Description of problem: The dnfdaemon package drags in many SELinux-related dependencies that are not otherwise needed on a system with SELinux disabled. They are only used to tweak the SELinux policy in %pre and %post, which has no effect whatsoever on such a system. Version-Release number of selected component (if applicable): dnfdaemon-0.3.16-2.fc26.noarch dnfdaemon-0.3.16-2.fc25.noarch dnfdaemon-0.3.16-1.fc24.noarch dnfdaemon-0.3.16-1.fc23.noarch How reproducible: Always Steps to Reproduce: 1. Take a minimal system with as much SELinux stuff as possible removed. 2. dnf install dnfdaemon Actual results: Installs all of: audit-libs-python3 checkpolicy dnfdaemon libcgroup libsemanage-python3 policycoreutils-python-utils policycoreutils-python3 python-IPy-python3 setools-libs Expected results: Installs only dnfdaemon. Additional info: This is all the more annoying because DNF won't let me remove the dependencies even after the package is installed, even though they are technically only used in %pre and %post. Some approaches how this could be addressed: * Could this maybe be handled the way gtk-update-icon-cache is, where the Requires(pre) and Requires(post) are deliberately omitted, just letting it fall to the "|| :" if gtk-update-icon-cache is not installed? If I don't have SELinux, the scriptlet will not do anything anyway. * Could the scriptlets be split into a -selinux subpackage? Maybe dragged in as a soft dependency (Recommends) that can be excluded? * Could the required tweaks just be upstreamed into selinux-policy so that the package doesn't have to hack around SELinux stuff at all?
(My system is not actually all that minimal at all, but it did have all the SELinux stuff I got away with removing removed.)
Two valid approaches for SELinux stuff in Fedora: * Creating a selinux subpackage that provides an SELinux module * Upstreaming the necessary fixes into selinux-policy In the former approach, the subpackage must be required by the main package (Fedora policy). This is the way to get it done quickly. The latter approach may take more time, and won't necessarily fix it for everyone, depending on whether selinux-policy changes are backported to all Fedora releases or not. The way that the SELinux support is done in here is not an acceptable path for Fedora. There is no approach, short term, that will fix your problem, Kevin.
> In the former approach, the subpackage must be required by the main package > (Fedora policy). Why would a Recommends not be enough?
To elaborate on this, if you use Requires to drag in the -selinux subpackage, you may as well not make a subpackage, it does not buy us anything. If you use Recommends, on the other hand, it allows people to opt out. Another approach (probably even better) would be to use boolean dependencies (conditional on selinux-policy), but they are not currently allowed in Requires and Recommends due to technical limitations (https://fedoraproject.org/wiki/Packaging:Guidelines#Rich.2FBoolean_dependencies), so you would have to do the reverse: %package selinux # note and, not if: http://rpm.org/user_doc/boolean_dependencies.html#cautionary-tale-about-if Supplements: (dnfdaemon and selinux-policy) Requires(pre): policycoreutils-python-utils Requires(post): policycoreutils-python-utils
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
If you propose a dist-git patch with the subpackage thing, I'd apply it.
Created attachment 1265604 [details] dist-git patch fixing this bug Does this look right?
dnfdaemon-0.3.16-11.fc26 dnfdragora-1.0.0-8.git20170330.f30c75c.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-171efc2a0f
dnfdaemon-0.3.16-11.fc26, dnfdragora-1.0.0-8.git20170330.f30c75c.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-171efc2a0f
dnfdaemon-0.3.16-11.fc26 dnfdragora-1.0.0-10.git20170401.d018d08.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-171efc2a0f
dnfdaemon-0.3.16-11.fc26, dnfdragora-1.0.0-11.git20170401.b97db68.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-171efc2a0f
dnfdaemon-0.3.16-11.fc26, dnfdragora-1.0.0-11.git20170401.b97db68.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
dnfdaemon-0.3.16-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6250e8f561
dnfdaemon-0.3.16-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6250e8f561
dnfdaemon-0.3.16-3.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a3fe6845d2
dnfdaemon-0.3.16-3.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
dnfdaemon-0.3.16-3.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a3fe6845d2
dnfdaemon-0.3.16-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.