Bug 195666
| Summary: | Review Request: mod_fcgid | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Paul Howarth <paul> |
| Component: | Package Review | Assignee: | Michael Fleming <mfleming+rpm> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Package Reviews List <fedora-package-review> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | felix.schwarz, wart |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-09-06 14:25:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 163779 | ||
|
Description
Paul Howarth
2006-06-16 14:08:22 UTC
NEEDSWORK (but not much)
Review for release 8.fc5:
* RPM name is OK
* Source mod_fcgid.1.09.tar.gz is the same as upstream
* Works OK (some of my scripts aren't ready for it though. :-))
* Builds OK in mock (Core 5, i386 and x86_64)
Needs work:
* Spec file: some paths are not replaced with RPM macros
(wiki: QAChecklist item 7)
Note from me: Your spec uses a lot of %{_rm} style expansions (rather
than plain ol' whatever-"rm"-is-in-$PATH) so this may confuse rpmlint
et. al. I personally don't have an issue with it as long as it's
readable and consistent.
* The BuildRoot must be cleaned at the beginning of %install
Notes:
* I got the following barf to console when removing the package via
rpm -e (FC5, up-to-date targeted policy)
[root@pong mfleming]# rpm -e mod_fcgid
/usr/sbin/semodule: SELinux policy is not managed or store cannot be
accessed.
/usr/sbin/semodule: SELinux policy is not managed or store cannot be
accessed.
libsepol.sepol_genbools_array: boolean
allow_httpd_fastcgi_script_anon_write no longer in policy
I do like having the policy there, mind you. I should probably do something
similar for mlmmj (which can be tricky with targeted policy out of the box)
* Would it be possible/useful to scrape the upstream documentation,
primarily for the extra directives info?
(In reply to comment #1) > NEEDSWORK (but not much) > > Review for release 8.fc5: > * RPM name is OK > * Source mod_fcgid.1.09.tar.gz is the same as upstream > * Works OK (some of my scripts aren't ready for it though. :-)) > * Builds OK in mock (Core 5, i386 and x86_64) > > Needs work: > * Spec file: some paths are not replaced with RPM macros > (wiki: QAChecklist item 7) I think I've got this right; paths where this package installs things to are replaced by macros, whereas paths referring to files owned by different packages (e.g. selinux-policy) are hardcoded. This allows the person building the package to put things in different places by changing the macro definitions, which wouldn't work if directory macros were used for files owned by other packages. > Note from me: Your spec uses a lot of %{_rm} style expansions (rather > than plain ol' whatever-"rm"-is-in-$PATH) so this may confuse rpmlint > et. al. I personally don't have an issue with it as long as it's > readable and consistent. Good, as that's my preferred style that I use in all of my packages. rpmlint has no problems expanding the macros. > * The BuildRoot must be cleaned at the beginning of %install It is: %install %{__rm} -rf %{buildroot} > Notes: > * I got the following barf to console when removing the package via > rpm -e (FC5, up-to-date targeted policy) > > [root@pong mfleming]# rpm -e mod_fcgid > /usr/sbin/semodule: SELinux policy is not managed or store cannot be > accessed. > /usr/sbin/semodule: SELinux policy is not managed or store cannot be > accessed. > libsepol.sepol_genbools_array: boolean > allow_httpd_fastcgi_script_anon_write no longer in policy I missed discarding the output of semodule in %postun; I'll fix that. > I do like having the policy there, mind you. I should probably do something > similar for mlmmj (which can be tricky with targeted policy out of the box) If you need any help with that, you'll get good advice over on fedora-selinux-list. > * Would it be possible/useful to scrape the upstream documentation, > primarily for the extra directives info? I've now included a copy of the "configuration" and "documentation" pages from the upstream website. Updated packages (1.09-9) available here: http://www.city-fan.org/~paul/extras/mod_fcgid/ Package updated to -10: http://www.city-fan.org/~paul/extras/mod_fcgid/ I updated the SELinux policy module to allow httpd to read httpd_fastcgi_content_t content without having to set the httpd_builtin_scripting boolean. A new upstream version (1.10) has been released. I have also updated the SELinux policy to allow httpd_fastcgi_script_t to read /etc/resolv.conf without having the httpd_can_network_connect boolean set. Packages (1.10-1) available in usual place: http://www.city-fan.org/~paul/extras/mod_fcgid/ I have updated the SELinux policy again to allow FastCGI apps to do DNS lookups. Packages (1.10-2) available in usual place: http://www.city-fan.org/~paul/extras/mod_fcgid/ Sorry about the time taken to knock this one over, been ill or busy or both. - All the items I'd previously pointed out are well and truly fixed - The SELinux module is EXTREMELY cool and much appreciated, a fair bit of consideration has gone into it. Anything that encourages people to better consider system security (in a sane and non-onerous manner) is a Good Thing. Two thumbs up, APPROVED. Bug appears to have been closed by mistake. I have some tweaks I need to make here, as the selinux-policy package has been split into selinux-policy and selinux-policy-devel in rawhide. I'll upload a version that builds on rawhide shortly. Update to package so that it builds in rawhide, where the /etc/httpd/build symlink has gone, and selinux-policy-devel is required. Packages (1.10-3) available in usual place: http://www.city-fan.org/~paul/extras/mod_fcgid/ Could you just give this new package a try and re-approve, since this is what I'd be importing into CVS? As a ametter of interest, which application(s) have you tried this with? Update to package, moving SELinux policy modules from /usr/share/selinux/packages/POLICYNAME to /usr/share/selinux/POLICYNAME now that the Core selinux-policy (in rawhide, should be updated in FC5 with the next update) no longer automatically tries to link all modules in this directory, and includes the correct directory ownership. This package version also hardlinks the policy module packages together if they're identical, thius avoiding duplicate files. Packages (1.10-4) available in usual place: http://www.city-fan.org/~paul/extras/mod_fcgid/ Another update. I've split the SELinux policy module off into a subpackage. This has the benefit for people not using SELinux that the main package has no dependency on selinux-policy, and installation time is reduced as there are no scriptlets to run. Packages (1.10-5) available in usual place: http://www.city-fan.org/~paul/extras/mod_fcgid/ Another update. The recent FC5 selinux-policy package update has split out a separate selinux-policy-devel package, as per FC6. So the buildreqs are now the same for FC5 and FC6 onwards. Packages (1.10-6) available in usual place: http://www.city-fan.org/~paul/extras/mod_fcgid/ Given that this package was approved (Comment #6) earlier, I shall now import and build it. 16330 (mod_fcgid): Build on target fedora-development-extras succeeded.
Build logs may be found at
http://buildsys.fedoraproject.org/logs/fedora-development-extras/16330-mod_fcgid-1.10-7.fc6/
owners.list updated, FE6 comps entry added, FE-5 branch request made
|