[Rpm-maint] [PATCH 11/19] Parse new policy requires header and check policy dependencies
Panu Matilainen
pmatilai at laiskiainen.org
Thu Mar 4 10:56:55 UTC 2010
On Tue, 2 Feb 2010, Steve Lawrence wrote:
> After a policy set has been prepared (rpmpolsPrepare), a call to
> rpmpolsCheckDeps will determine if PolicyReuqires: dependencies are met.
> This function only checks against packages currently installed.
>
> Also, PolicyRequires are merged into Requires, so if normal dependency
> checks pass, we know the PolicyRequries packages will be installed by the
> end of the transaction.
The policy/module dependencies seem strangely familiar to me... obsoletes,
conflicts and requires. It should be possible to map them to the existing
dependency information, adding a parallel set of selinux (or anything else
for that matter) specific dependencies looks like road to madness to me.
Here's an idea, related to the pseudo-package issue too:
Instead of creating a parallel universe of dependencies and
pseudo-packages, turn the policy/module bits into transaction elements and
have them processed business as usual. Something in the lines of: detect
the presence of selinux modules in a package in rpmtsAddInstallElement()
create a header of the policy bits and add another transaction
element for it. That way the dependencies etc will get processed along
with everything else, instead of requiring a whole new set of things.
Or so the theory goes - sure it's going to need various enhancements here
and there, such as probably a new element type-bit so added policies would
be something like (TR_ADDED|TR_POLICY) and filter in various places etc.
And actually the case of pseudo-package generation here is a sub-case of
more generic "package(s) within a package" idiom which comes up every now
and then. If the policy parts were stored (at package build-time) in a
header of their own, nested inside the main package header (a header is
just binary data and headers can contain such data),
rpmtsAddInstallElement() could basically just grab the policy header and
call itself to add another element from it, no need for runtime
transformations of dependency and other data.
Again, so the theory goes. I've no doubt various internals will need
tweaking to make it possible in practise.
BTW one very real issue with storing policies in headers (nested or not)
is that the header size is currently capped at 16MB, and people are
already hitting that limit occasionally. It takes a huge number of files
to reach that, but adding arbitrary amount of selinux modules into the
header is not going to do anything to help. The limit needs raising sooner
than later anyway, but packages with headers bigger than 16MB will be
unreadable by every rpm currently deployed, and there's no way to add a
nice little feature-tracking dependency for it.
- Panu -
More information about the Rpm-maint
mailing list