Bug 962081 - More fine-grained policycoreutils packaging
Summary: More fine-grained policycoreutils packaging
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2013-05-11 15:03 UTC by Kalev Lember
Modified: 2013-05-28 02:20 UTC

Fixed In Version: setroubleshoot-3.2.10-1.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-05-28 02:20:03 UTC
Type: Bug

Attachments
[PATCH] Move man pages and html docs to -doc subpackage (2.26 KB, text/plain)
2013-05-16 20:20 UTC, Kalev Lember

Description Kalev Lember 2013-05-11 15:03:02 UTC
The policycoreutils packaging changes are dragging in a number of new packages to the F19 live media, compared to F18:


We are oversize with the Desktop media and this hurts; the new packages are rather large.

As I understand, setroubleshoot-server that's on the live media requires audit2allow from the policycoreutils-devel package and this is dragging in the rest. Would it be possible to split audit2allow out from policycoreutils-devel to avoid pulling in the rest of the deps to the live media?

Comment 1 Daniel Walsh 2013-05-12 10:48:52 UTC
One option would be to eliminate setroubleshoot-server.

This is fairly difficult to break out; basically audit2allow and setroubleshoot require a large bit of SELinux Development environment to exist.

Eliminating audit2allow would be easy, but setroubleshoot is also using sepolicy commands and sepolicy commands can be used to generate policy.

Comment 2 Kalev Lember 2013-05-13 12:50:39 UTC
Fair enough; I was hoping it wouldn't be so hard since the deps weren't there for F18 GA.

What about selinux-policy-doc, is it needed for setroubleshoot to function? It's the largest of the new deps, 27 MB.

(In reply to comment #1)
> One option would be to eliminate setroubleshoot-server.

Do you mean eliminate setroubleshoot entirely from the live media?

Comment 3 Daniel Walsh 2013-05-13 14:00:13 UTC
The problem is setroubleshoot requires sepolicy and audit2allow to do its thing.

sepolicy and audit2allow are also used for policy development, so they are sucking in the selinux-policy-devel package which includes a large number of interface files and 800 man pages.

Do we remove man pages from the livecd?

Comment 4 Daniel Walsh 2013-05-13 14:14:06 UTC
Ok, I can eliminate -doc requirements, but this requires an updated selinux-policy and policycoreutils package.

This will eliminate much of the overhead.

Fixed in policycoreutils-2.1.14-39.fc19.x86_64
Fixed in selinux-policy-3.12.1-44.fc19.noarch

Comment 5 Kalev Lember 2013-05-13 14:22:16 UTC
Very awesome, thanks! I'll see if I can get some people to test the update and karma it so that it gets in stable before the Beta freeze tomorrow.

Regarding man pages: no, we don't remove man pages or any other docs from the livecd -- everything that packages install gets included.

In the light of that, would it be worth moving the 800 man pages you mentioned + the html docs in /usr/share/selinux/devel/html from selinux-policy-devel to selinux-policy-doc?

Comment 6 Kalev Lember 2013-05-16 20:20:51 UTC
Created attachment 749043
[PATCH] Move man pages and html docs to -doc subpackage

Comment 7 Rahul Sundaram 2013-05-16 23:40:44 UTC
IMO, selinux-policy-devel is seriously misnamed. -devel is solely meant for development headers and nothing else in the entire distribution. Only this component uses it to mean something else.

Comment 8 Daniel Walsh 2013-05-17 12:22:18 UTC
-devel is the stuff required to develop SELinux Policy, not the stuff to develop C code. So interface files *.if are the equivalent of *.h in a C sense. Man pages could be moved.

I do not want to move the man pages to the -doc package because I really do not want to install the -doc package on most machines, but I want the man pages on most machines.  I could move the man pages to the base package which is probably where they belong, since they describe the policy, but again this makes the minimal install grow.

Comment 9 Rahul Sundaram 2013-05-17 17:38:22 UTC
Yes, that's the unusual part. Everywhere else in the distro -devel means just header files in C and not any other development tools, and we have several scripts that assume that's the case. For instance https://fedoraproject.org/wiki/Packaging:Guidelines#rpmdev-rmdevelrpms, and QA even had a check to make sure -devel packages don't end in the general release by default. This sole package breaks that convention.

Comment 10 Daniel Walsh 2013-05-17 21:14:44 UTC
Well if you can think of another name for the development package used to develop SELinux-Policy Modules, then pick a name.

Comment 11 Rahul Sundaram 2013-05-17 21:34:57 UTC
selinux-policy-devel-support for instance is a better name

Comment 12 Daniel Walsh 2013-05-18 10:10:16 UTC
I think we should bring this up for discussion on the fedora-devel list.  selinux-policy-devel has existed since Fedora 4, and it is a well known package name.

Comment 13 Kalev Lember 2013-05-21 11:13:03 UTC
(In reply to Daniel Walsh from comment #8)
> I do not want to move the man pages to the -doc package because I really do
> not want to install the -doc package on most machines, but I want the man
> pages on most machines.  I could move the man pages to the base package
> which is probably where they belong, since they describe the policy, but
> again this makes the minimal install grow.

Fair enough, that sounds like a good enough reason to keep them in -devel.

Moving them to the base package seems counter-productive for solving the size issues; if they don't belong to -doc, then -devel is a better place for them than the base package, in my opinion.

Comment 14 Daniel Walsh 2013-05-22 17:28:22 UTC
Well I just made some changes to remove setroubleshoot-server requirement on policycoreutils-devel, it now only requires policycoreutils-python, which should eliminate these packages from the livecd.

Comment 15 Fedora Update System 2013-05-22 17:31:45 UTC
setroubleshoot-3.2.10-1.fc19 has been submitted as an update for Fedora 19.

Comment 16 Kalev Lember 2013-05-22 18:41:34 UTC
Awesome, thank you!

Comment 17 Fedora Update System 2013-05-22 22:40:49 UTC
Package setroubleshoot-3.2.10-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing setroubleshoot-3.2.10-1.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2013-05-28 02:20:03 UTC
setroubleshoot-3.2.10-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
