Bug 185434 - RFE: SELinux policy module support in RPM
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Fedora Packaging Toolset Team
Keywords: FutureFeature
Blocks: 181563
Reported: 2006-03-14 14:53 EST by Daniel Walsh
Modified: 2015-06-12 07:56 EDT

Doc Type: Enhancement
Last Closed: 2015-06-12 07:56:29 EDT
Description Daniel Walsh 2006-03-14 14:53:46 EST
Description of problem:

We need support for rpm to install the policy module and update the kernel
before placing files down on the system.  It then needs to trigger an update of
file context when complete.
Comment 1 Paul Nasrat 2006-03-14 14:57:30 EST
Could you give more details of your requirements and expectations?
Comment 2 Daniel Walsh 2006-03-14 15:59:26 EST
Yes I was just putting this as a place holder since I think we need to discuss
this in a meeting.  What I am envisioning right now, is something where the
specfile would indicate the policy files

%(policy) myapp.pp

And this file could be placed in some temporary location on the system and a
semodule -i /TMPLOCATION/myapp.pp 
would happen.  This would cause the policy to be rebuilt and reloaded and the
file_context file to be updated.  At this point the rpm would proceed to place
files on disk.

Two problems with this is that if several packages were providing policy, each
one would need to do the semodule thing and this would take a very long time. 
So it would be better if we could put them into some kind of transaction.  So
all policy files get updated first.  Then the RPMs get installed.

Finally as a post install step the file context difference program would be run
to fix any file contexts that had been altered.

Dan
Comment 3 Jeff Johnson 2006-03-15 10:07:53 EST
Extracting myapp.pp from payload in order to do %pretrans is the fundamental design problem.
Adding myapp.pp to metadata bloatery, either through additional tag, or by inlining in %pretrans,
is the dirty and expedient hack. Anything else will require extensive changes, like splitting
into subtransactions, or reading the payload multiple times.
Comment 4 Red Hat Bugzilla 2007-08-21 01:22:30 EDT
User pnasrat@redhat.com's account has been closed
Comment 5 Panu Matilainen 2007-08-22 02:30:11 EDT
Reassigning to owner after bugzilla made a mess, sorry about the noise...
Comment 6 Jon Stanley 2008-04-23 16:28:43 EDT
Adding FutureFeature keyword to RFEs.
Comment 7 Fedora Admin XMLRPC Client 2012-04-13 19:12:07 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 8 Fedora Admin XMLRPC Client 2012-04-13 19:13:57 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 9 Florian Festi 2015-06-12 07:56:29 EDT
Hmm, no news for 9 years...

There is a selinux plugin nowadays. I just assume that it does what is needed. Closing.
