[Rpm-maint] [PATCH 2/6] Add new %sepolicy section to the spec file format
Panu Matilainen
pmatilai at laiskiainen.org
Mon Jul 26 10:57:54 UTC 2010

On Wed, 14 Jul 2010, Steve Lawrence wrote:
> The %sepolicy section is used to describe SELinux policy to be included
> in a package. Its syntax is similar to other sections (%files, %pre,
> %post, etc.) in that you can provide a string and -n after the
> declaration to specify policy should be added to a subpackage.
>
> For example:
>
> %sepolicy
> # policy in this section will be added to the main package
>
> %sepolicy foo
> # policy in this section will be added to the '<mainpackage>-foo' subpackage
>
> %sepolicy -n bar
> # policy in this section will be added to the 'bar' subpackage
>
> The %sepolicy section contains zero or more %module directives, each of
> which specifies a path into the build directory of a policy file, for
> example:
>
> %module policies/foo.pp
> %module policies/bar.pp
>
> After each %module directive can be zero or more options, specified in
> the same format as Preamble tags. The current options are:
>
> Base: Whether or not the module is a base module. Values can be
> yes/1 or no/0. Defaults to no/0 if not given.
>
> Name: The name of the module. If not given, we assume the name is
> the basename of the module file with file extensions removed.
>
> Types: One or more space-separated strings specifying which policy
> types the module can work with. To explicitly state that a module
> can work with any policy type, "default" can be specified as
> the value. If not specified, we assume the module can work with
> any policy type, and assign the types as "default".
>
> Spaces before and after the %module directive and options are ignored.
> Options always apply to the previously defined %module directive.
>
> Below is an example of this new format:
>
> %sepolicy
> %module policy/foo.pp
> Name: foo
> Types: mls
> %module policy/bar.pp
> Name: bar
> Types: strict targeted mls
> Base: yes

Since these are "options", why not actually make them options to the
%module directive? Eg

%module -n foo policy/foo.pp
%module -n bar -b policy/bar.pp

..where -n stands for the optional name, and -b for "base". Types might
make more sense as it is, but OTOH "-t strict,targeted,mls" would be just
as well I think. Also offloading the option parsing to popt should
simplify the code somewhat too.

Especially I'm concerned with the overloading of "Name", I didn't look up
the code whether it ends up redefining %{name} macro (which would likely
break some specs) or not, but in any case it looks like an unnecessary
ambiguity.

- Panu -
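
The section body format described in the quoted patch message, as an added example that is not part of the original thread and not rpm's own code: a small Python parser that applies the stated defaults and binds each option to the preceding %module. Skipping blank and `#` lines, matching option names case-insensitively, rejecting empty values, and cutting the default name at the first dot of the basename are assumptions.

```python
import os

BOOL = {"yes": True, "1": True, "no": False, "0": False}

# Constructed sample: the example section body from the quoted message.
SAMPLE = """\
%module policy/foo.pp
Name: foo
Types: mls
%module policy/bar.pp
Name: bar
Types: strict targeted mls
Base: yes
"""

def parse_sepolicy(body):
    """Parse one %sepolicy section body into a list of module dicts."""
    modules = []
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()                      # surrounding spaces are ignored
        if not line or line.startswith("#"):    # assumption: skip blanks/comments
            continue
        parts = line.split()
        if parts[0] == "%module":
            if len(parts) != 2:
                raise ValueError(f"line {lineno}: expected '%module <path>'")
            # Defaults: not a base module, any policy type, name from file name
            # (assumption: cut at the first dot of the basename).
            name = os.path.basename(parts[1]).split(".", 1)[0]
            modules.append({"path": parts[1], "name": name,
                            "types": ["default"], "base": False})
            continue
        tag, sep, value = line.partition(":")
        tag, value = tag.strip().lower(), value.strip()
        if not sep or not value:
            raise ValueError(f"line {lineno}: expected 'Option: value'")
        if not modules:
            raise ValueError(f"line {lineno}: option before any %module")
        mod = modules[-1]                       # options bind to the previous %module
        if tag == "name":
            mod["name"] = value
        elif tag == "types":
            mod["types"] = value.split()
        elif tag == "base" and value.lower() in BOOL:
            mod["base"] = BOOL[value.lower()]
        else:
            raise ValueError(f"line {lineno}: bad option {line!r}")
    return modules
```

Calling `parse_sepolicy(SAMPLE)` returns one dict per %module; unknown options and options placed before the first %module raise `ValueError` instead of being silently dropped.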