Bug 185434

Summary: RFE: SELinux policy module support in RPM
Product: [Fedora] Fedora
Reporter: Daniel Walsh <dwalsh>
Component: rpm
Assignee: Fedora Packaging Toolset Team <packaging-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: rawhide
CC: ffesti, ovasik, redhat-bugzilla, tmraz
Keywords: FutureFeature
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2015-06-12 11:56:29 UTC
Bug Blocks: 181563

Description Daniel Walsh 2006-03-14 19:53:46 UTC
Description of problem:

We need support for rpm to install the policy module and update the kernel
before placing files down on the system. It then needs to trigger an update of
file context when complete.

Comment 1 Paul Nasrat 2006-03-14 19:57:30 UTC
Could you give more details of your requirements and expectations?

Comment 2 Daniel Walsh 2006-03-14 20:59:26 UTC
Yes, I was just putting this in as a placeholder since I think we need to discuss
this in a meeting. What I am envisioning right now is something where the
specfile would indicate the policy files:

%(policy) myapp.pp

And this file could be placed in some temporary location on the system and a
semodule -i /TMPLOCATION/myapp.pp
would happen. This would cause the policy to be rebuilt and reloaded and the
file_context file to be updated. At this point the rpm would proceed to place
files on disk.

Two problems with this is that if several packages were providing policy, each
one would need to do the semodule thing and this would take a very long time. 
So it would be better if we could put them into some kind of transaction.  So
all policy files get updated first.  Then the RPMs get installed.

Finally as a post install step the file context difference program would be run
to fix any file contexts that had been altered.

Dan
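
Added example (not part of the bug report and not rpm's own code): a shell illustration of the ordering proposed in comment 2, where every package's policy module is loaded in a single `semodule` invocation, the payloads are installed, and labels are reset afterwards. The names `policy_transaction`, `run` and `DRY_RUN` and the sample paths are hypothetical, and `restorecon -R` is an assumed stand-in for the file-context fix-up step, which the comment does not name.

```shell
#!/bin/sh
# Added example, not from the bug report. The phases follow comment 2:
# all policy first (one transaction), then payloads, then relabel.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them as root.
DRY_RUN=${DRY_RUN:-1}

run() {  # print the command, and execute it unless this is a dry run
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# usage: policy_transaction MODULE.pp... -- PATH...
policy_transaction() {
    mods="" paths="" phase=mods
    for arg in "$@"; do
        if [ "$arg" = "--" ]; then phase=paths; continue; fi
        # Refuse anything that could be read as an option or shell syntax.
        case $arg in
            *[!A-Za-z0-9._/-]*|-*) echo "unsafe argument: $arg" >&2; return 2 ;;
        esac
        if [ "$phase" = mods ]; then
            case $arg in
                *.pp) mods="$mods -i $arg" ;;
                *) echo "not a policy module: $arg" >&2; return 2 ;;
            esac
        else
            paths="$paths $arg"
        fi
    done
    [ -n "$mods" ] || { echo "no policy modules given" >&2; return 2; }
    # One semodule call: policy is rebuilt and reloaded once for all modules.
    # shellcheck disable=SC2086  # splitting is intended; args validated above
    run semodule $mods || return 1
    echo "# rpm places the package files on disk here"
    # Post-install: reset labels on paths whose context may have changed.
    if [ -n "$paths" ]; then
        # shellcheck disable=SC2086
        run restorecon -R $paths || return 1
    fi
}

# Constructed sample input: two packages shipping policy, two install paths.
policy_transaction /tmp/myapp.pp /tmp/otherapp.pp -- /usr/bin/myapp /etc/myapp
```

With several modules the policy store is committed once, which addresses the per-package rebuild cost raised in the comment.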

Comment 3 Jeff Johnson 2006-03-15 15:07:53 UTC
Extracting myapp.pp from payload in order to do %pretrans is the fundamental design problem.
Adding myapp.pp to metadata bloatery, either through additional tag, or by inlining in %pretrans,
is the dirty and expedient hack. Anything else will require extensive changes, like splitting
into subtransactions, or reading the payload multiple times.

Comment 4 Red Hat Bugzilla 2007-08-21 05:22:30 UTC
User pnasrat's account has been closed

Comment 5 Panu Matilainen 2007-08-22 06:30:11 UTC
Reassigning to owner after bugzilla made a mess, sorry about the noise...

Comment 6 Jon Stanley 2008-04-23 20:28:43 UTC
Adding FutureFeature keyword to RFEs.

Comment 7 Fedora Admin XMLRPC Client 2012-04-13 23:12:07 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 8 Fedora Admin XMLRPC Client 2012-04-13 23:13:57 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 9 Florian Festi 2015-06-12 11:56:29 UTC
Hmm, no news for 9 years...

There is a selinux plugin nowadays. I just assume that it does what is needed. Closing.