Bug 1395531 - dnfdaemon package requires many SELinux-related dependencies
Summary: dnfdaemon package requires many SELinux-related dependencies
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dnfdaemon
Version: rawhide
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Neal Gompa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: depchain
TreeView+ depends on / blocked
 
Reported: 2016-11-16 05:54 UTC by Kevin Kofler
Modified: 2017-04-17 20:53 UTC (History)
2 users (show)

Fixed In Version: dnfdaemon-0.3.16-11.fc26 dnfdaemon-0.3.16-3.fc25 dnfdaemon-0.3.16-3.fc24
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-17 20:53:19 UTC
Type: Bug


Attachments (Terms of Use)
dist-git patch fixing this bug (3.33 KB, patch)
2017-03-23 06:45 UTC, Kevin Kofler
no flags Details | Diff

Description Kevin Kofler 2016-11-16 05:54:04 UTC
Description of problem:
The dnfdaemon package drags in many SELinux-related dependencies that are not otherwise needed on a system with SELinux disabled. They are only used to tweak the SELinux policy in %pre and %post, which has no effect whatsoever on such a system.

Version-Release number of selected component (if applicable):
dnfdaemon-0.3.16-2.fc26.noarch
dnfdaemon-0.3.16-2.fc25.noarch
dnfdaemon-0.3.16-1.fc24.noarch
dnfdaemon-0.3.16-1.fc23.noarch

How reproducible:
Always

Steps to Reproduce:
1. Take a minimal system with as much SELinux stuff as possible removed.
2. dnf install dnfdaemon

Actual results:
Installs all of:
audit-libs-python3
checkpolicy
dnfdaemon
libcgroup
libsemanage-python3
policycoreutils-python-utils
policycoreutils-python3
python-IPy-python3
setools-libs

Expected results:
Installs only dnfdaemon.

Additional info:
This is all the more annoying because DNF won't let me remove the dependencies even after the package is installed, even though they are technically only used in %pre and %post.

Some approaches how this could be addressed:
* Could this maybe be handled the way gtk-update-icon-cache is, where the Requires(pre) and Requires(post) are deliberately omitted, just letting it fall to the "|| :" if gtk-update-icon-cache is not installed? If I don't have SELinux, the scriptlet will not do anything anyway.
* Could the scriptlets be split into a -selinux subpackage? Maybe dragged in as a soft dependency (Recommends) that can be excluded?
* Could the required tweaks just be upstreamed into selinux-policy so that the package doesn't have to hack around SELinux stuff at all?

Comment 1 Kevin Kofler 2016-11-16 05:55:38 UTC
(My system is not actually all that minimal at all, but it did have all the SELinux stuff I got away with removing removed.)

Comment 2 Neal Gompa 2016-11-17 12:49:54 UTC
Two valid approaches for SELinux stuff in Fedora:

* Creating a selinux subpackage that provides an SELinux module

* Upstreaming the necessary fixes into selinux-policy

In the former approach, the subpackage must be required by the main package (Fedora policy). This is the way to get it done quickly. The latter approach may take more time, and won't necessarily fix it for everyone, depending on whether selinux-policy changes are backported to all Fedora releases or not.

The way that the SELinux support is done in here is not an acceptable path for Fedora.

There is no approach, short term, that will fix your problem, Kevin.

Comment 3 Kevin Kofler 2016-11-17 13:39:27 UTC
> In the former approach, the subpackage must be required by the main package
> (Fedora policy).

Why would a Recommends not be enough?

Comment 4 Kevin Kofler 2016-11-17 18:58:44 UTC
To elaborate on this, if you use Requires to drag in the -selinux subpackage, you may as well not make a subpackage, it does not buy us anything. If you use Recommends, on the other hand, it allows people to opt out.

Another approach (probably even better) would be to use boolean dependencies (conditional on selinux-policy), but they are not currently allowed in Requires and Recommends due to technical limitations (https://fedoraproject.org/wiki/Packaging:Guidelines#Rich.2FBoolean_dependencies), so you would have to do the reverse:

%package selinux
# note and, not if: http://rpm.org/user_doc/boolean_dependencies.html#cautionary-tale-about-if
Supplements: (dnfdaemon and selinux-policy)
Requires(pre): policycoreutils-python-utils
Requires(post): policycoreutils-python-utils

Comment 5 Fedora Admin XMLRPC Client 2017-03-22 10:11:45 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 6 Fedora Admin XMLRPC Client 2017-03-22 10:21:06 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 7 Neal Gompa 2017-03-22 10:35:42 UTC
If you propose a dist-git patch with the subpackage thing, I'd apply it.

Comment 8 Kevin Kofler 2017-03-23 06:45:31 UTC
Created attachment 1265604 [details]
dist-git patch fixing this bug

Does this look right?

Comment 9 Fedora Update System 2017-03-30 20:11:55 UTC
dnfdaemon-0.3.16-11.fc26 dnfdragora-1.0.0-8.git20170330.f30c75c.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-171efc2a0f

Comment 10 Fedora Update System 2017-03-31 16:51:29 UTC
dnfdaemon-0.3.16-11.fc26, dnfdragora-1.0.0-8.git20170330.f30c75c.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-171efc2a0f

Comment 11 Fedora Update System 2017-04-01 16:41:13 UTC
dnfdaemon-0.3.16-11.fc26 dnfdragora-1.0.0-10.git20170401.d018d08.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-171efc2a0f

Comment 12 Fedora Update System 2017-04-03 03:51:11 UTC
dnfdaemon-0.3.16-11.fc26, dnfdragora-1.0.0-11.git20170401.b97db68.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-171efc2a0f

Comment 13 Fedora Update System 2017-04-03 16:08:10 UTC
dnfdaemon-0.3.16-11.fc26, dnfdragora-1.0.0-11.git20170401.b97db68.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2017-04-15 18:10:11 UTC
dnfdaemon-0.3.16-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6250e8f561

Comment 15 Fedora Update System 2017-04-16 00:53:27 UTC
dnfdaemon-0.3.16-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6250e8f561

Comment 16 Fedora Update System 2017-04-16 08:03:30 UTC
dnfdaemon-0.3.16-3.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a3fe6845d2

Comment 17 Fedora Update System 2017-04-16 20:23:56 UTC
dnfdaemon-0.3.16-3.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2017-04-16 21:23:31 UTC
dnfdaemon-0.3.16-3.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a3fe6845d2

Comment 19 Fedora Update System 2017-04-17 20:53:19 UTC
dnfdaemon-0.3.16-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.