[Rpm-maint] [RFC] Change to Packing Uninstallation Ordering

Steve Lawrence slawrence at tresys.com
Mon May 10 21:27:28 UTC 2010


After digging into the design of our new Collection idea [1] a bit more,
we've realized there are potential ordering problems with the SELinux
part of collections, specifically with upgrades and obsoletes. For
example, assume we already have foo-1.rpm and foo-policy-1.rpm installed
and we are upgrading both packages to version 2. Currently, RPM would
order the upgrade transaction like this:

1. ADD     foo-policy-2
2. ADD     foo-2
3. REMOVE  foo-1
4. REMOVE  foo-policy-1

RPM first performs all adds, then all removals. This means that the
sepolicy collection plugin wouldn't be triggered until after step 4,
when the last member of the sepolicy collection is handled. This means
that when foo-2 is added, the policy from foo-policy-2.rpm won't be
loaded yet, resulting in a potential for files with incorrect SELinux
labels.

Ideally, the ordering would be done like this instead:

1. ADD     foo-policy-2
2. REMOVE  foo-policy-1
3. ADD     foo-2
4. REMOVE  foo-1

The idea is that all removals are performed immediately after the new
package is added rather than at the end of the transaction. In this
case, policy would be loaded after step 2, and foo-2 would be installed
with the correct SELinux labels.

It seems to us that this change in ordering shouldn't break anything.
Though, it looks like this ordering was done very deliberately, so maybe
there are some corner cases or something we are missing.

Thoughts?

- Steve

[1] http://lists.rpm.org/pipermail/rpm-maint/2010-April/002697.html


More information about the Rpm-maint mailing list