Bug 120476 - Wrong guard in %post scriptlet for policy-sources-1.10.1-4
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy
rawhide
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Brian Brock
triage|leonardjo|closed|rawhide
Reported: 2004-04-09 01:10 EDT by Michal Jaegermann
Modified: 2007-11-30 17:10 EST
Fixed In Version: 1.11.2-5
Doc Type: Bug Fix
Last Closed: 2004-05-10 14:03:38 EDT
Description Michal Jaegermann 2004-04-09 01:10:30 EDT
Description of problem:

The script in question looks as follows:

if [ -x /usr/bin/selinuxenabled -a /usr/bin/selinuxenabled ]; then
	make -C /etc/security/selinux/src/policy > /dev/null 2>&1 
	make -C /etc/security/selinux/src/policy load
fi

The problem is that the guard expression always evaluates to true.
See, for example:

[ -x /bin/false -a /bin/false ] && echo ok || echo no

Yes, I was also surprised and I am not sure how /bin/sh is parsing
that and if that is correct.  OTOH

[ -x /bin/false ] && /bin/false && echo ok || echo no

prints expected and

if [ -x /usr/bin/selinuxenabled ] && /usr/bin/selinuxenabled ; then ..

guard would work.  In the current situation installing policy-sources
while selinux is disabled results in:

cat: /selinux/policyvers: No such file or directory
Can't open '/etc/security/selinux/policy.':  No such file or directory
make: *** [tmp/load] Error 2
make: Leaving directory `/etc/security/selinux/src/policy'
error: %post(policy-sources-1.10.1-4) scriptlet failed, exit status 2

Version-Release number of selected component (if applicable):
policy-sources-1.10.1-4
Comment 1 Michal Jaegermann 2004-04-09 01:18:32 EDT
Oops!  A component correction.
Comment 2 Daniel Walsh 2004-04-09 08:54:19 EDT
Fixed in 1.10.2-3

Dan
Comment 3 Michal Jaegermann 2004-04-10 00:26:02 EDT
Hopefully you are right.  The latest package which I can get so
far is policy-1.10.2-1.  But I figured it out. A test
"[ -x /usr/bin/selinuxenabled -a /usr/bin/selinuxenabled ]" really
means /usr/bin/selinuxenabled has an executable flag set AND
"/usr/bin/selinuxenabled" string is non-empty.  Well ...

There is still a need for the whole thing to look like that

if [ -x /usr/bin/selinuxenabled ] && /usr/bin/selinuxenabled ; then
    # action here
fi
exit 0

Without 'exit 0' an rpm installation will report errors if
the test is not satisfied.  The same 'exit 0', or equivalent like ':',
is missing in scriptlets for 'policy' package.
Comment 4 Daniel Walsh 2004-04-10 07:38:00 EDT
Ok added your fixes in policy-1.10.2-5

Dan
Comment 5 Michal Jaegermann 2004-04-14 15:49:27 EDT
After thinking about these a bit more I believe now that the %post
script in question should really look somewhat like that:

if [ -x /usr/bin/selinuxenabled ]; then 
   make -W /etc/security/selinux/src/policy/users \
        -C /etc/security/selinux/src/policy > /dev/null 2>&1
   /usr/bin/selinuxenabled && \
      make -C /etc/security/selinux/src/policy load 
fi
exit 0

so 'policy.conf' will be generated when selinux support is
installed but not necessarily active at the moment.  Comments?
Comment 6 Daniel Walsh 2004-04-14 17:48:59 EDT
I think this will work?  My only concern is whether checkpolicy will
work in a non-SELinux environment?

Dan
Comment 7 Michal Jaegermann 2004-04-14 21:55:26 EDT
> My only concern is whether checkpolicy will work ...
If you mean a worry if policy.conf will be properly created if
SELinux support is installed but SELinux is not active (selinux=0)
then I tried that and it looks to me fine.  If SELinux is something
totally absent while things like /usr/bin/selinuxenabled still
installed then it seems that you are not worse off than now;
but I may be missing something.
Comment 8 Daniel Walsh 2004-04-14 22:06:24 EDT
Ok I added your changes.  They are out on people in policy-1.11.2-5
and will be in tomorrow's build.  Nice job.

Thanks a lot.

Dan
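
Added example (not part of the original report and not the policy package's own code): the two guards from this bug side by side, plus the exit status of a scriptlet shaped like the final %post from comment 5. /bin/true and /bin/false stand in for /usr/bin/selinuxenabled reporting "enabled" and "disabled"; the function names and the placeholder build/load steps are hypothetical.

```sh
#!/bin/sh
# Added example. /bin/true and /bin/false stand in for /usr/bin/selinuxenabled
# reporting "enabled" and "disabled"; function names are hypothetical.

# Guard as first shipped: "-a" joins "-x FILE" with a bare word, and test(1)
# treats a bare word as "string is non-empty". The program is never executed.
broken_guard() {
    if [ -x "$1" -a "$1" ]; then echo run; else echo skip; fi
}

# Corrected guard: test checks only the executable bit, then the shell runs
# the program and its exit status decides.
fixed_guard() {
    if [ -x "$1" ] && "$1"; then echo run; else echo skip; fi
}

# Exit status of a scriptlet shaped like the %post from comment 5: a build
# step, then "STATUS_CMD && load step" as the last command inside the if.
# $1 = status command, $2 = optional trailing line such as "exit 0".
post_status() {
    status=0
    sh -c "
if [ -x '$1' ]; then
    : build step placeholder
    '$1' && : load step placeholder
fi
$2" >/dev/null 2>&1 || status=$?
    echo "$status"
}

for f in /bin/true /bin/false; do
    echo "$f: broken=$(broken_guard "$f") fixed=$(fixed_guard "$f")"
done
echo "disabled, no exit 0:   status $(post_status /bin/false)"
echo "disabled, with exit 0: status $(post_status /bin/false 'exit 0')"
```

With the status command failing as the last command in the if body, the scriptlet's own exit status is non-zero unless a trailing 'exit 0' (or ':') follows, which is what rpm reports as a failed scriptlet.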
