Description of problem:

The script in question looks as follows:

    if [ -x /usr/bin/selinuxenabled -a /usr/bin/selinuxenabled ]; then
        make -C /etc/security/selinux/src/policy > /dev/null 2>&1
        make -C /etc/security/selinux/src/policy load
    fi

The problem is that the guard expression always evaluates to true. See, for example:

    [ -x /bin/false -a /bin/false ] && echo ok || echo no

Yes, I was also surprised and I am not sure how /bin/sh is parsing that and if that is correct. OTOH

    [ -x /bin/false ] && /bin/false && echo ok || echo no

prints the expected result and an

    if [ -x /usr/bin/selinuxenabled ] && /usr/bin/selinuxenabled ; then ..

guard would work.

In the current situation installing policy-sources while selinux is disabled results in:

    cat: /selinux/policyvers: No such file or directory
    Can't open '/etc/security/selinux/policy.': No such file or directory
    make: *** [tmp/load] Error 2
    make: Leaving directory `/etc/security/selinux/src/policy'
    error: %post(policy-sources-1.10.1-4) scriptlet failed, exit status 2

Version-Release number of selected component (if applicable):
policy-sources-1.10.1-4
Oops! A component correction.
Fixed in 1.10.2-3

Dan
Hopefully you are right. The latest package which I can get so far is policy-1.10.2-1.

But I figured it out. A test "[ -x /usr/bin/selinuxenabled -a /usr/bin/selinuxenabled ]" really means that /usr/bin/selinuxenabled has an executable flag set AND the "/usr/bin/selinuxenabled" string is non-empty. Well ...

There is still a need for the whole thing to look like that:

    if [ -x /usr/bin/selinuxenabled ] && /usr/bin/selinuxenabled ; then
        # action here
    fi
    exit 0

Without 'exit 0' an rpm installation will report errors if the test is not satisfied. The same 'exit 0', or an equivalent like ':', is missing in scriptlets for the 'policy' package.
Ok added your fixes in policy-1.10.2-5

Dan
After thinking about these a bit more I believe now that the %post script in question should really look somewhat like that:

    if [ -x /usr/bin/selinuxenabled ]; then
        make -W /etc/security/selinux/src/policy/users \
            -C /etc/security/selinux/src/policy > /dev/null 2>&1
        /usr/bin/selinuxenabled && \
            make -C /etc/security/selinux/src/policy load
    fi
    exit 0

so 'policy.conf' will be generated when selinux support is installed but not necessarily active at the moment. Comments?
I think this will work? My only concern is whether checkpolicy will work in a non-SELinux environment?

Dan
> My only concern is whether checkpolicy will work ...

If you mean a worry if policy.conf will be properly created if SELinux support is installed but SELinux is not active (selinux=0) then I tried that and it looks fine to me. If SELinux is something totally absent while things like /usr/bin/selinuxenabled are still installed then it seems that you are not worse off than now; but I may be missing something.
Ok I added your changes. They are out on people in policy-1.11.2-5 and will be in tomorrow's build. Nice job. Thanks a lot.

Dan
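
Added example, not part of the original thread or of the package's scriptlets: the shipped guard and the corrected guard from the comments above, run side by side, followed by the later %post layout with and without its trailing 'exit 0'. It assumes /bin/true and /bin/false as stand-ins for an enabled and a disabled /usr/bin/selinuxenabled, replaces both make calls with the no-op ':', and uses a made-up /nonexistent path for the "not installed" case.

```shell
#!/bin/sh
# Stand-ins for /usr/bin/selinuxenabled (assumption of this example):
# /bin/true plays "SELinux enabled", /bin/false plays "SELinux disabled".
ENABLED=/bin/true
DISABLED=/bin/false

# Guard as shipped: after -a the path is a bare string operand, so test only
# checks that it is non-empty. The program is never executed.
guard_as_shipped() {
    if [ -x "$1" -a "$1" ]; then echo load; else echo skip; fi
}

# Guard proposed in the report: the shell runs the program and branches on
# its exit status.
guard_fixed() {
    if [ -x "$1" ] && "$1"; then echo load; else echo skip; fi
}

# The later %post layout, with both make calls replaced by the no-op ':'.
POST_BODY='if [ -x "$1" ]; then
    : "stand-in for the make call that builds policy.conf"
    "$1" && : "stand-in for the make call that loads the policy"
fi'

# Print the exit status rpm would see; $2 is the trailer ("" or "exit 0").
post_status() {
    rc=0
    sh -c "$POST_BODY
$2" sh "$1" || rc=$?
    echo "$rc"
}

# One row per probe: guard decisions, then scriptlet status without/with exit 0.
for probe in "$ENABLED" "$DISABLED" /nonexistent/selinuxenabled; do
    printf '%-30s shipped=%s fixed=%s post=%s post+exit0=%s\n' "$probe" \
        "$(guard_as_shipped "$probe")" "$(guard_fixed "$probe")" \
        "$(post_status "$probe" "")" "$(post_status "$probe" "exit 0")"
done
```

The /bin/false row is the case from the report: the shipped guard still chooses "load", and the later layout exits non-zero unless 'exit 0' follows the 'fi'.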