
Fixed in 1.10.2-3


Comment 3 Michal Jaegermann 2004-04-10 04:26:02 UTC
Hopefully you are right.  The latest package which I can get so
far is policy-1.10.2-1.  But I figured it out. A test
"[ -x /usr/bin/selinuxenabled -a /usr/bin/selinuxenabled ]" really
means /usr/bin/selinuxenabled has an executable flag set AND
"/usr/bin/selinuxenabled" string is non-empty.  Well ...

There is still a need for the whole thing to look like that

if [ -x /usr/bin/selinuxenabled ] && /usr/bin/selinuxenabled ; then
    # action here
fi
exit 0

Without 'exit 0' an rpm installation will report errors if
the test is not satisfied.  The same 'exit 0', or equivalent like ':',
is missing in scriptlets for 'policy' package.

Comment 4 Daniel Walsh 2004-04-10 11:38:00 UTC
Ok added your fixes in policy-1.10.2-5


Comment 5 Michal Jaegermann 2004-04-14 19:49:27 UTC
After thinking about these a bit more I believe now that the %post
script in question should really look somewhat like that:

if [ -x /usr/bin/selinuxenabled ]; then
   make -W /etc/security/selinux/src/policy/users \
        -C /etc/security/selinux/src/policy > /dev/null 2>&1
   /usr/bin/selinuxenabled && \
      make -C /etc/security/selinux/src/policy load
fi
exit 0

so 'policy.conf' will be generated when selinux support is
installed but not necessarily active at the moment.  Comments?
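
The guard semantics explained in Comment 3 and the scriptlet layout proposed in Comment 5, as an added example that is not part of the original report or of the policy package. The stub executables stand in for /usr/bin/selinuxenabled; the function names and the no-op placeholders for the make calls are assumptions.

```shell
#!/bin/sh
# Constructed stand-ins for /usr/bin/selinuxenabled, which exits 0 when
# SELinux is enabled and non-zero when it is not.
STUBS=$(mktemp -d)
trap 'rm -rf "$STUBS"' EXIT
printf '#!/bin/sh\nexit 1\n' > "$STUBS/disabled"
printf '#!/bin/sh\nexit 0\n' > "$STUBS/enabled"
chmod +x "$STUBS/disabled" "$STUBS/enabled"

# Guard as shipped: -a joins two tests, and a bare word is the
# "string is non-empty" test, so the program is never executed.
guard_original() { [ -x "$1" -a "$1" ]; }

# Corrected guard: && runs the program and uses its exit status.
guard_fixed() { [ -x "$1" ] && "$1"; }

# Comment 5 layout with both make calls replaced by no-ops (assumption).
# $2 = yes appends the trailing 'exit 0'. The body is a subshell, so the
# function's status is the exit status rpm would get from %post.
post_status() (
    if [ -x "$1" ]; then
        : "make policy.conf"
        "$1" && : "make load"
    fi
    rc=$?
    [ "$2" = yes ] && exit 0
    exit "$rc"
)

for s in disabled enabled; do
    guard_original "$STUBS/$s" && o=runs || o=skips
    guard_fixed "$STUBS/$s" && f=runs || f=skips
    post_status "$STUBS/$s" no && p=0 || p=$?
    echo "$s: original guard $o, fixed guard $f, %post without 'exit 0' -> $p"
done
```

With the disabled stub the original guard still runs the body, and the Comment 5 layout returns 1 unless the trailing 'exit 0' is present.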

Comment 6 Daniel Walsh 2004-04-14 21:48:59 UTC
I think this will work?  My only concern is whether checkpolicy will
work in a non-SELinux environment?


Comment 7 Michal Jaegermann 2004-04-15 01:55:26 UTC
> My only concern is whether checkpolicy will work ...
If you mean a worry if policy.conf will be properly created if
SELinux support is installed but SELinux is not active (selinux=0)
then I tried that and it looks fine to me.  If SELinux is something
totally absent while things like /usr/bin/selinuxenabled are still
installed then it seems that you are not worse off than now;
but I may be missing something.

Comment 8 Daniel Walsh 2004-04-15 02:06:24 UTC
Ok I added your changes.  They are out on people in policy-1.11.2-5
and will be in tomorrow's build.  Nice job.

Thanks a lot.