c860f99
@@ -161,6 +161,7 @@
"plymouth",
"plymouth-system-theme",
"policycoreutils",
+ "policycoreutils-python-utils",
"polkit",
"procps-ng",
"pulseaudio",
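Review bot: the new "policycoreutils-python-utils" entry, placed between "policycoreutils" and "polkit", carries no record of why it is listed explicitly in this manifest. The list format leaves no room for an inline comment, so the commit message should say that the package is wanted for semanage and whether the entry is a stopgap until a comps group provides it. The package name points to a Python-based tool set, so it would also help to state which additional packages this line pulls into the base tree, letting reviewers judge the size and dependency impact.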
This brings in semanage which allows users to manage local SELinux policy customizations.
Seems like this one should be in the common deps?
Offhand I'm surprised nothing in comps is pulling it in.
Oops! Missed that for some reason.
rebased onto c860f99
Updated :arrow_up:
> @walters Offhand I'm surprised nothing in comps is pulling it in.
I agree. @sgallagh - should semanage be something that would be included in the workstation comps groups ?
FWIW if you just want to rebuild it's semodule -B.
@dustymabe @walters I’m not at my desk at the moment so I can’t check the dependencies, but in the past I think the reason this wasn’t part of comps is that we were trying to avoid having selinux-policy in the mandatory dependency chain so it was possible for people to do yum remove selinux-policy and not end up with a broken system.
Does semanage still pull in selinux-policy or is it independent?
@sgallagh - here is what I see getting pulled in when I add it to a silverblue system:
    Added:
      checkpolicy-2.8-2.fc29.x86_64
      policycoreutils-python-utils-2.8-8.fc29.noarch
      python3-IPy-0.81-23.fc29.noarch
      python3-audit-3.0-0.4.20180831git0047a6c.fc29.x86_64
      python3-libsemanage-2.8-4.fc29.x86_64
      python3-policycoreutils-2.8-8.fc29.noarch
      python3-setools-4.1.1-13.fc29.x86_64
Then after a reboot I can actually remove selinux-policy altogether if I unlock the system:
    bash-4.4# rpm -e selinux-policy
    error: Failed dependencies:
        selinux-policy = 3.14.2-40.fc29 is needed by (installed) selinux-policy-targeted-3.14.2-40.fc29.noarch
        selinux-policy >= 3.13.1-220 is needed by (installed) container-selinux-2:2.73-2.gitd7a3f33.fc29.noarch
    bash-4.4#
    bash-4.4# rpm -e selinux-policy-targeted
    error: can't create transaction lock on /var/lib/rpm/.rpm.lock (Read-only file system)
    bash-4.4# rpm -e container-selinux
    error: can't create transaction lock on /var/lib/rpm/.rpm.lock (Read-only file system)
    bash-4.4#
    bash-4.4# ostree admin unlock
    Development mode enabled. A writable overlayfs is now mounted on /usr.
    All changes there will be discarded on reboot.
    bash-4.4# rpm -e selinux-policy selinux-policy-targeted container-selinux
    warning: file /var/lib/selinux/targeted/semanage.trans.LOCK: remove failed: No such file or directory
    ...
    bash-4.4# echo $?
    0
    bash-4.4# rpm -q selinux-policy policycoreutils-python-utils
    package selinux-policy is not installed
    policycoreutils-python-utils-2.8-8.fc29.noarch
> @sgallagh Does semanage still pull in selinux-policy or is it independent?
I think the answer to your question is no.
Ack, I have no remaining reservations.
@miabbott - can you open a PR to add that package to pagure.io/fedora-comps ? @sgallagh what group should it go in?
Probably "workstation-product", I guess?
> can you open a PR to add that package to pagure.io/fedora-comps ?
https://pagure.io/fedora-comps/pull-request/345
This is now part of workstation-product and the latest comps sync (#117) pulls it in. Closing.
Pull-Request has been closed by miabbott