Bug 214605 - Add some SE Linux specific checks
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rpmlint
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ville Skyttä
QA Contact: Fedora Extras Quality Assurance
Reported: 2006-11-08 16:49 UTC by Steve Grubb
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 0.79-1
Last Closed: 2007-02-02 16:07:45 UTC


Attachments
Patch addressing the issues listed above (1.24 KB, patch)
2006-11-08 16:49 UTC, Steve Grubb

Description Steve Grubb 2006-11-08 16:49:02 UTC
Description of problem:
rpmlint does not know about some SE Linux related problems that could exist in
scriptlets. For example, using chcon and runcon requires knowing a policy type -
which could change on a policy upgrade and completely break the scriptlet. I
will attach a patch that detects encoded policy knowledge in scriptlets.

Version-Release number of selected component (if applicable):
rpmlint-0.78

Comment 1 Steve Grubb 2006-11-08 16:49:02 UTC
Created attachment 140668
Patch addressing the issues listed above

Comment 2 Ville Skyttä 2006-11-08 18:37:32 UTC
Thanks.  Could you submit a message that would be displayed when rpmlint is run
with -i/-I?  Ideally, the message should describe what's wrong and what to do
about it.  I'm thinking about something like this, but I'm not knowledgeable
enough about SELinux to write the "what to do about it" part:

  A command which may require intimate knowledge about specific SELinux
  policy types which are subject to change in future policies was found
  in the scriptlet. [Fill here what the packager should do about it.]

Comment 3 Steve Grubb 2006-11-08 18:49:00 UTC
Sure, here's the text slightly modified from above:

  A command which requires intimate knowledge about a specific SELinux
  policy type was found in the scriptlet. These types are subject to change
  on a policy version upgrade. The packager should use the restorecon
  command which queries the currently loaded policy for the correct type.

Comment 4 Ville Skyttä 2006-11-08 19:33:09 UTC
Applied upstream with further minor tweaks as
http://rpmlint.zarb.org/cgi-bin/trac.cgi/changeset/1293, will be in the next
rpmlint release.  Thanks!

Comment 5 Ville Skyttä 2007-02-02 16:07:45 UTC
Done in upcoming 0.79-1.
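
The check discussed in this report, sketched as an added example; this is not the attached patch or rpmlint's own code. It flags chcon and runcon only when they appear in command position in a scriptlet, so comments, quoted strings and restorecon calls pass. The names `check_scriptlet`, `WARNING_ID` and the sample scriptlet are assumptions made for the illustration.

```python
import shlex

# The two commands named in the bug report; both are given an explicit
# SELinux context or type on the command line.
POLICY_DEPENDENT = {"chcon", "runcon"}
# Words after which the shell still expects a command name.
PREFIX_WORDS = {"if", "then", "else", "elif", "do", "while", "until", "!", "exec"}
SEPARATOR_CHARS = set(";|&(")
# Hypothetical warning id for this sketch, not rpmlint's real one.
WARNING_ID = "selinux-type-in-scriptlet"


def _tokens(line):
    """Split one scriptlet line shell-style; '#' comments are dropped."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    try:
        return list(lexer)
    except ValueError:  # quote left open on this line
        return line.split()


def check_scriptlet(tag, body):
    """Return (warning_id, tag, line_no, command) for each chcon/runcon call."""
    findings = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        at_command = True  # the next word is in command position
        for tok in _tokens(line):
            if tok and set(tok) <= SEPARATOR_CHARS:
                at_command = True
            elif at_command and tok not in PREFIX_WORDS:
                name = tok.rsplit("/", 1)[-1]  # accept /usr/bin/chcon too
                if name in POLICY_DEPENDENT:
                    findings.append((WARNING_ID, tag, line_no, name))
                at_command = False
    return findings


# Constructed %post scriptlet, for illustration only.
SAMPLE_POST = """\
# chcon is mentioned in this comment only
/usr/bin/chcon -t httpd_sys_content_t /srv/app
[ -x /sbin/restorecon ] && /sbin/restorecon -R /srv/app
echo "runcon is not invoked here"
if true; then runcon -t initrc_t /usr/sbin/appd; fi
"""

if __name__ == "__main__":
    for finding in check_scriptlet("%post", SAMPLE_POST):
        print(finding)
```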

