Story #1166

closed

As a user, I can install a crane-selinux rpm

Added by cduryee over 8 years ago. Updated about 5 years ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Start date:
Due date:
% Done: 100%
Estimated time: (Total: 0:00 h)
Platform Release:
Target Release - Crane:
Groomed: No
Sprint Candidate: No
Tags: Pulp 2, SELinux
Sprint:
Quarter:

Description

python-crane has semanage statements in %post. These should be moved to a simple policy. The python-crane spec contains the following:


%post
semanage fcontext -a -t httpd_sys_content_t '%{_var}/lib/crane(/.*)?'
restorecon -R -v %{_var}/lib/crane

%postun
if [ $1 -eq 0 ] ; then  # final removal
semanage fcontext -d -t httpd_sys_content_t '%{_var}/lib/crane(/.*)?'
restorecon -R -v %{_var}/lib/crane
fi

I do not think semanage is appropriate in the %post and %postun since it can cause confusion when some selinux-related items work but not others. IMO the statements should be removed in favor of either selinux setup documentation, or a policy file.

QE note: this bug is for a refactor and likely will not have anything to validate aside from regression testing.


Sub-issues: 1 (0 open, 1 closed)

Issue #2719: Need to choose a port, and ship SELinux policy for network connections | CLOSED - WONTFIX

Related issues

Related to Crane - Issue #1572: Yum install python crane raising SE Linux errors | CLOSED - CURRENTRELEASE | pcreech

#1

Updated by cduryee over 8 years ago

  • Description updated (diff)
#3

Updated by bmbouter over 8 years ago

  • Triaged changed from No to Yes

On a mailing list it was suggested to make a simple selinux policy for crane and have the directory labels done in the fc file and the require of httpd_sys_content_t in the te file. Here's the e-mail explaining why:

Steve wrote:

The problem with doing that is that you encode special knowledge of the policy
in a script. There's no guarantee that httpd_sys_content_t will exist in any
future Fedora release or even between distributions.

Maybe work with the selinux policy writer(s) to get that into policy so that
selinux knows how to label that directory correctly from the beginning. I want
to think that when you use semanage, it's to fix something you've done locally
and unique to your system.
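
The refactor suggested above (directory labels in an fc file, the `httpd_sys_content_t` requirement in a te file), shown as an added example that is not code from this ticket or from the Pulp project: a small script that finds `semanage fcontext -a` calls in spec scriptlets and emits the equivalent policy sources. The module name `crane`, the version `1.0.0`, the expansion of `%{_var}` to `/var`, and building with the selinux-policy-devel macros (`policy_module`, `gen_context`) are assumptions.

```python
import shlex

# Constructed sample: the scriptlets quoted in the ticket description.
SPEC = """\
%post
semanage fcontext -a -t httpd_sys_content_t '%{_var}/lib/crane(/.*)?'
restorecon -R -v %{_var}/lib/crane

%postun
if [ $1 -eq 0 ] ; then  # final removal
semanage fcontext -d -t httpd_sys_content_t '%{_var}/lib/crane(/.*)?'
restorecon -R -v %{_var}/lib/crane
fi
"""

MACROS = {"%{_var}": "/var"}  # assumption: stock RPM value of %{_var}


def find_fcontext_adds(spec, macros=MACROS):
    """Return (line_no, selinux_type, path_regex) per `semanage fcontext -a`."""
    found = []
    for no, line in enumerate(spec.splitlines(), 1):
        try:
            argv = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: not a command we can parse
            continue
        if argv[:2] != ["semanage", "fcontext"] or "-a" not in argv:
            continue  # deletions (-d) need no policy entry
        if "-t" not in argv[:-1]:
            continue  # no type argument followed by a path
        ctype = argv[argv.index("-t") + 1]
        path = argv[-1]
        for macro, value in macros.items():
            path = path.replace(macro, value)  # .fc files need literal paths
        found.append((no, ctype, path))
    return found


def render_policy(module, adds):
    """Build the .te and .fc text for a labeling-only module."""
    types = sorted({t for _, t, _ in adds})
    te = "policy_module(%s, 1.0.0)\n\nrequire {\n%s}\n" % (
        module, "".join("    type %s;\n" % t for t in types))
    fc = "".join("%s    gen_context(system_u:object_r:%s,s0)\n" % (p, t)
                 for _, t, p in adds)
    return te, fc


if __name__ == "__main__":
    te, fc = render_policy("crane", find_fcontext_adds(SPEC))
    print(te + "\n" + fc)
```

With the labels carried by a policy module, a missing `httpd_sys_content_t` shows up as a module build or load error rather than as a partially applied `%post` scriptlet.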

#4

Updated by bmbouter over 8 years ago

  • Tracker changed from Issue to Story
  • Subject changed from python-crane has semanage statements in %post to As a user, I can install a crane-selinux rpm
  • Description updated (diff)
  • Groomed set to No
  • Sprint Candidate set to No
#5

Updated by bmbouter about 8 years ago

  • Related to Issue #1572: Yum install python crane raising SE Linux errors added
#6

Updated by bmbouter about 8 years ago

  • Parent issue set to #1826
#7

Updated by bmbouter about 8 years ago

  • Tags SELinux added
#8

Updated by bmbouter about 8 years ago

  • Parent issue deleted (#1826)
#9

Updated by bmbouter about 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX
#10

Updated by bmbouter about 5 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#11

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added
