Spec URL: https://fedorapeople.org/~plautrba/selinux-policy-epel/selinux-policy-epel.spec SRPM URL: https://fedorapeople.org/~plautrba/selinux-policy-epel/selinux-policy-epel-40.13.26-1.fc43.src.rpm Description: SELinux policy for EPEL packages Fedora Account System Username: plautrba
Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated [ ] = Manual review needed ===== MUST items ===== [!] selinux-policy-epel.spec:123 should probably use %{_datadir}/selinux/mls/epel-modules.lst instead of %{_datadir}/selinux/targeted/epel-modules.lst Running scriptlet: selinux-policy-epel-mls-40.13.26-1.el10.noarch 4/5 sed: can't read /usr/share/selinux/targeted/epel-modules.lst: No such file or directory semodule: option requires an argument -- 'i' usage: semodule [option]... MODE... Generic: [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. GPL-2.0 [x]: License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "GNU General Public License, Version 2", "Unknown or generated", "GNU General Public License v2.0 or later", "*No copyright* GNU General Public License". 3446 files have unknown license. GPL-2.0-or-later [!]: License file installed when any subpackage combination is installed. selinux-policy-epel-devel has no dependencies and does not contain a license file - it should probably require selinux-policy-epel selinux-policy-epel-targeted and selinux-policy-epel-mls require selinux-policy-targeted and selinux-policy-mls respectively, which both require selinux-policy, which installs the same license file as selinux-policy-epel (not sure it they should also require selinux-policy-epel) [x]: Package requires other packages for directories it uses. Note: No known owner of /var/lib/selinux/targeted/active/modules/200 and /var/lib/selinux/mls/active/modules/200 ^^^ should be fine since selinux-policy-targeted and selinux-policy-mls own /var/lib/selinux/targeted/active/modules and /var/lib/selinux/mls/active/modules respectively [!]: Package must own all directories that it creates. Note: Directories without known owners: /usr/share/selinux, /usr/share/selinux/devel, /var/lib/selinux/mls/active/modules/200, /var/lib/selinux/targeted/active/modules/200 /usr/share/selinux and /usr/share/selinux/devel are owned by selinux-policy, which should be required by selinux-policy-epel-devel [x]: Package does not own files or directories owned by other packages. Note: Dirs in package are owned also by: /usr/share/selinux/devel/include(selinux-policy-devel, tpm2-abrmd- selinux, container-selinux, qm) [x]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. [x]: Sources contain only permissible code or content. [-]: Package contains desktop file if it is a GUI application. [x]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [-]: If the package is a rename of another package, proper Obsoletes and Provides are present. [!]: Requires correct, justified where necessary. selinux-policy-epel-devel should require selinux-policy-epel [x]: Spec file is legible and written in American English. [-]: Package contains systemd file(s) if in need. [x]: Package is not known to require an ExcludeArch tag. [x]: Package complies to the Packaging Guidelines [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [!]: Package installs properly. selinux-policy-epel-mls fails without selinux-policy-epel-targeted (typo noted above) [x]: Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). Errors: Missing description tags no documentation (provided by selinux-policy-devel and selinux-policy-doc) selinux-policy-epel-devel.noarch: E: non-executable-script /usr/share/selinux/devel/include/include/support/segenxml.py 644 /usr/bin/python incorrect-fsf-address in /usr/share/licenses/selinux-policy-epel/COPYING [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. [x]: The License field must be a valid SPDX expression. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package must not depend on deprecated() packages. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package does not use a name that already exists. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 0 bytes in 0 files. [x]: Packages must not store files under /srv, /opt or /usr/local ===== SHOULD items ===== Generic: [-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [x]: Final provides and requires are sane (see attachments). [-]: Fully versioned dependency in subpackages if applicable. Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in selinux- policy-epel-targeted , selinux-policy-epel-mls , selinux-policy-epel- devel [x]: Package functions as described. [x]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [x]: Scriptlets must be sane, if used. [-]: Sources are verified with gpgverify first in %prep if upstream publishes signatures. Note: gpgverify is not used. [x]: Package should compile and build into binary rpms on all supported architectures. [!]: %check is present and all tests pass. [x]: Packages should try to preserve timestamps of original installed files. [!]: Spec use %global instead of %define unless justified. Note: %define requiring justification: %define makeConf() %make_build -C %1 %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare %make_build -C %1 %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf install -p -m0644 ./%1/dist/%1/booleans.conf ./%1/policy/booleans.conf install -p -m0644 ./%1/dist/%1/users ./%1/policy/users # install -p -m0644 ./%1/dist/%1/modules.conf ./%1/policy/modules.conf %{SOURCE3} %{SOURCE2} ./%1/dist/%1/modules.conf enabled > ./%1/policy/modules.conf, %define makeModules() %make_build -C %1 %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp %make_build -C %1 %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 modules, %define makeInstall() %make_build -C %1 %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install [x]: Reviewer should test that the package builds in mock. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: Sources can be downloaded from URI in Source: tag [x]: SourceX is a working URL. ===== EXTRA items ===== Generic: [!]: Spec file according to URL is the same as in SRPM. Note: Spec file as given by url is not the same as in SRPM (see attached diff). [x]: Rpmlint is run on all installed packages. Note: There are rpmlint messages (see attachment).
(In reply to Vit Mojzis from comment #2) > ===== MUST items ===== > [!] selinux-policy-epel.spec:123 should probably use > %{_datadir}/selinux/mls/epel-modules.lst instead of > %{_datadir}/selinux/targeted/epel-modules.lst > Running scriptlet: selinux-policy-epel-mls-40.13.26-1.el10.noarch > 4/5 > sed: can't read /usr/share/selinux/targeted/epel-modules.lst: No such > file or directory > semodule: option requires an argument -- 'i' > usage: semodule [option]... MODE... @@ -116,7 +117,7 @@ fi %selinux_relabel_pre -s mls %post mls -sed 's#^\(.*\)$#%{_datadir}/selinux/mls/\1.pp#' %{_datadir}/selinux/targeted/epel-modules.lst | xargs semodule -n -s mls -X 200 -i || : +sed 's#^\(.*\)$#%{_datadir}/selinux/mls/\1.pp#' %{_datadir}/selinux/mls/epel-modules.lst | xargs semodule -n -s mls -X 200 -i || : selinuxenabled && load_policy || : %posttrans mls > [!]: License file installed when any subpackage combination is installed. > selinux-policy-epel-devel has no dependencies and does not contain a > license file - it should probably require selinux-policy-epel > selinux-policy-epel-targeted and selinux-policy-epel-mls require > selinux-policy-targeted and selinux-policy-mls respectively, which > both require selinux-policy, which installs the same license file as > selinux-policy-epel (not sure it they should also require > selinux-policy-epel) @@ -37,6 +37,7 @@ Requires: selinux-policy-mls %package devel Summary: SELinux targeted policy for EPEL packages - header files +Requires: selinux-policy-devel %description devel > [!]: Package must own all directories that it creates. > Note: Directories without known owners: /usr/share/selinux, > /usr/share/selinux/devel, /var/lib/selinux/mls/active/modules/200, > /var/lib/selinux/targeted/active/modules/200 > /usr/share/selinux and /usr/share/selinux/devel are owned by > selinux-policy, which should be required by selinux-policy-epel-devel @@ -135,10 +136,12 @@ fi %license targeted/COPYING %files targeted -f %{_builddir}/targeted-epelmodules.lst +%dir %{_sharedstatedir}/selinux/active/active/200 %{_datadir}/selinux/targeted/epel-modules.lst %{_datadir}/selinux/targeted/*.pp %files mls -f %{_builddir}/mls-epelmodules.lst +%dir %{_sharedstatedir}/selinux/mls/active/200 %{_datadir}/selinux/mls/epel-modules.lst %{_datadir}/selinux/mls/*.pp > [!]: Requires correct, justified where necessary. > selinux-policy-epel-devel should require selinux-policy-epel @@ -37,6 +37,7 @@ Requires: selinux-policy-mls %package devel Summary: SELinux targeted policy for EPEL packages - header files +Requires: selinux-policy-devel %description devel > [!]: Package installs properly. > selinux-policy-epel-mls fails without selinux-policy-epel-targeted (typo > noted above) see above > [!]: Spec use %global instead of %define unless justified. > Note: %define requiring justification: %define makeConf() %make_build > -C %1 %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare %make_build -C > %1 %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf install -p -m0644 > ./%1/dist/%1/booleans.conf ./%1/policy/booleans.conf install -p -m0644 > ./%1/dist/%1/users ./%1/policy/users # install -p -m0644 > ./%1/dist/%1/modules.conf ./%1/policy/modules.conf %{SOURCE3} > %{SOURCE2} ./%1/dist/%1/modules.conf enabled > > ./%1/policy/modules.conf, %define makeModules() %make_build -C %1 > %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp %make_build -C %1 > %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 modules, %define > makeInstall() %make_build -C %1 %common_params UNK_PERMS=%3 NAME=%1 > TYPE=%2 DESTDIR=%{buildroot} install %define is used for a local macros inside local contexts > Generic: > [!]: Spec file according to URL is the same as in SRPM. > Note: Spec file as given by url is not the same as in SRPM (see > attached diff). > [x]: Rpmlint is run on all installed packages. > Note: There are rpmlint messages (see attachment). updated: Spec URL: https://fedorapeople.org/~plautrba/selinux-policy-epel/selinux-policy-epel.spec SRPM URL: https://fedorapeople.org/~plautrba/selinux-policy-epel/selinux-policy-epel-40.13.26-1.fc43.src.rpm Description: SELinux policy for EPEL packages Fedora Account System Username: plautrba
Copr build: https://copr.fedorainfracloud.org/coprs/build/8698251 (failed) Build log: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2346531-selinux-policy-epel/fedora-rawhide-x86_64/08698251-selinux-policy-epel/builder-live.log.gz Please make sure the package builds successfully at least for Fedora Rawhide. - If the build failed for unrelated reasons (e.g. temporary network unavailability), please ignore it. - If the build failed because of missing BuildRequires, please make sure they are listed in the "Depends On" field --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Spec URL: https://fedorapeople.org/~plautrba/selinux-policy-epel/selinux-policy-epel.spec SRPM URL: https://fedorapeople.org/~plautrba/selinux-policy-epel/selinux-policy-epel-40.13.26-1.fc43.src.rpm [fedora-review-service-build]
Created attachment 2077800 [details] The .spec file difference from Copr build 8698251 to 8698754
Copr build: https://copr.fedorainfracloud.org/coprs/build/8698754 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2346531-selinux-policy-epel/fedora-rawhide-x86_64/08698754-selinux-policy-epel/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Created attachment 2077937 [details] The .spec file difference from Copr build 8698754 to 8702797
Copr build: https://copr.fedorainfracloud.org/coprs/build/8702797 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2346531-selinux-policy-epel/fedora-rawhide-x86_64/08702797-selinux-policy-epel/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Umm, hey folks? What's going on here? This package effectively conflicts with selinux-policy in base, so this package is currently not allowed to land in EPEL.
I share Neal's concerns. The -epel suffix is reserved for packages that provide missing RHEL/CentOS subpackages. https://docs.fedoraproject.org/en-US/epel/epel-policy-missing-sub-packages/ This source package is creating binary packages that seem to duplicate packages that are shipped in RHEL/CentOS. * selinux-policy-epel-devel * selinux-policy-epel-mls * selinux-policy-epel-targeted It also seems the selinux-policy-epel-devel package is doing a weird thing to avoid file conflicts with selinux-policy-devel by moving files into /usr/share/selinux/devel/include/include/ (note the double include directory).
This is supposed to be EPEL only package. I have not found any other way how to get it in. It ships only modules which are not shipped in selinux-policy-{targeted,mls} in RHEL therefore there should not be any conflict. > It also seems the selinux-policy-epel-devel package is doing a weird thing to avoid file conflicts with selinux-policy-devel by moving files into /usr/share/selinux/devel/include/include/ (note the double include directory). This is actually a bug and I will address it.
> It ships only modules which are not shipped in selinux-policy-{targeted,mls} in RHEL therefore there should not be any conflict. It should be "are not shipped in selinux-policy-{targeted,mls} in CentOS Stream 10"
> It ships only modules which are not shipped in selinux-policy-{targeted,mls} in CentOS Stream 10 therefore there should not be any conflict $ rpm -qpl selinux-policy-targeted-40.13.26-1.el10.noarch.rpm | sed -n '/100\/[^/]*$/ s#.*/100/##p' | sort > modules-centos.lst $ rpm -qpl selinux-policy-epel-targeted-40.13.26-1.fc43.noarch.rpm | sed -n '/200\/[^/]*$/ s#.*/200/##p' | sort > modules-epel.lst $ uniq -d modules-centos.lst modules-epel.lst $
> This is supposed to be EPEL only package. I have not found any other way how to get it in. EPEL-only packages are fairly rare and should not be needed in most cases. The primary case is for unshipped subpackages, as the docs I linked describes. Why does this need to be EPEL only? Are these policies in the Fedora selinux-policy package? If so, why are they not present in the RHEL package? Can these be included in the RHEL package? > This is actually a bug and I will address it. Once this is fixed, many paths will conflict with the RHEL selinux-policy-devel package, which is not allowed by EPEL policy. We have an exception to allow this only in the narrow use case of providing an alternate version of software for compatibility purposes. This is not the same situation. https://docs.fedoraproject.org/en-US/epel/epel-policy/#policy_for_conflicting_packages
(In reply to Carl George 🤠 from comment #16) > > This is supposed to be EPEL only package. I have not found any other way how to get it in. > > EPEL-only packages are fairly rare and should not be needed in most cases. > The primary case is for unshipped subpackages, as the docs I linked > describes. Why does this need to be EPEL only? Are these policies in the > Fedora selinux-policy package? If so, why are they not present in the RHEL > package? Can these be included in the RHEL package? Fedora is one big repo which contains all packages and Fedora selinux-policy therefore contains modules for all packages and it does not make sense to split it. OTOH since selinux-policy-targeted-40.13.26-1.el10 the policy packages ship only modules related to packages in CentOS Stream resp RHEL. It makes the policy smaller, operation with policy faster and so on. Packages that are in EPEL are supposed to be confined by this selinux-policy-epel package. Therefore this split. Also selinux-policy-epel-{targeted, mls} uses for modules priority 200 instead of 100 as it used in https://fedoraproject.org/wiki/SELinux/IndependentPolicy It makes it clear which module comes from CentOS Stream selinux-policy and which comes from EPEL. > > This is actually a bug and I will address it. > > Once this is fixed, many paths will conflict with the RHEL > selinux-policy-devel package, which is not allowed by EPEL policy. We have > an exception to allow this only in the narrow use case of providing an > alternate version of software for compatibility purposes. This is not the > same situation. > > https://docs.fedoraproject.org/en-US/epel/epel-policy/ > #policy_for_conflicting_packages The fix will be more in sense do not ship interface files from base policy in epel policy and vice versa. Similar to policy subpackage where there's no conflict as demonstrated in #c15. Or maybe i'll drop selinux-policy-epel-devel completely as it would be covered by selinux-policy-devel. Not sure, need to do some investigation.
Spec URL: https://fedorapeople.org/~plautrba/selinux-policy-epel/selinux-policy-epel.spec SRPM URL: https://fedorapeople.org/~plautrba/selinux-policy-epel/selinux-policy-epel-40.13.26-1.fc43.src.rpm [fedora-review-service-build] I've disabled selinux-policy-epel-devel subpackage as all interfaces are currently shipped in CentOS Stream 10. When they are removed, I will re-enable selinux-policy-epel-devel again.
Created attachment 2078062 [details] The .spec file difference from Copr build 8702797 to 8706169
Copr build: https://copr.fedorainfracloud.org/coprs/build/8706169 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2346531-selinux-policy-epel/fedora-rawhide-x86_64/08706169-selinux-policy-epel/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Spec URL: https://fedorapeople.org/~plautrba/selinux-policy-epel/selinux-policy-epel.spec SRPM URL: https://fedorapeople.org/~plautrba/selinux-policy-epel/selinux-policy-epel-40.13.26-1.fc43.src.rpm [fedora-review-service-build] - fixed active/modules dir path - added Supplements: for base packages
Copr build: https://copr.fedorainfracloud.org/coprs/build/8708748 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2346531-selinux-policy-epel/fedora-rawhide-x86_64/08708748-selinux-policy-epel/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Spec URL: https://fedorapeople.org/~plautrba/selinux-policy-epel/selinux-policy-epel.spec SRPM URL: https://fedorapeople.org/~plautrba/selinux-policy-epel/selinux-policy-epel-40.13.26-1.fc43.src.rpm
Created attachment 2078214 [details] The .spec file difference from Copr build 8708748 to 8709736
Copr build: https://copr.fedorainfracloud.org/coprs/build/8709736 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2346531-selinux-policy-epel/fedora-rawhide-x86_64/08709736-selinux-policy-epel/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
All reported issues fixed, approving.
The Pagure repository was created at https://src.fedoraproject.org/rpms/selinux-policy-epel
FEDORA-EPEL-2025-a4ccc862bb (selinux-policy-epel-40.13.26-1.el10_1) has been submitted as an update to Fedora EPEL 10.1. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-a4ccc862bb
FEDORA-EPEL-2025-a4ccc862bb has been pushed to the Fedora EPEL 10.1 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-a4ccc862bb See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2025-a4ccc862bb (selinux-policy-epel-40.13.26-1.el10_1) has been pushed to the Fedora EPEL 10.1 stable repository. If problem still persists, please make note of it in this bug report.