container-selinux install on non selinux-policy-targeted systems #332
Conversation
@lsm5 PTAL
@ewee33 PTAL
Ephemeral COPR build failed. @containers/packit-build please check.
/packit build
rpm/container-selinux.spec
@@ -51,7 +50,8 @@ BuildRequires: selinux-policy-devel >= %_selinux_policy_version | |||
# RE: rhbz#1195804 - ensure min NVR for selinux-policy | |||
Requires: selinux-policy >= %_selinux_policy_version | |||
Requires(post): selinux-policy-base >= %_selinux_policy_version | |||
Requires(post): selinux-policy-targeted >= %_selinux_policy_version | |||
Requires(post): selinux-policy-any >= %_selinux_policy_version | |||
Recommends(post): selinux-policy-targeted >= %_selinux_policy_version |
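Review bot: the last added line, Recommends(post): selinux-policy-targeted >= %_selinux_policy_version, uses a tag rpm does not accept; scriptlet qualifiers such as (post) are only valid on Requires, so rpmbuild aborts with "Unknown tag", which is what the failed COPR build in this thread reports. Either drop the qualifier and write a plain Recommends: selinux-policy-targeted >= %_selinux_policy_version, or remove the line altogether, since recommending -targeted works against the stated goal of installing on non-targeted (e.g. MLS) systems. If it stays as a plain Recommends, keep in mind that dnf installs weak dependencies by default (unless install_weak_deps is turned off), so the new Requires(post): selinux-policy-any line and the MLS install path should be verified with a real install on an MLS host rather than by inspection.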
doesn't look like Recommends(post) is a thing. Also, should we even recommend install of -targeted on non-targeted systems? Maybe we can just delete this line?
rpm builds are failing on Unknown tag: Recommends(post): selinux-policy-targeted >= %_selinux_policy_version
I think we should remove the (post) then.
that would probably end up installing -targeted on MLS systems unless it's a fedora-server or another environment where weak dependencies are ignored. Is that acceptable?
Err, my bad. It won't install -targeted if something else is present. Anyway, it'd be good to have this verified on an MLS env before merge. @ewee33 could you try to install the test rpms? See https://dashboard.packit.dev/jobs/copr/1883709 for instructions
Unfortunately my system is RHEL 8, and the build only has an epel-9 version. Are you able to make an epel-8 version? Or alternatively are you able to provide instructions on how I could build the RPM from source on my RHEL 8 system?
@ewee33 I'm afraid making it build on rhel8 envs could be quite a bit of trouble, especially with selinux-policy and other dependencies being a lot older. Any chance you could switch your machine to EL9 or fedora?
I can send out the build instructions to you in a bit, but if things break, you're probably on your own.
@lsm5 unfortunately I don't think switching to EL9 or fedora is an option for me.
So does this package no longer support RHEL 8? Is that a recent development? I have been working with the container-selinux-2:2.229.0-2.module+el8.10.0+22202+761b9a65.noarch RPM, which seems to support RHEL 8 systems. If RHEL 8 is no longer supported, it seems like I won't be able to install this package directly from a dnf install.
I would still appreciate build instructions if it's not too much trouble. I can try to revert to v2.229.0 and make identical changes to the RPM spec as were made in this PR, then build from there. I think it's very likely that I will still run into problems when installing the module itself, as it will likely try to reference types/interfaces from selinux-policy-targeted that don't exist on my system. I can see if I'm able to work through those.
> @lsm5 unfortunately I don't think switching to EL9 or fedora is an option for me.
> So does this package no longer support RHEL 8? Is that a recent development? I have been working with the container-selinux-2:2.229.0-2.module+el8.10.0+22202+761b9a65.noarch RPM, which seems to support RHEL 8 systems. If RHEL 8 is no longer supported, it seems like I won't be able to install this package directly from a dnf install.

IIUC, there will be security updates / cve fixes to the versions that are already shipped on active releases of RHEL 8, but highly unlikely that rhel8 will get any new versions of packages. So, you'll probably not see any v2.230 of container-selinux on rhel8.

> I would still appreciate build instructions if it's not too much trouble. I can try to revert to v2.229.0 and make identical changes to the RPM spec as were made in this PR, then build from there. I think it's very likely that I will still run into problems when installing the module itself, as it will likely try to reference types/interfaces from selinux-policy-targeted that don't exist on my system. I can see if I'm able to work through those.

RE: building yourself, maybe you can try this:
- Clone the rhel8.10 container-selinux source
- Apply the changes from this PR to the cloned source. You'll probably need to do that manually as patching tools may not cleanly apply
- Fetch source tarball with:
$ spectool -g container-selinux.spec
- Build rpm with:
$ rpmbuild -ba container-selinux.spec
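Two checks that follow from this thread, the rejected Recommends(post) tag and the wish to verify the install on an MLS host, as an added shell example that is not code from the container-selinux project or this PR; the spec fragment and the selinux config file it reads are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the container-selinux project or this PR.
#  1. lint a spec for weak-dependency tags carrying a scriptlet qualifier
#     (rpmbuild rejects e.g. "Recommends(post):" with "Unknown tag");
#  2. report which SELinux policy type a host runs (targeted vs mls) from an
#     /etc/selinux/config-style file, before testing an install on an MLS box.

# Print every offending line of the spec given as $1, prefixed with its line
# number; prints nothing when the spec is clean. Qualifiers like (post) are
# only accepted on Requires, never on the weak-dependency tags matched here.
lint_weak_dep_qualifiers() {
    grep -nE '^[[:space:]]*(Recommends|Suggests|Supplements|Enhances)\(' "$1"
}

# Number of offending lines (0 when clean), usable as a CI gate.
count_weak_dep_qualifiers() {
    lint_weak_dep_qualifiers "$1" | wc -l | tr -d ' '
}

# SELINUXTYPE value from the config file given as $1; "unknown" if absent.
selinux_policy_type() {
    t=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${t:-unknown}"
}

# Constructed spec fragment mirroring the dependency lines from the hunk above.
SAMPLE_SPEC=$(mktemp)
cat > "$SAMPLE_SPEC" <<'EOF'
Requires: selinux-policy >= %_selinux_policy_version
Requires(post): selinux-policy-base >= %_selinux_policy_version
Requires(post): selinux-policy-any >= %_selinux_policy_version
Recommends(post): selinux-policy-targeted >= %_selinux_policy_version
EOF

# Constructed /etc/selinux/config for an MLS host.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
SELINUX=enforcing
SELINUXTYPE=mls
EOF

lint_weak_dep_qualifiers "$SAMPLE_SPEC"   # flags line 4, the Recommends(post) line
selinux_policy_type "$SAMPLE_CONFIG"      # mls
```

On a real host, point selinux_policy_type at /etc/selinux/config and the lint at rpm/container-selinux.spec; a non-zero count from count_weak_dep_qualifiers predicts the "Unknown tag" rpmbuild failure seen in this thread.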
I think it would be good to include a basic installation test for an MLS env. @rhatdan if you agree I can include a TMT test in a followup PR.
Helps fix: containers#331
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Sure, having an MLS test would keep us honest.
Filed #334 to add tests, but I think that need not block merge.
Helps fix: #331