Red Hat Bugzilla – Bug 962081
More fine-grained policycoreutils packaging
Last modified: 2013-05-27 22:20:03 EDT
The policycoreutils packaging changes are dragging in a number of new packages to the F19 live media, compared to F18:
We are oversize with the Desktop media and this hurts; the new packages are rather large.
As I understand, setroubleshoot-server that's on the live media requires audit2allow from the policycoreutils-devel package and this is dragging in the rest. Would it be possible to split audit2allow out from policycoreutils-devel to avoid pulling in the rest of the deps to the live media?
One option would be to eliminate setroubleshoot-server.
This is fairly difficult to break out; basically audit2allow and setroubleshoot require a large bit of SELinux Development environment to exist.
Eliminating audit2allow would be easy, but setroubleshoot is also using sepolicy commands and sepolicy commands can be used to generate policy.
Fair enough; I was hoping it wouldn't be so hard since the deps weren't there for F18 GA.
What about selinux-policy-doc, is it needed for setroubleshoot to function? It's the largest of the new deps, 27 MB.
(In reply to comment #1)
> One option would be to eliminate setroubleshoot-server.
Do you mean eliminate setroubleshoot entirely from the live media?
The problem is setroubleshoot requires sepolicy and audit2allow to do its thing.
sepolicy and audit2allow are also used for policy development, so they are sucking in the selinux-policy-devel package which includes a large number of interface files and 800 man pages.
Do we remove man pages from the livecd?
OK, I can eliminate -doc requirements, but this requires an updated selinux-policy and policycoreutils package.
This will eliminate much of the overhead.
Fixed in policycoreutils-2.1.14-39.fc19.x86_64
Fixed in selinux-policy-3.12.1-44.fc19.noarch
Very awesome, thanks! I'll see if I can get some people to test the update and karma it so that it gets in stable before the Beta freeze tomorrow.
Regarding man pages: no, we don't remove man pages or any other docs from the livecd -- everything that packages install gets included.
In the light of that, would it be worth moving the 800 man pages you mentioned + the html docs in /usr/share/selinux/devel/html from selinux-policy-devel to selinux-policy-doc?
Created attachment 749043
[PATCH] Move man pages and html docs to -doc subpackage
IMO, selinux-policy-devel is seriously misnamed. -devel is solely meant for development headers and nothing else in the entire distribution. Only this component uses it to mean something else.
-devel is the stuff required to develop SELinux Policy, not the stuff to develop C code. So interface files *.if are the equivalent of *.h in a C sense. Man pages could be moved.
I do not want to move the man pages to the -doc package because I really do not want to install the -doc package on most machines, but I want the man pages on most machines. I could move the man pages to the base package which is probably where they belong, since they describe the policy, but again this makes the minimal install grow.
Yes, that's the unusual part. Everywhere else in the distro -devel means just header files in C and not any other development tools, and we have several scripts that assume that's the case. For instance, https://fedoraproject.org/wiki/Packaging:Guidelines#rpmdev-rmdevelrpms, and QA even had a check to make sure -devel packages don't end up in the general release by default. This sole package breaks that convention.
Well if you can think of another name for the development package used to develop SELinux-Policy Modules, then pick a name.
selinux-policy-devel-support, for instance, is a better name.
I think we should bring this up for discussion on the fedora-devel list. selinux-policy-devel has existed since Fedora 4, and it is a well known package name.
(In reply to Daniel Walsh from comment #8)
> I do not want to move the man pages to the -doc package because I really do
> not want to install the -doc package on most machines, but I want the man
> pages on most machines. I could move the man pages to the base package
> which is probably where they belong, since they describe the policy, but
> again this makes the minimal install grow.
Fair enough, that sounds like a good enough reason to keep them in -devel.
Moving them to the base package seems counter-productive for solving the size issues; if they don't belong to -doc, then -devel is a better place for them than the base package, in my opinion.
Well I just made some changes to remove setroubleshoot-server requirement on policycoreutils-devel, it now only requires policycoreutils-python, which should eliminate these packages from the livecd.
setroubleshoot-3.2.10-1.fc19 has been submitted as an update for Fedora 19.
Awesome, thank you!
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing setroubleshoot-3.2.10-1.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
setroubleshoot-3.2.10-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.