|Summary:||Wrong guard in %post scriptlet for policy-sources-1.10.1-4|
|Product:||[Fedora] Fedora||Reporter:||Michal Jaegermann <michal>|
|Component:||policy||Assignee:||Daniel Walsh <dwalsh>|
|Status:||CLOSED RAWHIDE||QA Contact:||Brian Brock <bbrock>|
|Fixed In Version:||1.11.2-5||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2004-05-10 18:03:38 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Michal Jaegermann 2004-04-09 05:10:30 UTC
Description of problem: The script in question looks like follows: if [ -x /usr/bin/selinuxenabled -a /usr/bin/selinuxenabled ]; then make -C /etc/security/selinux/src/policy > /dev/null 2>&1 make -C /etc/security/selinux/src/policy load fi The problem is that the guard expression always evaluates to true. See, for example: [ -x /bin/false -a /bin/false ] && echo ok || echo no Yes, I was also surprised and I am not sure how /bin/sh is parsing that and if that is correct. OTOH [ -x /bin/false ] && /bin/false && echo ok || echo no prints expected and if [ -x /usr/bin/selinuxenabled ] && /usr/bin/selinuxenabled ; then .. guard would work. In the current situation installing policy-sources while selinux is disabled results in: cat: /selinux/policyvers: No such file or directory Can't open '/etc/security/selinux/policy.': No such file or directory make: *** [tmp/load] Error 2 make: Leaving directory `/etc/security/selinux/src/policy' error: %post(policy-sources-1.10.1-4) scriptlet failed, exit status 2 Version-Release number of selected component (if applicable): policy-sources-1.10.1-4
Comment 1 Michal Jaegermann 2004-04-09 05:18:32 UTC
Oops! A component correction.
Comment 2 Daniel Walsh 2004-04-09 12:54:19 UTC
Fixed in 1.10.2-3 Dan
Comment 3 Michal Jaegermann 2004-04-10 04:26:02 UTC
Hopefuly you are right. The latest package which I can get so far is policy-1.10.2-1. But I figured it out. A test "[ -x /usr/bin/selinuxenabled -a /usr/bin/selinuxenabled ]" really means /usr/bin/selinuxenabled has an executable flag set AND "/usr/bin/selinuxenabled" string is non-empty. Well ... There is still a need for the whole thing to look like that if [ -x /usr/bin/selinuxenabled ] && /usr/bin/selinuxenabled ; then # action here fi exit 0 Without 'exit 0' an rpm installation will report errors if the test is not satisfied. The same 'exit 0', or equivalent like ':', is missing in scriptlets for 'policy' package.
Comment 4 Daniel Walsh 2004-04-10 11:38:00 UTC
Ok added your fixes in policy-1.10.2-5 Dan
Comment 5 Michal Jaegermann 2004-04-14 19:49:27 UTC
After thinking about these a bit more I believe now that the %post script in question should really look somewhat like that: if [ -x /usr/bin/selinuxenabled ]; then make -W /etc/security/selinux/src/policy/users \ -C /etc/security/selinux/src/policy > /dev/null 2>&1 /usr/bin/selinuxenabled && \ make -C /etc/security/selinux/src/policy load fi exit 0 so 'policy.conf' will be generated when selinux support is installed but not necessarily active in the moment. Comments?
Comment 6 Daniel Walsh 2004-04-14 21:48:59 UTC
I think this will work? My only concern is whether checkpolicy will work in an non SELinux environment? Dan
Comment 7 Michal Jaegermann 2004-04-15 01:55:26 UTC
> My only concern is whether checkpolicy will work ... If you mean a worry if policy.conf will be properly created if SELinux support is installed but SELinux is not active (selinux=0) then I tried that and it looks to me fine. If SELinux is something totally absent while things like /usr/bin/selinuxenabled still installed then it seems that you are not worse of then now; but I may be missing something.
Comment 8 Daniel Walsh 2004-04-15 02:06:24 UTC
Ok I added your changes. They are out on people in policy-1.11.2-5 and will be in tomorrows build. Nice job. Thanks a lot. Dan