Bug 1401378 - firewalld 0.4.4.2 incorrectly pulls in python2 dependencies due to selinux sub package [NEEDINFO]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: depchain
Reported: 2016-12-05 05:08 UTC by Peter Robinson
Modified: 2017-01-08 02:46 UTC (History)

Fixed In Version: firewalld-0.4.4.2-2.fc25 firewalld-0.4.4.2-2.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-31 06:50:28 UTC
Type: Bug
pbrobinson: needinfo? (twoerner)
lslebodn: needinfo? (twoerner)



Description Peter Robinson 2016-12-05 05:08:32 UTC
The new selinux subpackage adds too many dependencies and hence pulls in a huge amount of extra packages that are not needed to apply a selinux policy. It pulls in dependencies that are python2 based and so we get a bunch of unneeded stuff.

Looking at the commit I don't think we should need any more than the first two lines (and probably only base) because the selinux-policy* packages will already pull in the appropriate dependencies to be able to apply selinux policies.

+Requires(post): selinux-policy-base >= %{selinux_policyver}
+Requires(post): selinux-policy-targeted >= %{selinux_policyver}
+Requires(post): policycoreutils, policycoreutils-python, libselinux-utils
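
Review bot: The third added line, Requires(post): policycoreutils, policycoreutils-python, libselinux-utils, is the one that widens the install set: policycoreutils-python appears in the dnf transaction below together with python-libs 2.7.12, libselinux-python, libsemanage-python and the other Python 2 packages. Limit Requires(post) to the packages whose binaries the %post scriptlet actually invokes, and drop policycoreutils-python unless the scriptlet calls a tool shipped in it.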

$ dnf upgrade
Last metadata expiration check: 0:29:01 ago on Mon Dec  5 04:35:36 2016.
Dependencies resolved.
================================================================================
 Package                  Arch      Version             Repository         Size
================================================================================
Installing:
 audit-libs-python        armv7hl   2.6.7-1.fc25        fedora             71 k
 checkpolicy              armv7hl   2.5-8.fc25          fedora            264 k
 firewalld-selinux        noarch    0.4.4.2-1.fc25      updates            79 k
 libcgroup                armv7hl   0.41-9.fc25         fedora             63 k
 libselinux-python        armv7hl   2.5-13.fc25         updates           221 k
 libsemanage-python       armv7hl   2.5-8.fc25          fedora            102 k
 policycoreutils-python   armv7hl   2.5-19.fc25         updates-testing   403 k
 python-IPy               noarch    0.81-16.fc25        fedora             42 k
 python-libs              armv7hl   2.7.12-7.fc25       fedora            5.7 M
 setools-libs             armv7hl   3.3.8-12.fc25       fedora            495 k
 sqlite                   armv7hl   3.14.2-1.fc25       fedora            434 k
Upgrading:
 firewalld                noarch    0.4.4.2-1.fc25      updates           454 k
 firewalld-filesystem     noarch    0.4.4.2-1.fc25      updates            68 k
 python3-firewall         noarch    0.4.4.2-1.fc25      updates           351 k

Transaction Summary
================================================================================
Install  11 Packages
Upgrade   3 Packages

Total download size: 8.7 M
Is this ok [y/N]:

Comment 1 Lukas Slebodnik 2016-12-05 07:43:07 UTC
I have the same problem on rawhide

Upgrading:
 firewall-config             noarch      0.4.4.2-1.fc26      rawhide      153 k
 firewalld                   noarch      0.4.4.2-1.fc26      rawhide      454 k
 firewalld-filesystem        noarch      0.4.4.2-1.fc26      rawhide       68 k
 python3-firewall            noarch      0.4.4.2-1.fc26      rawhide      351 k
Installing dependencies:
 audit-libs-python           x86_64      2.6.7-1.fc26        rawhide       77 k
 firewalld-selinux           noarch      0.4.4.2-1.fc26      rawhide       79 k
 libsemanage-python          x86_64      2.5-8.fc26          rawhide      108 k
 policycoreutils-python      x86_64      2.5-19.fc26         rawhide      404 k
 python-IPy                  noarch      0.81-16.fc25        rawhide       42 k

There should be just "Requires(post): policycoreutils, libselinux-utils".
The post script in firewalld does not use python bindings, and policycoreutils should
install the correct version of the python bindings.

Comment 2 Thomas Woerner 2016-12-05 12:04:29 UTC
firewalld-selinux should require policycoreutils-python3 instead of policycoreutils-python for newer Fedora versions.

According to https://lvrabec-selinux.rhcloud.com/2015/07/07/how-to-create-selinux-product-policy/ it is needed to have the requires post for policycoreutils, policycoreutils-python and libselinux-utils.

I will change policycoreutils-python to policycoreutils-python3.

Comment 3 Lukas Slebodnik 2016-12-05 12:10:31 UTC
(In reply to Thomas Woerner from comment #2)
> firewalld-selinux should require policycoreutils-python3 instead of
> policycoreutils-python for newer Fedora versions.
> 
> According to
> https://lvrabec-selinux.rhcloud.com/2015/07/07/how-to-create-selinux-product-policy/
> it is needed to have the requires post for policycoreutils,
> policycoreutils-python and libselinux-utils.
> 
> I will change policycoreutils-python to policycoreutils-python3.
Lukas
Could you explain why it is necessary to require policycoreutils-python*?
Post scripts do not directly use python bindings.
It just uses semodule, load_policy from policycoreutils and  selinuxenabled from libselinux-utils.
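
The check described in comment 3, as an added example that is not part of the original thread or of firewalld's packaging: derive the packages a %post scriptlet needs from the commands it runs, then compare them with the declared Requires(post) line. SAMPLE_POST, example.pp and the function names are constructed for illustration; the command-to-package mapping is the one stated in comment 3.

```shell
#!/bin/sh
# Added example. SAMPLE_POST is a constructed %post scriptlet, not firewalld's.
SAMPLE_POST='
# load the module only when SELinux is enabled
if /usr/sbin/selinuxenabled; then
    semodule -n -s targeted -i /usr/share/selinux/packages/example.pp
    load_policy
fi
'
# The Requires(post) line quoted in the bug description.
DECLARED='policycoreutils, policycoreutils-python, libselinux-utils'

# Command -> owning package, as named in comment 3. On an installed system
# the lookup would be: rpm -qf --qf '%{NAME}\n' "$(command -v "$cmd")"
owner_of() {
    case "$1" in
        semodule|load_policy) echo policycoreutils ;;
        selinuxenabled)       echo libselinux-utils ;;
        *)                    return 1 ;;   # builtin, keyword or argument
    esac
}

# Read a scriptlet on stdin, print the packages it needs (comma separated).
scriptlet_requires() {
    sed 's/#.*//' | tr -cs 'A-Za-z0-9_-' '\n' | while read -r word; do
        owner_of "$word" || true
    done | sort -u | paste -sd, -
}

# Print declared packages ($1) that are absent from the needed set ($2).
unneeded_requires() {
    echo "$1" | tr -d ' ' | tr ',' '\n' | while read -r pkg; do
        case ",$2," in
            *",$pkg,"*) ;;
            *) echo "$pkg" ;;
        esac
    done | paste -sd, -
}

needed=$(printf '%s\n' "$SAMPLE_POST" | scriptlet_requires)
echo "needed by scriptlet: $needed"
echo "declared but unused: $(unneeded_requires "$DECLARED" "$needed")"
```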

Comment 4 Peter Robinson 2016-12-05 12:48:08 UTC
(In reply to Thomas Woerner from comment #2)
> firewalld-selinux should require policycoreutils-python3 instead of
> policycoreutils-python for newer Fedora versions.

I don't believe it should require anything more to apply the policies than is already required by the base policies. Then if components wish to depend on any more functionality they should be able to do so whether it be py2, py3 or even something like golang or ruby bindings/utils etc to do so.

Comment 5 Lukas Vrabec 2016-12-06 15:50:56 UTC
Lukas,
It looks like an issue in my blog, that's true. I should fix it.
Thanks.

On the other hand, we know about this issue and firewalld-selinux will be reverted.

Thomas,
Please close this issue after the revert.

Thanks.

Comment 6 Peter Robinson 2016-12-20 07:20:16 UTC
What is the status on getting this fixed? It's not a complex change, yet it has been broken for a number of weeks already.

Comment 7 Lukas Slebodnik 2016-12-22 23:18:40 UTC
I think this BZ is fixed by firewalld-0.4.4.2-2.fc26.noarch.
Could you confirm and close BZ?

Comment 8 Peter Robinson 2016-12-23 00:38:47 UTC
(In reply to Lukas Slebodnik from comment #7)
> I think this BZ is fixed by firewalld-0.4.4.2-2.fc26.noarch.
> Could you confirm and close BZ?

Please push updates to the affected stable releases and put this bug in the update rather than closing it on rawhide as it's not fixed everywhere.

Comment 9 Fedora Update System 2016-12-28 01:36:18 UTC
firewalld-0.4.4.2-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-64a6cb01f7

Comment 10 Fedora Update System 2016-12-28 01:36:26 UTC
firewalld-0.4.4.2-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0641937c67

Comment 11 Fedora Update System 2016-12-28 22:50:09 UTC
firewalld-0.4.4.2-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-64a6cb01f7

Comment 12 Fedora Update System 2016-12-29 00:50:08 UTC
firewalld-0.4.4.2-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0641937c67

Comment 13 Fedora Update System 2016-12-31 06:50:28 UTC
firewalld-0.4.4.2-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2017-01-06 21:49:55 UTC
firewalld-0.4.4.2-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Felix Schwarz 2017-01-07 21:30:33 UTC
Just wanted to mention that this push to stable was premature as it depends on a SELinux package which is still in updates-testing (https://bodhi.fedoraproject.org/updates/FEDORA-2016-90bd4d7d33).

