As discussed in bug 230512, rpmlint's forbidden-selinux-command-* checks could be improved to detect more cases where "knowledge" of various SELinux types is embedded in specfiles. Such commands which are not currently flagged include:
- semanage with -t/--type
What about these?
- semanage with -r/--range
- semanage with -s/--seuser
- semanage with -P/--prefix
- semanage with -R/--role
- semanage with -T/--trans
See also the original bug for forbidden SELinux commands: bug 214605.
The -I message rpmlint gives should probably also be adjusted; if a package needs to modify the policy, restorecon alone doesn't accomplish that.
Adding FutureFeature keyword to RFEs.
Steve, you reported bug 214605 earlier - do you have any comments on this?
Yes, it would be good to catch any knowledge of policy in spec files. Policy could change at any time and the types, role, and ranges be suddenly obsolete.
Thanks, Steve. So if I understand you correctly, we'd want an error message from rpmlint if semanage is used with -t, --type, -R, --role, -r, or --range. Are there legitimate use cases for semanage with some of its other arguments in scriptlets, or should we output the error message for every semanage use, no matter what the arguments to it are?
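A sketch of the check under discussion, added here as an illustration; it is not rpmlint's code and not part of any comment in this thread. The function name, the default option set (the -t/-R/-r group named in the comment above) and the sample scriptlet are assumptions constructed for the example.

```python
import shlex

# Assumed default: the options named in the comment above. The -s/--seuser,
# -P/--prefix and -T/--trans options from the first comment can be passed in.
DEFAULT_FLAGGED = {"-t": "--type", "-R": "--role", "-r": "--range"}
SEPARATORS = {";", "&&", "||", "|", "&"}

# Constructed sample scriptlet, not taken from a real package.
SAMPLE = """%post
# label the content directory
semanage fcontext -a -t httpd_sys_content_t '/srv/example(/.*)?' 2>/dev/null || :
restorecon -R /srv/example || :
%{_sbindir}/semanage login -a --range=s0-s0:c0.c1023 exampleuser
semanage fcontext -d '/srv/example(/.*)?'
"""


def flagged_semanage_options(spec_text, flagged=DEFAULT_FLAGGED):
    """Return (line_number, option, line) for each flagged semanage option."""
    long_names = set(flagged.values())
    findings = []
    for lineno, raw in enumerate(spec_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            tokens = line.split()
        in_semanage = False
        for tok in tokens:
            if tok in SEPARATORS:
                in_semanage = False  # the next command is not semanage
            elif tok.rsplit("/", 1)[-1] == "semanage":
                in_semanage = True  # also matches %{_sbindir}/semanage
            elif in_semanage and tok.startswith("--"):
                name = tok.split("=", 1)[0]  # handles --type=foo_t
                if name in long_names:
                    findings.append((lineno, name, line))
            elif in_semanage and tok[:1] == "-" and tok[:2] in flagged:
                # exact short option or attached value (-tfoo_t);
                # bundled flags such as -at are not decoded here
                findings.append((lineno, flagged[tok[:2]], line))
    return findings


if __name__ == "__main__":
    for lineno, option, line in flagged_semanage_options(SAMPLE):
        print(f"line {lineno}: semanage used with {option}: {line}")
```

The restorecon -R line in the sample is not reported, because options are only examined while they belong to a semanage invocation.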
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This package has changed maintainer in the Fedora. Reassigning to the new maintainer of this component.
I think we can close this.