Richterrettich / rpm-rs

A pure Rust library for building and parsing RPMs

selinux policy files support #20

Closed drahnr closed 3 years ago

drahnr commented 3 years ago

A WIP attempt to support selinux policy files.

Will eventually close #18

Richterrettich commented 3 years ago

There seems to be an issue with the PR, my commits landed on top of yours which is not good from a git history perspective. You can fix this by removing them and then doing a rebase on top of the master branch.

Also: Can you split this PR into two please? The first one for all the small code improvements, fixed spelling errors and dependency updates. And the other one for the actual feature. I think we can merge the first one very soon since it looks good to me at a first glance.

Other than that, this seems a good starting point though.

drahnr commented 3 years ago

> There seems to be an issue with the PR, my commits landed on top of yours which is not good from a git history perspective. You can fix this by removing them and then doing a rebase on top of the master branch.

It's still a draft ;) (done :ballot_box_with_check: )

> Also: Can you split this PR into two please? The first one for all the small code improvements, fixed spelling errors and dependency updates. And the other one for the actual feature. I think we can merge the first one very soon since it looks good to me at a first glance.

Done, see #21

drahnr commented 3 years ago

Package spec ref as an anchor point for creating an RPM with a policy file: https://src.fedoraproject.org/rpms/memcached/blob/6e70f59bdad0ba4cc1a1a7e5abc237d2e2f1c13a/f/memcached.spec - not sure if the policies are actually stored in the header files anymore.

Richterrettich commented 3 years ago

Maybe you can ask on the Fedora mailing list if this is (or ever was) a common practice to store SELinux policies in RPM headers directly. I've personally never seen an RPM with an encoded SELinux policy, to be honest. It would be interesting to get some insight from upstream.

drahnr commented 3 years ago

It seems the support is there and specified, but nobody is using it - it's not used when installed, so it would be a mere "it's impl'd" case rather than an "it's useful" case.

See https://github.com/rpm-software-management/rpm/issues/1319#issuecomment-673392751

Richterrettich commented 3 years ago

Ah, thanks for taking this upstream.

The partial support is a leftover from attempted policy support, which might some day be reimplemented in a different way, but there are no actual plans to do so.

Maybe we should drop this feature then since it might give the false impression to users that this might actually work or even be best practice.