Bug 214605

Summary: Add some SE Linux specific checks
Product: [Fedora] Fedora
Reporter: Steve Grubb <sgrubb>
Component: rpmlint
Assignee: Ville Skyttä <scop>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 6
CC: extras-qa
Keywords: MoveUpstream, Patch
Hardware: All
OS: Linux
Fixed In Version: 0.79-1
Doc Type: Bug Fix
Last Closed: 2007-02-02 16:07:45 UTC
Attachments: Patch addressing the issues listed above (flags: none)

Description Steve Grubb 2006-11-08 16:49:02 UTC
Description of problem:
rpmlint does not know about some SE Linux related problems that could exist in
scriptlets. For example, using chcon and runcon requires knowing a policy type -
which could change on a policy upgrade and completely break the scriptlet. I
will attach a patch that detects encoded policy knowledge in scriptlets.

Version-Release number of selected component (if applicable):
rpmlint-0.78

Comment 1 Steve Grubb 2006-11-08 16:49:02 UTC
Created attachment 140668
Patch addressing the issues listed above

Comment 2 Ville Skyttä 2006-11-08 18:37:32 UTC
Thanks.  Could you submit a message that would be displayed when rpmlint is run
with -i/-I?  Ideally, the message should describe what's wrong and what to do
about it.  I'm thinking about something like this, but I'm not knowledgeable
enough about SELinux to write the "what to do about it" part:

  A command which may require intimate knowledge about specific SELinux
  policy types which are subject to change in future policies was found
  in the scriptlet. [Fill here what the packager should do about it.]

Comment 3 Steve Grubb 2006-11-08 18:49:00 UTC
Sure, here's the text slightly modified from above:

  A command which requires intimate knowledge about a specific SELinux
  policy type was found in the scriptlet. These types are subject to change
  on a policy version upgrade. The packager should use the restorecon
  command which queries the currently loaded policy for the correct type.

Comment 4 Ville Skyttä 2006-11-08 19:33:09 UTC
Applied upstream with further minor tweaks as
http://rpmlint.zarb.org/cgi-bin/trac.cgi/changeset/1293, will be in the next
rpmlint release.  Thanks!

Comment 5 Ville Skyttä 2007-02-02 16:07:45 UTC
Done in upcoming 0.79-1.
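
The kind of check this report asks for, as an added example that is not part of the thread and is not rpmlint's own code: it flags chcon and runcon only when they appear in command position in a scriptlet line, so comments, quoted strings and look-alike names are not reported. The function names, the separator list and the sample scriptlets are assumptions made for illustration.

```python
import re
import shlex

POLICY_COMMANDS = {"chcon", "runcon"}   # the two commands named in this report
# Tokens after which the next word is in command position.
SEPARATORS = {";", "&&", "||", "|", "&", "(", ")", "{", "}", "!",
              "if", "then", "elif", "else", "while", "until", "do"}
ASSIGNMENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=")

def command_words(line):
    """Yield the basename of each word in command position on one shell line."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)        # drops '#' comments, keeps quoted text whole
    except ValueError:              # unbalanced quote: skip the line
        return
    expect_command = True
    for tok in tokens:
        if tok in SEPARATORS:
            expect_command = True
        elif expect_command and not ASSIGNMENT.match(tok):
            expect_command = False
            yield tok.rsplit("/", 1)[-1]

def scan_scriptlets(scriptlets):
    """Return (section, line number, command) for each chcon/runcon call."""
    findings = []
    for section, body in scriptlets.items():
        for lineno, line in enumerate(body.splitlines(), 1):
            for word in command_words(line):
                if word in POLICY_COMMANDS:
                    findings.append((section, lineno, word))
    return findings

# Constructed sample scriptlets, not taken from any real package.
SAMPLE = {
    "%post": (
        "# chcon is mentioned only in this comment\n"
        'echo "do not call runcon here"\n'
        "/usr/bin/chcon -t httpd_sys_content_t /var/www/app || :\n"
        "restorecon -R /var/www/app\n"
    ),
    "%preun": "if [ $1 -eq 0 ]; then runcon -t initrc_t /usr/libexec/app-stop; fi\n",
}

if __name__ == "__main__":
    for section, lineno, cmd in scan_scriptlets(SAMPLE):
        print(f"{section}:{lineno}: {cmd} encodes an SELinux policy type")
```

The scan works line by line, so here-documents and backslash continuations are outside what it handles.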