Bug 508922 - Review Request: system-config-selinux - GUI Code for system-config-selinux, polgen, and lockdown
Review Request: system-config-selinux - GUI Code for system-config-selinux, p...
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: David Timms
Fedora Extras Quality Assurance
:
: 504809 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-06-30 10:43 EDT by Christopher Pardy
Modified: 2011-12-17 07:38 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-17 07:38:12 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
dtimms: fedora‑review+


Attachments (Terms of Use)

  None (edit)
Description Christopher Pardy 2009-06-30 10:43:42 EDT
Spec URL: http://users.wpi.edu/~cpardy/rpms/scselinux.spec
SRPM URL: http://users.wpi.edu/~cpardy/rpms/scselinux-0-0.1a.src.rpm
Description: To better conform with the upstream the gui code that was previously in policycoreutils has been moved into it's own package and given a rewrite to use policy kit. This code implements the 3 guis, system-config-selinux polgengui and lockdown. These have in the past been implemented as a patch on fedora systems to the policycoreutils package. This code is not yet feature complete and does not yet have an upstream.
Comment 1 Susi Lehtola 2009-07-13 10:24:12 EDT
A few blockers:

- You are missing the Source URLs and the project URL.

- Requires: python should be dropped, it is automatically picked up by rpm.

- BuildRequires: python should be BuildRequires: python-devel. Also, use the sitelib macro at
http://fedoraproject.org/wiki/Packaging:Python
instead of hard coded paths.

- --vendor fedora is not used anymore. If you need to build in RHEL, use --vendor="".

- Preserve time stamps with install -p.

- You are mixing macro styles. Change the references to $RPM_BUILD_ROOT to %{buildroot} for consistency.
Comment 2 Christopher Pardy 2009-08-10 15:26:59 EDT
Spec URL: http://www.fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux.spec
SRPM URL: http://www.fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux-0.2.tar.gz
Description: To better conform with the upstream the gui code that was
previously in policycoreutils has been moved into it's own package and given a
rewrite to use policy kit. This code implements the 2 guis,
system-config-selinux and polgengui. These have in the past been
implemented as a patch on fedora systems to the policycoreutils package.
Comment 3 Bill Nottingham 2009-08-10 15:31:38 EDT
The description should describe what the package does, not its development history.
Comment 4 Christopher Pardy 2009-08-11 07:14:05 EDT
fixed description, fixed spec file to actually create installable rpm.

Spec URL:
http://www.fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux.spec
SRPM URL:
http://www.fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux-0.2.tar.gz
Description: system-config-selinux provides the graphical tools system-config-selinux and selinux-polgen for managing an SELinux system.
Comment 5 Christopher Pardy 2009-08-14 09:02:27 EDT
If someone could please take a look at this, as today is my last day as an intern here and it would be nice to be able to give some sort of status on this thing. Also actually fixed the SRPM to point to an srpm.

Spec URL:
http://www.fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux.spec

SRPM URL:
system-config-selinux-0.2-2.fc11.src.rpm

Description: system-config-selinux provides the graphical tools
system-config-selinux and selinux-polgen for managing SELinux systems.
Comment 7 Christopher Pardy 2009-08-17 14:27:26 EDT
My RedHat email was deactivated, I'm adding my alternate email as cc.

Spec URL:
http://www.fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux.spec

SRPM URL:
http://www.fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux-0.2-2.fc11.src.rpm

Description: system-config-selinux provides the graphical tools
system-config-selinux and selinux-polgen for managing SELinux systems.
Comment 8 Jason Tibbitts 2009-08-19 15:45:08 EDT
I'm sorry that nobody has looked at this; we have far more review submissions than reviewers, and far too much traffic for anyone to actually follow all of the bugzilla mail.  Posting to fedora-devel or dropping by #fedora-devel and requesting help is the best means of getting something time-sensitive noticed.

However, I tried to take a look, but the package failed to build for me.  It  looks like the makefile calls restorecon, which is not only a really bad idea since I don't think  it works as a regular user and there's no guarantee that the build filesystem supports contexts (think my home dir and NFS).  But I think that it actually fails because policycoreutils isn't installed as nothing in the package actually requires it.

Here's a scratch build showing the failure:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1615432
Comment 9 Christopher Pardy 2009-08-20 08:02:24 EDT
I couldn't get your build log to display, but I think I've added enough build requires for all the python files. I moved the chcon and restorecon to %post, hopefully that works.

Spec URL:
http://www.fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux.spec

SRPM URL:
http://www.fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux-0.2-3.fc11.src.rpm

Description: system-config-selinux provides the graphical tools
system-config-selinux and selinux-polgen for managing SELinux systems.
Comment 10 Daniel Walsh 2009-08-20 08:49:31 EDT
You should not need any restorecon in the post,  rpm should handle this automatically.  Also do not use chcon in a spec file.  They will not survive a relabel.  If you install and the labeling is wrong, then it needs to be fixed in the selinux-policy package.
Comment 11 Christopher Pardy 2009-08-22 09:44:42 EDT
I've removed all the selinux commands, it should now build but requires packages that currently must be built out of koji to run.

Spec URL:
http://www.fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux.spec

SRPM URL:
http://www.fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux-0.2-3.fc11.src.rpm

Description: system-config-selinux provides the graphical tools
system-config-selinux and selinux-polgen for managing SELinux systems.
Comment 12 Daniel Walsh 2009-09-24 22:55:27 EDT
Can we get this approved,  I really want to get it out in Fedora 12.
Comment 13 David Timms 2009-09-27 09:16:36 EDT
(In reply to comment #12)
> Can we get this approved,  I really want to get it out in Fedora 12.  
First step is reviewed / improved ...

(In reply to comment #11)
I don't think I have enough experience to be approving security related packages in Fedora. However, some initial nits:

1. package name differs from web page, so maybe fix the web page from (System-Config-Selinx) !

2. repeated requires:
Requires:	selinux-policy
Requires:	selinux-policy >= 3.6.28-4
-> which is it ?, I don't think it makes sense to have both.

3. Can you confirm that this package replaces policycoreutils-gui ?
Does the new package include all the old package's functionality ?

4. The normal place to put the python_sitelib call is at the top of the .spec, see:
http://fedoraproject.org/wiki/Packaging:Python#System_Architecture

5. description: typo in (graphcial). Perhaps instead of just repeating short names/acronyms, we could have something like spelling out the acronym during first stating of it:
---
This package contains two graphical tools for adjusting the mandatory access
control security settings, as implemented by Security Enhanced Linux (SELinux).
system-config-selinux provides an interface for configuring and managing SELinux, while selinux-polgengui is used to generate SELinux policy modules.
---
-> feel free to improve upon that !

6. For consistency, keep the two-line breaks between sections (for post, clean files, install)

7. Nice to see lines like ln... to be split over two lines, limiting spec to be mostly <= 80 chars wide.

8. avoid use of tab char, space is easier to peruse.

9. changelog: is not in required format:
- space between * and first char of date.
- space between - and item text
- version-release is not included for any entries. (think the space is missing as well, making those entries look weird.
- subprocesss ! 
- lines longer than 80chars.

10. how were the labelling problems fixed (were they added to the -targeted policy) ?

11. Is there any doc files that need to be included ?

12. Who is going to own this package going forward, since it seems the reporter is having trouble keeping the spec file consistent with itself, let alone the fedora packaging standards, is this a time problem ?

13. files: 
-config(noreplace) %{_datadir}/
  -> are people expected to make changes to configuration in /usr/share ?
-%{_sysconfdir}/dbus-1/system.d/org.fedoraproject.selinux.config.conf
  -> is this a file that needs the noreplace, ie are users expected to adjust this (potentially) ?

14. gui tools require icons, are some included, do some need to be requested of the artwork project ?

I haven't explicitly checked Provides nor BuildRequires.
Hopefully this helps move the review a little further on.
Comment 14 Christopher Pardy 2009-09-27 10:58:47 EDT
replies to comment #13 following spec and srpm stuff

Spec URL:
http://www.fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux.spec

SRPM URL:
http://www.fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux-0.2-4.fc11.src.rpm

Description: system-config-selinux provides the graphical tools:
system-config-selinux and selinux-polgen for managing SELinux systems.

1. I made the project name on the wiki lowercase (you can explain to me why that was your first complaint later)

2. fixed

3. yes otherwise I wouldn't have included it in the spec.

4. misunderstood the meaning of "top", fixed.

5. Switched to your description. Maybe I'll think of something better later.

6. 2 line breaks between all sections now.

7. done.

8. fixed.

9. fixed.

10. yes added to policy, noted in comment now.

11. Not yet, I'll submit a docs package when there are.

12. I will maintain ownership.

13. yes this is why I included them in the spec.

14. icon's are included.
Comment 15 David Timms 2009-09-27 18:13:43 EDT
(In reply to comment #14)
> 1. I made the project name on the wiki lowercase (you can explain to me why
> that was your first complaint later)
Either the package name or the web site got the name wrong as
System-Config-Selinx, rather than
System-Config-Selinux
; I assumed it was the web site, but wanted to clarify, I see you fixed the spelling anyhow.

I haven't performed build, functionality, or md5sum checks yet, will do that maybe in the next day.

> 6. 2 line breaks between all sections now.
That looks good, except the changelog entries (they are all one section, and typically have single line breaks between each entry, like the break between sept27 and previous). 

Also, the version on each changelog entry is allowed to be one of:
* Tue Aug 24 2004 Alexander Larsson <alexl@redhat.com> - 2.7.4-2
* Thu Aug 19 2004 Alex Larsson <alexl@redhat.com> 2.7.4-1
see https://fedoraproject.org/wiki/Packaging/Guidelines#Changelogs

You can leave this until there is more to update.
Comment 16 David Timms 2009-10-05 08:18:06 EDT
Had a few cycles to look further at the package...
Additional items to sort out:

15. source0: upstream src location doesn't seem to be correct (or I am doing something wrong):

$ wget http://fedorahosted.org/released/s/y/system-config-selinux/system-config-selinux-0.2.tar.gz
--2009-10-05 21:26:11--  http://fedorahosted.org/released/s/y/system-config-selinux/system-config-selinux-0.2.tar.gz
Resolving fedorahosted.org... 66.135.52.17
Connecting to fedorahosted.org|66.135.52.17|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://fedorahosted.org/released/s/y/system-config-selinux/system-config-selinux-0.2.tar.gz [following]
--2009-10-05 21:26:12--  https://fedorahosted.org/released/s/y/system-config-selinux/system-config-selinux-0.2.tar.gz
Connecting to fedorahosted.org|66.135.52.17|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2009-10-05 21:26:13 ERROR 404: Not Found.
=====
or via web browser:
Environment not found
=====
  this means I can't check the md5sum.

16. builds on f11 with the setools-libs-python from rawhide, OK.

17. rpmlint for .src.rpm:
$ rpmlint /home/davidt/rpmbuild/SRPMS/system-config-selinux-0.2-3.fc11.src.rpm
system-config-selinux.src: W: strange-permission selinux-polgengui.desktop 0755
system-config-selinux.src: W: strange-permission system-config-selinux.desktop 0755
system-config-selinux.src: W: strange-permission system-config-selinux.spec 0755
1 packages and 0 specfiles checked; 0 errors, 3 warnings.

-> change those file's perms to 644 before building the srpm, should solve this.

18. rpmlint for built package:
$ rpmlint /home/davidt/rpmbuild/RPMS/noarch/system-config-selinux-0.2-3.fc11.noarch.rpm
system-config-selinux.noarch: W: incoherent-version-in-changelog -0.2 ['0.2-3.fc11', '0.2-3']
-> as mentioned, need to have the release version matching the current spec release.

system-config-selinux.noarch: E: file-in-usr-marked-as-conffile /usr/share/PolicyKit/policy/org.fedoraproject.selinux.policy
-> I don't know whether in this case this actually makes sense, and would be allowed from the packaging perspective ? 
Is there another package you can point to that does this already ?

system-config-selinux.noarch: W: no-documentation
-> suggest creating at least a basic %doc piece describing basic usage of the two apps.

system-config-selinux.noarch: W: non-conffile-in-etc /etc/dbus-1/system.d/org.fedoraproject.selinux.config.conf
-> is that supposed to be adjustable by the user ie does it need %config, so that a user adjustment won't be overwritten during rpm -U ?

system-config-selinux.noarch: W: empty-%post
-> was there supposed to be something here, like reload of a service or similar ?

1 packages and 0 specfiles checked; 1 errors, 4 warnings.

19. running application:
-> I haven't installed to test. My machine is F11, and doesn't have selinux-policy >= 3.6.28-4. Would installing that version and running it cause issues ?
Comment 17 David Timms 2009-10-05 08:59:46 EDT
Looking at admin.fp.org suggests you have signed the cla, but are not yet in the packager group. This means that you will need a sponsor to oversee your packaging efforts. Unfortunately, I am not a sponsor, so that will have to be someone else. I'm removing myself from assignee.

With regard to getting sponsored, sponsors want to see that you are following / understanding / improving upon your knowledge of packaging for Fedora. This typically involves performing some pre-reviews on other packages in the Review Request queue:
http://fedoraproject.org/PackageReviewStatus/NEW.html

Also, I think there is a way to mark this review request as need sponsor, so that potential sponsors may find it more easily.
Comment 18 Daniel Walsh 2009-10-05 09:53:32 EDT
I can own this package and have Chris as a contributer.
Comment 19 Christopher Pardy 2009-10-05 10:35:35 EDT
Dave, thanks for the comments, again. Yes I had "released" instead of "releases", I've fixed that, I removed the post section, fixed up the file permissions. Running rpmlint on the srpm and spec now returns no errors. running on the rpm returns warnings for the lack of docs and a false warning for the .config file being in /etc (freedesktop's fault not mine). Dan, if you want to take ownership and get this approved please go ahead.
Comment 21 David Timms 2009-10-05 17:08:46 EDT
(In reply to comment #18)
> I can own this package and have Chris as a contributer.  
OK. Any ideas about whether testing this on f11 (by updating to rawhide / f12 -policy) would be a bad thing (before I kill my machine) ?
Comment 22 Christopher Pardy 2009-10-05 19:26:52 EDT
That's what I'm doing and my machine isn't dead so I think it's ok.
Comment 23 Daniel Walsh 2009-10-06 09:59:09 EDT
F12 policy should work fine on F11.
Comment 24 David Timms 2009-11-22 07:11:58 EST
(In reply to comment #20)
> source rpm:
> http://fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux-0.2-5.fc11.src.rpm
Sorry, getting back to this...

Builds OK.
Clicking system|administration|selinux management
Runtime:
=====
$ system-config-selinux 
Traceback (most recent call last):
  File "/usr/bin/system-config-selinux", line 265, in <module>
    win = MainWindow()
  File "/usr/bin/system-config-selinux", line 55, in __init__
    self.startup()
  File "/usr/lib/python2.6/site-packages/scselinux/async.py", line 24, in rplc
    return function(*pargs,**kargs)
  File "/usr/bin/system-config-selinux", line 59, in startup
    self.selinux = scselinux.Transaction()
  File "/usr/lib/python2.6/site-packages/scselinux/proxy.py", line 36, in __init__
    dbus_object = bus.get_object ("org.fedoraproject.selinux.config",'/org/fedoraproject/selinux/transaction')
  File "/usr/lib/python2.6/site-packages/dbus/bus.py", line 244, in get_object
    follow_name_owner_changes=follow_name_owner_changes)
  File "/usr/lib/python2.6/site-packages/dbus/proxies.py", line 241, in __init__
    self._named_service = conn.activate_name_owner(bus_name)
  File "/usr/lib/python2.6/site-packages/dbus/bus.py", line 183, in activate_name_owner
    self.start_service_by_name(bus_name)
  File "/usr/lib/python2.6/site-packages/dbus/bus.py", line 281, in start_service_by_name
    'su', (bus_name, flags)))
  File "/usr/lib/python2.6/site-packages/dbus/connection.py", line 630, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.Spawn.ChildExited: Launch helper exited with unknown return code 1
=====
# system-config-selinux
Traceback (most recent call last):
  File "/usr/bin/system-config-selinux", line 265, in <module>
    win = MainWindow()
  File "/usr/bin/system-config-selinux", line 55, in __init__
    self.startup()
  File "/usr/lib/python2.6/site-packages/scselinux/async.py", line 24, in rplc
    return function(*pargs,**kargs)
  File "/usr/bin/system-config-selinux", line 86, in startup
    self.Pages = [general_config.Page(self),files_object.Page(self),file_equiv_object.Page(self),users_object.Page(self),ports_object.Page(self),processes_object.Page(self),policy_config.Page(self),booleans_config.Page(self)]
  File "/usr/share/system-config-selinux/pages/general_config.py", line 47, in __init__
    self.builder.add_from_file("ui/general_config.ui")
glib.GError: Duplicate object id 'vbox3' on line 469 (previously on line 11)
=====
So, at least under F12, i686 there is some trouble to sort out...
Comment 25 David Timms 2009-11-22 07:24:58 EST
There is a possibility that the above error is caused by something going wrong with nautilus (dbus error), yet:

I also got an selinux notification (note "system-config-s" not the full name):
=====
Summary:

SELinux is preventing /usr/bin/python "getsched" access.

Detailed Description:

SELinux denied access requested by system-config-s. It is not expected that this
access is required by system-config-s and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:semanage_t:s0-s0:c0.c1023
Target Context                system_u:system_r:semanage_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        system-config-s
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          davidtdesktop
Source RPM Packages           python-2.6.2-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-46.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     davidtdesktop
Platform                      Linux davidtdesktop 2.6.31.5-127.fc12.i686.PAE #1
                              SMP Sat Nov 7 21:25:57 EST 2009 i686 athlon
Alert Count                   4
First Seen                    Sun 22 Nov 2009 10:56:40 PM EST
Last Seen                     Sun 22 Nov 2009 11:09:30 PM EST
Local ID                      796a9ac4-bdba-4327-baca-49f471fda2c6
Line Numbers                  

Raw Audit Messages            

node=davidtdesktop type=AVC msg=audit(1258891770.762:1341): avc:  denied  { getsched } for  pid=13802 comm="system-config-s" scontext=system_u:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:system_r:semanage_t:s0-s0:c0.c1023 tclass=process

node=davidtdesktop type=SYSCALL msg=audit(1258891770.762:1341): arch=40000003 syscall=157 success=no exit=-13 a0=35ea a1=ffffffc8 a2=6feff4 a3=b77576c0 items=0 ppid=13801 pid=13802 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-config-s" exe="/usr/bin/python" subj=system_u:system_r:semanage_t:s0-s0:c0.c1023 key=(null)

=====
SELinux Policy Generation Tool: starts up, but is delayed by maybe 5 seconds, giving me the impression that it isn't going to work, or that something has gone wrong.
Actually, the delay to any form of GUI appears is: time selinux-polgengui 

real	0m11.499s
user	0m10.022s
sys	0m0.064s

My preference would be for the GUI to appear immediately on the screen, but then show some sort of progress bar to indicate that it needs to do something (what) before it's is ready for user input. It's especially helpful if there are say 500 records to read, that the bar progresses appropriately (please don't implement Knight Rider ~progress bards).

The alternate is to call that function that makes an item appear in the task bar during the app start...
Comment 26 David Timms 2009-11-22 07:41:44 EST
SELinux Policy Generation Tool:
If you choose LoginUsers: Minimal Terminal user role.
move to the:
Select additional roles for this user:
, the list has two items named system.

I don't really understand how/why etc, but I would suggest two identical items is at the very least confusing, and either a bug in this tool, or in the data that it access from elsewhere.

Trying to apply those settings (I don;t actually know what I'm doing) generated an AVC, same as before.

Nothing is written to the policy folder that I requested to create as part of the tool.
Comment 27 Daniel Walsh 2009-11-23 10:36:46 EST
David, I will fix these bugs when this package gets released.  I currently have to support pretty much the same tool in F13. policycorutils-gui.  If we release this, we can remove that package and concentrate on fixing this tool
Comment 28 David Timms 2009-11-23 15:23:01 EST
(In reply to comment #27)
> If we release
> this, we can remove that package and concentrate on fixing this tool  
OK, assuming the release early, release often mantra, and I'm expecting this would only be added to F13 (rawhide).

One thing concerns me:
ln -sf %{_datadir}/system-config-selinux/polgengui.py \
       %{buildroot}%{_bindir}/selinux-polgengui
ln -sf %{_datadir}/system-config-selinux/system-config-selinux.py \
       %{buildroot}%{_bindir}/system-config-selinux

$ rpm --eval %{_bindir}
/usr/bin

$ rpm --eval %{buildroot}
/home/davidt/rpmbuild/BUILDROOT/%{name}-%{version}-%{release}.i386

$ rpm --eval %{_datadir}
/usr/share

So these are making a link from / to the raw build machine's 
buildroot location ?
    I'm probably misunderstanding how that works.

Otherwise, given the main app doesn't even start up, I'm happy enough to approve the package, so that it is in rawhide as soon as possible.

  Please consider the package APPROVED by dtimms.
Comment 29 Susi Lehtola 2009-11-23 15:47:31 EST
(In reply to comment #28)
> One thing concerns me:
> ln -sf %{_datadir}/system-config-selinux/polgengui.py \
>        %{buildroot}%{_bindir}/selinux-polgengui
> ln -sf %{_datadir}/system-config-selinux/system-config-selinux.py \
>        %{buildroot}%{_bindir}/system-config-selinux
 
> So these are making a link from / to the raw build machine's 
> buildroot location ?
>     I'm probably misunderstanding how that works.

This is normal for symbolic links. For instance the upper one creates a symbolic link that points to /usr/share/system-config-selinux/polgengui.py and places it in the bindir of the buildroot (since obviously you cannot create it elsewhere).

The link is broken when it is created (unless, of course, a previous version of the package is installed on the build system), but works in the rpm itself as long as there's no mistake in the spelling.
Comment 30 David Timms 2009-11-24 07:20:47 EST
(In reply to comment #29)
> This is normal for symbolic links. For instance the upper one creates a
> symbolic link that points to /usr/share/system-config-selinux/polgengui.py and
> places it in the bindir of the buildroot (since obviously you cannot create it
> elsewhere).
> 
> The link is broken when it is created (unless, of course, a previous version of
> the package is installed on the build system), but works in the rpm itself as
> long as there's no mistake in the spelling.  
OK, thanks Jussi for the explanation.

Is there any other package issues that you can see present (well, I approved it anyway (earlier)) ?

(In reply to comment #18) (Dan Walsh)
> I can own this package and have Chris as a contributer.  
Can/should the reporter be changed to Dan (as it is he who will request CVS, import it, own and so forth) ?
Comment 31 Susi Lehtola 2009-11-24 08:14:47 EST
OK, I had a look at the spec file and came up with a few comments:

- instead of
 %dir %{_datadir}/system-config-selinux
 %{_datadir}/system-config-selinux/*
I would suggest using just
 %{_datadir}/system-config-selinux/
which does the same thing. (Same for the python_sitelib).

- Isn't there a Python egg...?

- I think you should Requires: dbus for dir ownership.

- Dir issue:
$ yum provides /usr/share/PolicyKit/policy/
results in no matches.
$ yum provides /usr/share/PolicyKit/
results in no matches. Filed bug #540888.
Comment 32 Susi Lehtola 2009-11-25 09:19:52 EST
(In reply to comment #31)
> - Dir issue:
> $ yum provides /usr/share/PolicyKit/policy/
> results in no matches.
> $ yum provides /usr/share/PolicyKit/
> results in no matches. Filed bug #540888.  

Be advised, this has been fixed in control-center (the only other package that placed files in /usr/share/PolicyKit/policy/). You're using the wrong directory as well. Use
 %{_datadir}/polkit-1/actions/
for the policy file and add
 Requires: polkit 
for dir ownership.
Comment 33 Daniel Walsh 2009-11-25 14:51:14 EST
Ok I am changing the package location.
Comment 34 David Timms 2010-01-02 02:07:14 EST
As far as I can see CVS space under devel/system-config-selinux has not been created, and there hasn't been any updates to:
https://fedorahosted.org/releases/s/y/system-config-selinux/system-config-selinux.spec
to take into account (comment #31)

There is about 6x weeks left until F13:
2010-01-26 Feature Submission Deadline
2010-02-16 Alpha Freeze
Comment 35 Jason Tibbitts 2010-01-20 22:20:33 EST
Is anything happening here?  In response to comment 34, no CVS module has been created because CVS hasn't been requested; the last activity on this ticket was to remove the submitter address from CC (though I'm not sure what that would accomplish).

In addition, I see some other problems with this ticket:

The submitter of this ticket, cpardy, is not a member of the packager group.  Thus this ticket should block FE-NEEDSPONSOR, and the review must be done by a sponsor.

dtimms (or is it sunset, two accounts with the same name and same username at two different Australian ISPs makes it a bit confusing) is not a sponsor and so can't do the package review.

So, let's try to untangle the mess.  First, off:  Chris, did you still intend to submit this package?  If so, let's clear out the fedora-review flag, set FE-NEEDSPONSOR properly, and try to scare up a sponsor.  If not, let's close this out.  If someone else wants to submit this so it makes it into F13, they should open their own review ticket.
Comment 36 Daniel Walsh 2010-01-21 12:53:49 EST
*** Bug 504809 has been marked as a duplicate of this bug. ***
Comment 37 Daniel Walsh 2010-01-21 12:58:30 EST
New Package CVS Request
=======================
Package Name: system-config-selinux
Short Description: system-config-selinux is a utility for managing the SELinux environment
Owners: dwalsh chris.pardy 
Branches: F-13
InitialCC: mgrepl@redhat.com
Comment 38 Daniel Walsh 2010-01-21 13:01:03 EST
Jason, I want this package
Comment 39 Jason Tibbitts 2010-01-21 15:32:18 EST
"chris.pardy" is not a valid Fedora account; cannot add it as a commaintainer.  If you meant cpardy, that account is not sponsored and cannot own or comaintain packages.

"mgrepl@redhat.com" is not a valid Fedora account.  I assume you meant "mgrepl".

F-13 is not a valid branch; early branching for F-13 has not yet begun.

This whole thing has been highly irregular; generally the person who submits the package should be the one who requests CVS and should be the primary owner.  Barring you opening your own review ticket for a proper review, could we at least see the final package with the corrections from comment 31 posted somewhere?  And could you submit a corrected CVS request?
Comment 40 Daniel Walsh 2010-01-21 16:52:29 EST
New Package CVS Request
=======================
Package Name: system-config-selinux
Short Description: system-config-selinux is a utility for managing the SELinux
environment
Owners: dwalsh mgrepl
Branches: devel
InitialCC: cpardy
Comment 41 Kevin Fenzi 2010-01-31 14:13:43 EST
Dan / Christopher: Any reply to the questions in comment 35 and/or 39?

What can we do to get things moving here? 

It seems odd to approve a package that doesn't even run yet. Does it now?
Is there a link to that updated package?
Comment 42 Daniel Walsh 2010-02-03 09:43:36 EST
I have not been able to look at this, but it will not go in until F14 opens up, at this point.
Comment 43 Jens Petersen 2010-02-05 05:45:29 EST
Removing fedora‑cvs for now then.

Please re-request when ready.
Comment 44 Susi Lehtola 2011-12-16 05:02:29 EST
Ping Christopher, is this package (system-config-selinux) going anywhere..?
Comment 45 Daniel Walsh 2011-12-16 06:34:51 EST
No
Comment 46 Susi Lehtola 2011-12-16 07:00:19 EST
So.. can we close this bug?
Comment 47 Daniel Walsh 2011-12-17 07:38:12 EST
Well the effort here was never picked up.  Since I have never had time.

Note You need to log in before you can comment on or make changes to this bug.