| Summary: | policycoreutils: seunshare should be split to separate subpackage | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tomas Hoger <thoger> |
| Component: | policycoreutils | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 679789 | Environment: | |
| Last Closed: | 2011-03-08 16:56:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
Tomas Hoger
2011-03-07 17:01:31 UTC
Bug #679798 affects Rawhide too. (In reply to comment #0) > The current way various sandbox components are split across subpackages may > make this somewhat tricky: > - seunshare - policycoreutils > - sandbox - policycoreutils-python > - sandboxX - policycoreutils-sandbox If we had no released packages, I'd consider using -sandbox for sandbox and seunshare, and -sandbox-x (or similar) for sandboxX. Taking current package split into account, I suggest -sandbox-core (or -sandbox-base) with sandbox and seunshare. -sandbox will be left for sandboxX, just with an extra Require: -sandbox-core. In F15 we have the following. rpm -qf /usr/sbin/seunshare policycoreutils-sandbox-2.0.85-14.fc15.x86_64 I see no reason not to do this. sandbox -X requires seunshare, sandbox Does not. So we can leave sandbox in policycoreutils-python Oh, I see, sorry. It should be ok to leave sandbox in -python, if we don't need to make -python require -sandbox. I'm personally less concerned about (non-X) sandbox + seunshare require all the dependencies of sandboxX, it sounds fair to not do extra split unless there's explicit request to do so to avoid extra requires. Feel free to close this if you prefer to not to do this change in released Fedora. Also assuming /etc/{init.d,sysconfig}/sandbox are expected to stay where they are currently. I'm not entirely sure what is the purpose of that script, as sandbox + seunshare seems to work fine on system that does not have that service enabled.
It is needed by xguest and any other uses of pam_namespace. I have an open bug on pam_namespace to implement the same fix we have added to seunshare. In order to make namespacing work you have to set the file system as private. So you need a file system for this. If ~dwalsh is on the main file system you do not want to do this. But the hack you can do is to bind mount ~dwalsh on ~dwalsh Then set the bind mount private. Now you can namespace. If you look at the sandbox init script, it is doing this for /tmp and $HOME. If you look at the seunshare code, it is also doing the bindmount/make private calls. If pam_namespace did this, we could eliminate the sandbox init script all together. I need a bugzilla like this to get policycoreutils update into RHEL6 though. (In reply to comment #7) > I need a bugzilla like this to get policycoreutils update into RHEL6 though. Original bug #679789 is for RHEL-6. |