The new selinux subpackage adds too many dependencies and hence pulls in a huge amount of extra packages that are not needed to apply a selinux policy. It pulls in dependencies that are python2 based and so we get a bunch of unneeded stuff.

Looking at the commit I don't think we should need any more than the first two lines (and probably only base) because the selinux-policy* packages will already pull in the appropriate dependencies to be able to apply selinux policies.

+Requires(post): selinux-policy-base >= %{selinux_policyver}
+Requires(post): selinux-policy-targeted >= %{selinux_policyver}
+Requires(post): policycoreutils, policycoreutils-python, libselinux-utils

$ dnf upgrade
Last metadata expiration check: 0:29:01 ago on Mon Dec 5 04:35:36 2016.
Dependencies resolved.
================================================================================
 Package                  Arch      Version          Repository            Size
================================================================================
Installing:
 audit-libs-python        armv7hl   2.6.7-1.fc25     fedora                71 k
 checkpolicy              armv7hl   2.5-8.fc25       fedora               264 k
 firewalld-selinux        noarch    0.4.4.2-1.fc25   updates               79 k
 libcgroup                armv7hl   0.41-9.fc25      fedora                63 k
 libselinux-python        armv7hl   2.5-13.fc25      updates              221 k
 libsemanage-python       armv7hl   2.5-8.fc25       fedora               102 k
 policycoreutils-python   armv7hl   2.5-19.fc25      updates-testing      403 k
 python-IPy               noarch    0.81-16.fc25     fedora                42 k
 python-libs              armv7hl   2.7.12-7.fc25    fedora               5.7 M
 setools-libs             armv7hl   3.3.8-12.fc25    fedora               495 k
 sqlite                   armv7hl   3.14.2-1.fc25    fedora               434 k
Upgrading:
 firewalld                noarch    0.4.4.2-1.fc25   updates              454 k
 firewalld-filesystem     noarch    0.4.4.2-1.fc25   updates               68 k
 python3-firewall         noarch    0.4.4.2-1.fc25   updates              351 k

Transaction Summary
================================================================================
Install  11 Packages
Upgrade   3 Packages

Total download size: 8.7 M
Is this ok [y/N]:
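Review bot: the third added line lists policycoreutils-python under Requires(post), and the transaction shown with it installs policycoreutils-python together with python-libs 2.7.12, libselinux-python, libsemanage-python, audit-libs-python, setools-libs and python-IPy. Requires(post) should name only the packages whose binaries the %post scriptlet actually runs; if the scriptlet does not call the Python tools, reduce the line to `Requires(post): policycoreutils, libselinux-utils` and add a spec comment stating which commands each package provides for the scriptlet.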
I have the same problem on rawhide

Upgrading:
 firewall-config          noarch    0.4.4.2-1.fc26   rawhide   153 k
 firewalld                noarch    0.4.4.2-1.fc26   rawhide   454 k
 firewalld-filesystem     noarch    0.4.4.2-1.fc26   rawhide    68 k
 python3-firewall         noarch    0.4.4.2-1.fc26   rawhide   351 k
Installing dependencies:
 audit-libs-python        x86_64    2.6.7-1.fc26     rawhide    77 k
 firewalld-selinux        noarch    0.4.4.2-1.fc26   rawhide    79 k
 libsemanage-python       x86_64    2.5-8.fc26       rawhide   108 k
 policycoreutils-python   x86_64    2.5-19.fc26      rawhide   404 k
 python-IPy               noarch    0.81-16.fc25     rawhide    42 k

There should be just "Requires(post): policycoreutils, libselinux-utils".

Post script in firewalld does not use python bindings and policycoreutils should install correct version of python bindings.
firewalld-selinux should require policycoreutils-python3 instead of policycoreutils-python for newer Fedora versions. According to https://lvrabec-selinux.rhcloud.com/2015/07/07/how-to-create-selinux-product-policy/ it is needed to have the requires post for policycoreutils, policycoreutils-python and libselinux-utils. I will change policycoreutils-python to policycoreutils-python3.
(In reply to Thomas Woerner from comment #2)
> firewalld-selinux should require policycoreutils-python3 instead of
> policycoreutils-python for newer Fedora versions.
>
> According to
> https://lvrabec-selinux.rhcloud.com/2015/07/07/how-to-create-selinux-product-policy/
> it is needed to have the requires post for policycoreutils,
> policycoreutils-python and libselinux-utils.
>
> I will change policycoreutils-python to policycoreutils-python3.

Lukas,
Could you explain why it is necessary to require policycoreutils-python*?

Post scripts do not directly use python bindings. They just use semodule and load_policy from policycoreutils and selinuxenabled from libselinux-utils.
(In reply to Thomas Woerner from comment #2)
> firewalld-selinux should require policycoreutils-python3 instead of
> policycoreutils-python for newer Fedora versions.

I don't believe it should require anything more to apply the policies than is already required by the base policies. Then if components wish to depend on any more functionality they should be able to do so, whether it be py2, py3 or even something like golang or ruby bindings/utils etc. to do so.
Lukas,
It looks like an issue in my blog, that's true. I should fix it. Thanks.

On the other hand, we know about this issue and firewalld-selinux will be reverted.

Thomas,
Please close this issue after the revert. Thanks.
What is the status on getting this fixed? It's not a complex change, yet it's been broken for a number of weeks already.
I think this BZ is fixed by firewalld-0.4.4.2-2.fc26.noarch. Could you confirm and close BZ?
(In reply to Lukas Slebodnik from comment #7)
> I think this BZ is fixed by firewalld-0.4.4.2-2.fc26.noarch.
> Could you confirm and close BZ?

Please push updates to the affected stable releases and put this bug in the update rather than closing it on rawhide as it's not fixed everywhere.
firewalld-0.4.4.2-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-64a6cb01f7
firewalld-0.4.4.2-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0641937c67
firewalld-0.4.4.2-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-64a6cb01f7
firewalld-0.4.4.2-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0641937c67
firewalld-0.4.4.2-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
firewalld-0.4.4.2-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Just wanted to mention that this push to stable was premature as it depends on a SELinux package which is still in updates-testing (https://bodhi.fedoraproject.org/updates/FEDORA-2016-90bd4d7d33).