remove obsolete selinux modules #23568
Conversation
Pull Request assignmentSubmitter: @plsph sec-policy/selinux-base-policy: @gentoo/selinux Linked bugsNo bugs to link found. If your pull request references any of the Gentoo bug reports, please add appropriate GLEP 66 tags to the commit message and request reassignment. If you do not receive any reply to this pull request, please open or link a bug to attract the attention of maintainers. Missing GCO sign-offPlease read the terms of Gentoo Certificate of Origin and acknowledge them by adding a sign-off to all your commits. In order to force reassignment and/or bug reference scan, please append Docs: Code of Conduct ● Copyright policy (expl.) ● Devmanual ● GitHub PRs ● Proxy-maint guide |
gentoo-bot
added
assigned
Pull request CI reportReport generated at: 2021-12-29 20:11 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
plsph
force-pushed
the
remove_obsolete_selinux_modules
branch
from
df04fd5
to
e409b5d
Compare
Pull request CI reportReport generated at: 2021-12-30 14:25 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
| @@ -27,6 +27,7 @@ BDEPEND=" | |||
| sys-apps/checkpolicy | |||
| sys-devel/m4" | |||
|
|
|||
| OLD_MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg" | |||
There was a problem hiding this comment.
ooh good catch on the hotplug removal. This mostly looks good but i think i'd rather change OLD_MODS to just be the list of modules to remove instead of needing to be a copy of all of them. that'd be less of a maintenance burden i think,
The issue is I have bumps scripted so copying MODS to OLD_MODS is complicated. also I'll keep the modules to remove list for at least a years worth of packages just in case someone does not update regularly and skips some versions
can we change this to OLD_MODS="hotplug" (or maybe DEL_MODS is nicer?)
There was a problem hiding this comment.
Sure, no problem, that just need to be aligned with upstream to keep DEL_MODS list up to date.
| @@ -105,12 +107,26 @@ pkg_postinst() { | |||
| COMMAND="${COMMAND} -i ${i}.pp" | |||
| done | |||
|
|
|||
| for i in ${OLD_MODS}; do | |||
| if [ -n "${MODS##*$i*}" ]; then | |||
| DEL_MODS="${DEL_MODS} ${i}" | |||
There was a problem hiding this comment.
Once the line above is changed to just the list of modules to remove then this loop can be changed to die instead.
maybe something like:
for i in ${OLD_MODS}; do
[[ ${MODS} != *${i}* ]] || die "Duplicate module in MODS and OLD_MODS: ${i}"
done
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
plsph
force-pushed
the
remove_obsolete_selinux_modules
branch
from
7d9c2b8
to
922deb3
Compare
|
Sorry for force push, I keep forgeting about Certificate of Origin. |
| @@ -27,6 +27,7 @@ BDEPEND=" | |||
| sys-apps/checkpolicy | |||
| sys-devel/m4" | |||
|
|
|||
| DEL_MODS="hotplug" | |||
There was a problem hiding this comment.
Tiny nit: I think DEL_MODS should go underneath MODS
Pull request CI reportReport generated at: 2022-01-01 17:25 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
Pull request CI reportReport generated at: 2022-01-01 22:11 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
|
About the DCO, it looks like your git is misconfigured, i had to use I made some minor changes:
Happy New Year and Thanks for the PR! |
Add cleanup actions to post installation step by identifying removed modules from OLD_MODS list, that is copy from previous ebuild and remove it from selinux module store if installed.
One must maintain OLD_MODS list on each new ebuild by copying it from previous MODS list.