Keep/Remove Python dependent package: setools-console #122

Closed
sinnykumari opened this issue Jan 17, 2019 · 11 comments · Fixed by coreos/fedora-coreos-config#88
Labels
-python card related to removing a python dependency

Comments

@sinnykumari
Contributor

sinnykumari commented Jan 17, 2019

FCOS community members are trying not to ship Python in the base system. In ticket #92, we have identified a list of Python-dependent packages which are currently installed in FCOS.

This ticket is to investigate whether we really need setools-console in the FCOS base system. If yes, how can we provide setools-console or equivalent functionality without shipping Python?

@dustymabe dustymabe added the -python card related to removing a python dependency label Jan 17, 2019
@sinnykumari
Contributor Author

sinnykumari commented Jan 18, 2019

The setools-console rpm package provides three utilities to analyze SELinux policies:
/usr/bin/sediff
/usr/bin/seinfo
/usr/bin/sesearch

All three utilities require Python.
Do we really need these utilities on the FCOS base system? If possible, maybe users can use fedora-toolbox to get SELinux policy related information about the host machine?

@dustymabe
Member

hmm. They are not utilities I regularly use, but I'm only a sample size of 1. I think we can make it without them.

@jlebon @cgwalters @bgilbert - WDYT?

@bgilbert
Contributor

I'm okay omitting them.

@ajeddeloh
Contributor

They are all tools for querying info about the SELinux policy, not changing it. So while they might be useful for debugging, they aren't needed to actually run the system or even make changes. Interestingly, it looks like setools didn't use to require Python but now does. We ship setools on CL; it's just old enough to not need Python.

@jlebon
Member

jlebon commented Jan 18, 2019

SGTM. I've only used sesearch of those, which is indeed nice for debugging. Though most SELinux issues don't require going that far.

@ajeddeloh
Contributor

ajeddeloh commented Jan 18, 2019

I don't know so, but I'm just going to assume SELinux tools don't containerize well.

@sinnykumari
Contributor Author

Let's finalize in today's FCOS community meeting if we are ok with not having the setools-console package in FCOS.

@sinnykumari sinnykumari added the meeting topics for meetings label Feb 13, 2019
@dustymabe
Member

@lucab brought up that some packages might be depending on this information for rpm scriptlets. While not a comprehensive answer, at least on Fedora 29 Atomic Host it doesn't appear any scriptlets execute those utilities:

[dustymabe@dhcp137-98 annex]$ rpm -qa --scripts | grep sesearch
[dustymabe@dhcp137-98 annex]$ rpm -qa --scripts | grep sediff
[dustymabe@dhcp137-98 annex]$ rpm -qa --scripts | grep seinfo

@bgilbert bgilbert removed the meeting topics for meetings label Feb 13, 2019
@dustymabe
Member

Discussed in the meeting today.

We are going to try to exclude setools-console package and see where we land.

One requested follow-up by @lucab is to try to run those packages inside a container with appropriate bind mounts and verify they can be used containerized. @sinnykumari can you try that?

@sinnykumari
Contributor Author

Thanks Dusty! will try running setools-console tools in container and will update here.

@dustymabe
Member

> Thanks Dusty! will try running setools-console tools in container and will update here.

might as well try semanage as well for #126
