Bug 193157
| Summary: | Review Request: system-config-selinux | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Daniel Walsh <dwalsh> |
| Component: | Package Review | Assignee: | David Cantrell <dcantrell> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | dennis, fedora-package-review, mishu, notting |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-12-15 17:00:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 163779 | ||
|
Description
Daniel Walsh
2006-05-25 18:11:57 UTC
Needswork: - Hardset Requires, can't you just let rpm figure that out in the build, it almost always gets it right. - #Replace the files line with the one commented out when translations are done %files #%files The two lines are the same.... - desktop file present but not installed correctly. Check out http://fedoraproject.org/wiki/Packaging/Guidelines#desktop for the desktop stuff. rpmlint is silent on the srpm and the noarch.rpm, so thats good. Would it not be possible for Red Hat-internal projects like this to have their own mini-homepage so that URL: tags of http://www.redhat.com/ and Source0: tags that aren't full URLs could be avoided? Perhaps the spec file template could be updated to use the more modern "make DESTDIR=${RPM_BUILD_ROOT}" style instead of "%makeinstall"? /usr/share/system-config-selinux/semanagegui.py and /usr/share/system-config-selinux/system-config-selinux.py have shellbangs: #!/usr/bin/python2 which lead to bogus dependencies on /usr/bin/python2, which make the package uninstallable. Since at least the latter needs to be directly executable, it should have a shellbang pointing to /usr/bin/python It would be nice if the .pyo files were %ghosted, as is the usual practice these days. "manageing" in %description should be "managing" Regarding Comment #1, which Hardset Requires are you referring to? I can only see the usermode dep, and that's needed. (In reply to comment #2) > /usr/share/system-config-selinux/semanagegui.py > and > /usr/share/system-config-selinux/system-config-selinux.py > > have shellbangs: > #!/usr/bin/python2 > > which lead to bogus dependencies on /usr/bin/python2, which make the package > uninstallable. Since at least the latter needs to be directly executable, it > should have a shellbang pointing to /usr/bin/python Please forget I said this nonsense! Whoops. One would wager that rpm macros need to be updated for %makeinstall if it is not 'modern' enough. The previous spec had: Requires: gnome-python2, pygtk2, pygtk2-libglade, gnome-python2-canvas Requires: policycoreutils Requires: rhpl >= 0.148.2 usermode Requires: python >= 2.3 These have been removed, but the version wasn't updated, nor was made mention that this change had happened. The other NEEDSWORK are still needed. (In reply to comment #4) > One would wager that rpm macros need to be updated for %makeinstall if it is not > 'modern' enough. Not sure that's good idea. Most packages will work with either approach, but some will depend on the way one or the other works, and will fail with the alternative approach. > The previous spec had: > > Requires: gnome-python2, pygtk2, pygtk2-libglade, gnome-python2-canvas > Requires: policycoreutils > Requires: rhpl >= 0.148.2 usermode > Requires: python >= 2.3 I wonder if it was a good idea to remove these since none of these deps (even the python(abi) = 2.4 dep that I'd expect) have been found automatically by rpm. > These have been removed, but the version wasn't updated, nor was made mention > that this change had happened. Hmm, not good. Please update the release tag whenever a change is made to the package, so it's easy to tell which comments refer to which version of the package. Should the python code be #!/usr/bin/python Looks like our rpm autodetection of deps doesn't work on python scripts. Sorry for the noise Dan, you should put those deps back. /me wonders if anybody is working on making rpm autodetect python deps. /usr/bin/python2 would work, it ensures you're using at least python 2.x Back to the future. Updated to 0.0.3 Spec URL: ftp://people.redhat.com/dwalsh/SELinux/system-config-selinux.spec SRPM URL: ftp://people.redhat.com/dwalsh/SELinux/system-config-selinux-0.0.3-1.src.rpm Description: system-config-selinux is a gui front end to the semanage tool. This tool allows you to configure all parts of the SELinux environment. Almost there (; Now we're just missing a BuildRequires: on desktop-file-utils (and a changelog to match the evr) Trying to run
system-config-selinux-0.0.3-1
# system-config-selinux
Traceback (most recent call last):
File "/usr/sbin/system-config-selinux", line 36, in ?
import fcontextPage
File "/usr/share/system-config-selinux/fcontextPage.py", line 26, in ?
from avc import context
ImportError: No module named avc
looks like a missing requires
(In reply to comment #10) > Trying to run > system-config-selinux-0.0.3-1 > > # system-config-selinux > Traceback (most recent call last): > File "/usr/sbin/system-config-selinux", line 36, in ? > import fcontextPage > File "/usr/share/system-config-selinux/fcontextPage.py", line 26, in ? > from avc import context > ImportError: No module named avc > > looks like a missing requires I think policycoreutils should provide that. Where do we stand on this Dan? Updated to 0.0.4 Spec URL: ftp://people.redhat.com/dwalsh/SELinux/system-config-selinux.spec SRPM URL: ftp://people.redhat.com/dwalsh/SELinux/system-config-selinux-0.0.4-1.src.rpm Description: system-config-selinux is a gui front end to the semanage tool. This tool allows you to configure all parts of the SELinux environment. Add missing BuildRequires: desktop-file-utils and I think we're good. I'll pre-approve. Now you just need Nottings' signoff for being in Core, and then I need to know if this needs changes in Comps and/or anaconda. Random comments (outside of any signoff): - the logging button doesn't work - dies pretty horribly in a non-SELinux environment - could probably use some GTK love (tab spacing, selector width, etch) - python(abi) deps come from files in /usr/lib/python<ver>; otherwise, you don't get them I don't really have any objections to this being in Core. I wonder if in the future moving to some more task-specific options, rather than a raw listing of booleans, might be better. Manage->Policy looks pretty scary to anyone who doesn't have any deep knowledge of policy. Thinking more about this... do we have some designer feedback on this? What specifically are we trying to solve? I'm not sure 'wrap sesetbool' is the goal we should be shooting for. To your first Messsage: - the logging button doesn't work Yes these are features I was hoping for upstream to help - dies pretty horribly in a non-SELinux environment That Needs to be fixed. - could probably use some GTK love (tab spacing, selector width, etch) Yes. Again hoping for patches from upstream. - python(abi) deps come from files in /usr/lib/python<ver>; otherwise, you don't get them How do I change this. This tool was basically thrown together as GUI to do semanage functionality, so it is pretty primitive. Problem is I never work on it, since It is near the bottom of the priority list. I feel if I make it public, I might get some opensource ideas/code/patches on how to fix it. The first screen, is basically stopen from system-config-securitylevel/SELinux tab. The original idea was to get human translatable descriptions of the booleans to allow Adminst to find logical booleans. We are building new tools to react to AVC messages and suggest booleans to be set. So if you setup your ftp server to allow local logins, but do not turn on the appropriate SELinux booleans. We will catch the first AVC message and send a message to the user suggesting that they turn the boolean on. Dan Hm, I suspect this may be better for extras in the short term, then. Instead of saying "you should turn on this boolean", wny not go the next step and just have a "Shoud we allow this [ ] No [ ] Allow local ftp logins" box, and sidestep the tool initially? ------- Additional Comments From jkeating 2006-06-11 10:35 EST ------- Since Bill thinks this is for Extras, I'll re-block on FE-ACCEPT since it passed review. Dan, do you currently have sponsership within Extras yet? ------- Additional Comments From dwalsh 2006-06-12 08:01 EST ------- No, How do I go about getting it? http://fedoraproject.org/wiki/Extras/Contributors <-- follow through there. Dan is now a sponsored Extras contributor. Please close this bug when you've released system-config-selinux into Extras. ping on this This should be removed, since rather than make this a new package, I added it to policycoreutils. policycoreutils-gui to be precise. It was using all of the underlying python code for semanage, and getting translations to work was going to be a hassle. |