Bug 185434 - RFE: SELinux policy module support in RPM
Summary: RFE: SELinux policy module support in RPM
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Packaging Toolset Team
QA Contact:
Depends On:
Blocks: 181563
Reported: 2006-03-14 19:53 UTC by Daniel Walsh
Modified: 2015-06-12 11:56 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2015-06-12 11:56:29 UTC
Type: ---


Description Daniel Walsh 2006-03-14 19:53:46 UTC
Description of problem:

We need support for rpm to install the policy module and update the kernel
before placing files down on the system.  It then needs to trigger an update of
file context when complete.

Comment 1 Paul Nasrat 2006-03-14 19:57:30 UTC
Could you give more details of your requirements and expectations?

Comment 2 Daniel Walsh 2006-03-14 20:59:26 UTC
Yes, I was just putting this as a placeholder since I think we need to discuss
this in a meeting.  What I am envisioning right now is something where the
specfile would indicate the policy files

%(policy) myapp.pp

And this file could be placed in some temporary location on the system and a
semodule -i /TMPLOCATION/myapp.pp 
would happen.  This would cause the policy to be rebuilt and reloaded and the
file_context file to be updated.  At this point the rpm would proceed to place
files on disk.

Two problems with this is that if several packages were providing policy, each
one would need to do the semodule thing and this would take a very long time. 
So it would be better if we could put them into some kind of transaction.  So
all policy files get updated first.  Then the RPMs get installed.

Finally as a post install step the file context difference program would be run
to fix any file contexts that had been altered.
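
The ordering proposed in Comment 2 (all policy modules in one transaction, then package files, then a file-context fix-up), sketched as an added example that is not part of the original comment or of rpm itself. The staging directory, the function names and the `DRY_RUN` switch are assumptions made for illustration; `restorecon -R` stands in for the "file context difference program" the comment mentions.

```shell
#!/bin/sh
# Added example: batch every staged policy module into ONE semodule
# transaction, then relabel only the paths the packages own.
# DRY_RUN=1 (default, hypothetical switch) prints the commands instead of
# running them, so the ordering can be inspected without root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build a single "semodule -i a.pp -i b.pp ..." call for all modules in $1,
# so the policy is rebuilt and reloaded once instead of once per package.
install_policy_batch() {
    stage_dir=$1
    set --
    for pp in "$stage_dir"/*.pp; do
        [ -f "$pp" ] || continue      # glob matched nothing, or not a file
        set -- "$@" -i "$pp"
    done
    if [ "$#" -eq 0 ]; then
        echo "no policy modules staged in $stage_dir" >&2
        return 1
    fi
    run semodule "$@"
}

# Post-install step: restore contexts on the paths that were just written.
relabel_paths() {
    [ "$#" -gt 0 ] || return 0
    run restorecon -R "$@"
}

# Order from the comment: policy first, then files, then context fix-up.
policy_transaction() {
    stage_dir=$1; shift
    install_policy_batch "$stage_dir" || return 1
    echo "# (package payloads are unpacked here)"
    relabel_paths "$@"
}
```

If the batched `semodule` call fails, `policy_transaction` stops before any files would be placed, so nothing is written under a policy that did not load.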


Comment 3 Jeff Johnson 2006-03-15 15:07:53 UTC
Extracting myapp.pp from payload in order to do %pretrans is the fundamental design problem.
Adding myapp.pp to metadata bloatery, either through additional tag, or by inlining in %pretrans,
is the dirty and expedient hack. Anything else will require extensive changes, like splitting
into subtransactions, or reading the payload multiple times.

Comment 4 Red Hat Bugzilla 2007-08-21 05:22:30 UTC
User pnasrat's account has been closed

Comment 5 Panu Matilainen 2007-08-22 06:30:11 UTC
Reassigning to owner after bugzilla made a mess, sorry about the noise...

Comment 6 Jon Stanley 2008-04-23 20:28:43 UTC
Adding FutureFeature keyword to RFEs.

Comment 7 Fedora Admin XMLRPC Client 2012-04-13 23:12:07 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 8 Fedora Admin XMLRPC Client 2012-04-13 23:13:57 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 9 Florian Festi 2015-06-12 11:56:29 UTC
Hmm, no news for 9 years...

There is a selinux plugin nowadays. I just assume that it does what is needed. Closing.
