[Rpm-maint] [PATCH v2 3/5] Add common Collection requirements
Steve Lawrence
slawrence at tresys.com
Wed Jun 23 14:50:48 UTC 2010
On Wed, 2010-06-23 at 11:13 +0300, Panu Matilainen wrote:
> On Tue, 22 Jun 2010, Steve Lawrence wrote:
>
> > On Tue, 2010-06-22 at 12:12 +0300, Panu Matilainen wrote:
> >> On Mon, 21 Jun 2010, Steve Lawrence wrote:
> >>
> >>> This patch adds the install-time feature that if a package requires a
> >>> package in a collection, then it also requires all other packages in
> >>> that collection. This has the effect that collections will be roughly
> >>> grouped together during a transaction.
> >>>
> >>> Although this is not absolutely necessary for the majority of
> >>> collections, it is required for the SELinux collection. This is because
> >>> all SELinux policies must be installed before the applications they
> >>> secure to ensure correct labels. This means we must ensure packages in
> >>> the selinux collection are ordered earlier in the transaction than all
> >>> applications they protect. Adding this implicit runtime requirements
> >>> achieves this in a general manner, without major modifications to
> >>> dependency ordering.
> >>
> >> It can have the effect of creating gigantic dependency loops, causing
> >> severe ordering problems elsewhere (playing around with a quick-n-dirty
> >> runtime hack to generate ldconfig-collection and subscribing all packages
> >> providing sonames to it). In the library-case, the extra grouping makes
> >> pretty much everything pre-require everything else and poor rpm ending up
> >> ripping them apart again the best it can, with *cough* less than optimal
> >> results :)
> >
> > I hadn't thought of the ldconfig case. I imagine your right.
>
> The ldconfig case is probably close to worst-case scenario, but similar
> issues are likely to be present for any "real" packages which have
> scriptlets and dependencies for them.
>
> >> Of course packages with libraries are a wildly different situation from
> >> selinux policies. It's quite possible we'll need some additional flags to
> >> control collection behavior - some cases absolutely require some special
> >> ordering, for others it might be not just unnecessary but actually harmful
> >> too.
> >>
> >> I suppose moving the collection ownership to packages would help here:
> >> packages in a collection would then just require the collection owner
> >> instead to accomplish rough grouping in ordering without adding too many
> >> extra dependency loops. Packages belonging to several collections might
> >> prove "interesting" here though...
> >>
> >
> > I don't think requiring the collection owner would help much in the case
> > of selinux. It would ensure that the policies get installed after the
> > collection owner, but it wouldn't ensure that all policies get installed
> > before all applications they protect, which is necessary for labeling to
> > be correct.
>
> Hmm, this sounds somewhat familiar... isn't this basically a case of "if
> these packages are present in transaction, order them before me but do not
> actually require them"? The kernel/initrd folks have been requesting such
> a feature for a long time. If we can do this in a way that serves both,
> all the better.
>
> Not sure if you've decided something concrete on the outcome of the
> previous selinux policy packaging discussion (thread starting at
> http://lists.rpm.org/pipermail/rpm-maint/2010-April/002698.html) but for
> at least some of the variants something like this seems workable:
Yes, we've decided we would split all policy into a separate *-policy
packages with the main package requiring it. So apache-policy contains
all policies (mls, targeted, etc) and apache requires apache-policy.
> Taking again apache and its policy/policies as an example...
> If either all the policies are included in a single package, or provide a
> common thing regardless of the variant, then the main apache package could
> have something like this (ignore the exact spec syntax for now):
>
> Requires(order): apache-policy
>
> ...which creates a kind of soft dependency between apache-policy and
> apachge, which dependency resolution ignores but ordering takes into
> account as if it were a real dependency, ie anything providing
> "apache-policy" needs installing before "apache" itself.
>
> IF this kind of approach works for selinux policies then it's not even
> collection specific, it'd be just a common mechanism which collections
> use, and kernel/initrd folks would be happy too.
It seems like this could work. So if I understand it correctly, a more
complicated selinux example with two packages, each with a policy, might
look like this?
foo-policy:
Requires: collection(selinux-policies)
Provides: sepolicy
bar-policy:
Requires: collection(selinux-policies)
Provides: sepolicy
foo:
Requires: foo-policy
Requires(order): sepolicy
bar:
Requires: bar-policy
Requires(order): sepolicy
selinux-policy:
Provides: collection(selinux-policies)
%collection selinux-policies -p <plugin:sepolicy.so>
Which should order the {foo,bar}-policy packages before both foo and bar
and should trigger the sepolicy plugin at the right time.
> > I think your flag idea would probably be the best way to enable this
> > ordering for select collections. Maybe adding a %collection specific
> > option, specified by the owner, e.g.
> >
> > %collection selinux-policy -o groupCollection -p <plugin:selinux.so>
> >
> > Though, multiple collection owners with conflicting orderings could be a
> > problem. Maybe Conflicts could be used to prevent something like that.
> > And I guess that wouldn't be very hard to automatically detect at the
> > beginning of a transaction, and just abort early.
>
> Multiple collection owners might be best handled as conflicts anyway...
> but we'll see.
>
> - Panu -
More information about the Rpm-maint
mailing list