[Rpm-maint] [PATCH 2/6] Add new %sepolicy section to the spec file format

Panu Matilainen pmatilai at laiskiainen.org
Wed Aug 18 11:09:49 UTC 2010


On Fri, 30 Jul 2010, Steve Lawrence wrote:

> On Mon, 2010-07-26 at 13:57 +0300, Panu Matilainen wrote:
>> On Wed, 14 Jul 2010, Steve Lawrence wrote:
>>
>>> The %sepolicy section is used to describe SELinux policy to be included
>>> in a package. Its syntax is similar to other sections (%files, %pre,
>>> %post, etc.) in that you can provide a string and -n after the
>>> declaration to specify policy should be added to a subpackage.
>>>
>>> For example:
>>>
>>> %sepolicy
>>> # policy in this section will be added to the main package
>>>
>>> %sepolicy foo
>>> # policy in this section will be added to the '<mainpackage>-foo' subpackage
>>>
>>> %sepolicy -n bar
>>> # policy in this section will be added to the 'bar' subpackage
>>>
>>> The %sepolicy section contains zero or more %module directives, each of
>>> which specifies a path into the build directory of a policy file, for
>>> example:
>>>
>>> %module policies/foo.pp
>>> %module policies/bar.pp
>>>
>>> After each %module directive can be zero or more options, specified in
>>> the same format as Preamble tags. The current options are:
>>>
>>> Base:   Whether or not the module is a base module. Values can be
>>>        yes/1 or no/0. Defaults to no/0 if not given.
>>>
>>> Name:   The name of the module. If not given, we assume the name is
>>>        the basename of the module file with file extensions removed.
>>>
>>> Types:  One or more space-separated strings specifying which policy
>>>        types the module can work with. To explicitly state that a module
>>>        can work with any policy type, "default" can be specified as
>>>        the value. If not specified, we assume the module can work with
>>>        any policy type, and assign the types as "default".
>>>
>>> Spaces before and after the %module directive and options are ignored.
>>> Options always apply to the previously defined %module directive.
>>>
>>> Below is an example of this new format:
>>>
>>> %sepolicy
>>> %module policy/foo.pp
>>>   Name: foo
>>>   Types: mls
>>> %module policy/bar.pp
>>>   Name: bar
>>>   Types: strict targeted mls
>>>   Base: yes
>>
>> Since these are "options", why not actually make them options to the
>> %module directive? Eg
>>
>> %module -n foo policy/foo.pp
>>
>> %module -n bar -b policy/bar.pp
>>
>> ..where -n stands for the optional name, and -b for "base". Types might
>> make more sense as it is, but OTOH "-t strict,targeted,mls" would be just
>> as well I think. Also offloading the option parsing to popt should
>> simplify the code somewhat too.
>>
>> Especially I'm concerned with the overloading of "Name", I didn't look up
>> the code whether it ends up redefining %{name} macro (which would likely
>> break some specs) or not, but in any case it looks like an unnecessary
>> ambiguity.
>>
>>  	- Panu -
>
> The code doesn't redefine the %{name} macro, but we have no problem
> making the change. You're right in that it should simplify the parsing
> quite a bit. We'll make this change.

Ok, thanks. One more thing I missed on previous round: please rename 
the "%module" directive to something like "%semodule" to make it obviously 
selinux-specific (we might want to use "%module" for something more 
generic at some point).

 	- Panu -
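Added illustration, not part of the thread or of rpm itself: a small parser for the %sepolicy section exactly as the quoted patch description defines it (a %sepolicy header that may name a subpackage with or without -n, followed by %module directives each carrying optional Name:, Types: and Base: tags, with the stated defaults). It also resolves which package the section lands in, which is the part of the format Panu's ambiguity concern touches. Two things are assumptions of this example rather than anything in the patch: "%semodule" is accepted as an alias of "%module" (following the rename request above), and the tag names are matched case-insensitively.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "%semodule" is accepted as an alias only as an assumption, following the
# rename request in the thread; the patch text itself defines "%module".
DIRECTIVES = ("%module", "%semodule")
# Preamble-style tags; matching them case-insensitively is an assumption.
TAG_RE = re.compile(r"^(name|types|base)\s*:\s*(.*?)\s*$", re.IGNORECASE)
BOOL = {"yes": True, "1": True, "no": False, "0": False}


@dataclass
class Module:
    path: str                      # path into the build directory
    name: str                      # Name: tag, else basename minus extensions
    types: List[str] = field(default_factory=lambda: ["default"])
    base: bool = False


@dataclass
class SepolicySection:
    package: Optional[str]         # None means the main package
    explicit: bool                 # True when "-n" was used (name verbatim)
    modules: List[Module] = field(default_factory=list)


def parse_header(line: str) -> SepolicySection:
    """Parse '%sepolicy', '%sepolicy foo' or '%sepolicy -n bar'."""
    parts = line.split()
    if not parts or parts[0] != "%sepolicy":
        raise ValueError(f"not a %sepolicy header: {line!r}")
    if len(parts) == 1:
        return SepolicySection(package=None, explicit=False)
    if parts[1] == "-n" and len(parts) == 3:
        return SepolicySection(package=parts[2], explicit=True)
    if parts[1] != "-n" and len(parts) == 2:
        return SepolicySection(package=parts[1], explicit=False)
    raise ValueError(f"malformed %sepolicy header: {line!r}")


def parse_sepolicy(text: str) -> SepolicySection:
    """Parse one %sepolicy section: header line followed by the body."""
    section: Optional[SepolicySection] = None
    current: Optional[Module] = None
    for raw in text.splitlines():
        line = raw.strip()         # surrounding whitespace is ignored
        if not line or line.startswith("#"):
            continue
        if section is None:
            section = parse_header(line)
            continue
        tokens = line.split()
        if tokens[0] in DIRECTIVES:
            if len(tokens) != 2:
                raise ValueError(f"directive needs exactly one path: {raw!r}")
            stem = os.path.basename(tokens[1]).split(".", 1)[0]
            current = Module(path=tokens[1], name=stem)
            section.modules.append(current)
            continue
        m = TAG_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line in %sepolicy body: {raw!r}")
        if current is None:        # options bind to the preceding %module
            raise ValueError(f"option before any %module directive: {raw!r}")
        tag, value = m.group(1).lower(), m.group(2)
        if tag == "name":
            current.name = value
        elif tag == "types":
            current.types = value.split() or ["default"]
        elif value.lower() in BOOL:
            current.base = BOOL[value.lower()]
        else:
            raise ValueError(f"Base must be yes/1 or no/0: {raw!r}")
    if section is None:
        raise ValueError("no %sepolicy header found")
    return section


def target_package(section: SepolicySection, main_package: str) -> str:
    """Name of the (sub)package that receives this section's modules."""
    if section.package is None:
        return main_package
    return section.package if section.explicit else f"{main_package}-{section.package}"


# Constructed sample: the example given in the thread, verbatim.
SAMPLE_MAIN = """\
%sepolicy
%module policy/foo.pp
  Name: foo
  Types: mls
%module policy/bar.pp
  Name: bar
  Types: strict targeted mls
  Base: yes
"""

# Constructed sample: "-n" header and a module that relies on the defaults.
SAMPLE_SUB = """\
%sepolicy -n bar
%module policies/baz.pp
"""
```

The module Name is kept on the Module object and never touches the package name, so a `Name:` tag under `%module` cannot collide with the spec's `%{name}`; the package a section belongs to is derived solely from the `%sepolicy` header by `target_package`. Calling `parse_sepolicy(SAMPLE_SUB)` yields one module named `baz` with types `["default"]` and `base` false, the defaults the patch description specifies.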

