spec: call semanage in posttrans not in post

Submitted by Uri Lublin on Jan. 29, 2019, 4:40 p.m.

Details

Message ID 20190129164032.5916-1-uril@redhat.com
State New
Series "spec: call semanage in posttrans not in post" ( rev: 1 ) in Spice


Commit Message

Uri Lublin Jan. 29, 2019, 4:40 p.m.
It can happen that selinux-policy (targeted) is installed only after
spice-streaming-agent (upon system installation). In that case
running semanage in post scriptlet will fail.

In posttrans all packages are already installed, so it should be
safe to call semanage at that point.

rhbz#1647789

Signed-off-by: Uri Lublin <uril@redhat.com>
---

In a first patch I wrote I also added a condition that
checks if selinuxenabled. If people feel it's better
I'll send a V2 with it.

---
 spice-streaming-agent.spec.in | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Patch

diff --git a/spice-streaming-agent.spec.in b/spice-streaming-agent.spec.in
index 5a06e89..6b5ac22 100644
--- a/spice-streaming-agent.spec.in
+++ b/spice-streaming-agent.spec.in
@@ -13,7 +13,7 @@  BuildRequires:  catch-devel
 BuildRequires:  pkgconfig(udev)
 # we need /usr/sbin/semanage program which is available on different
 # packages depending on distribution
-Requires(post): /usr/sbin/semanage
+Requires(posttrans): /usr/sbin/semanage
 Requires(postun): /usr/sbin/semanage
 
 %description
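Review bot: The Requires(posttrans) line declares only /usr/sbin/semanage, but the scriptlet this patch moves to %posttrans also runs restorecon, and nothing in the lines shown guarantees it is installed by then. If no other dependency in the spec covers it, add a matching Requires(posttrans) for restorecon. The comment above the Requires lines could also say why the ordering is posttrans rather than post, since the failure being fixed is selinux-policy arriving later in the transaction, not semanage being absent.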
@@ -45,7 +45,9 @@  if test -d "%{buildroot}/%{_libdir}/%{name}/plugins"; then
     find %{buildroot}/%{_libdir}/%{name}/plugins -name '*.la' -delete
 fi
 
-%post
+# See rhbz#1647789 - call semanage in posttrans, not in post
+# and https://fedoraproject.org/wiki/Packaging:Scriptlets
+%posttrans
 semanage fcontext -a -t xserver_exec_t %{_bindir}/spice-streaming-agent 2>/dev/null || :
 restorecon %{_bindir}/spice-streaming-agent || :
 
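Review bot: The semanage line under %posttrans still discards stderr and ignores the exit status (`2>/dev/null || :`), so if labelling fails for any other reason the binary silently keeps its default context and nothing shows up in the transaction output. Consider guarding both commands with the selinuxenabled check mentioned in the cover note and dropping the `2>/dev/null`, so that a real failure on an SELinux-enabled system is visible. The new comment would also be more useful if it stated the reason in one line (selinux-policy may be installed after this package in the same transaction) instead of only pointing at the bug number.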

Comments

On Tue, Jan 29, 2019 at 06:40:32PM +0200, Uri Lublin wrote:
> It can happen that selinux-policy (targeted) is installed only after
> spice-streaming-agent (upon system installation). In that case
> running semanage in post scriptlet will fail.
> 
> In posttrans all packages are already installed, so it should be
> safe to call semanage at that point.
> 
> rhbz#1647789
> 
> Signed-off-by: Uri Lublin <uril@redhat.com>
> ---
> 
> In a first patch I wrote I also added a condition that
> checks if selinuxenabled. If people feel it's better
> I'll send a V2 with it.
> 
> ---
>  spice-streaming-agent.spec.in | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/spice-streaming-agent.spec.in b/spice-streaming-agent.spec.in
> index 5a06e89..6b5ac22 100644
> --- a/spice-streaming-agent.spec.in
> +++ b/spice-streaming-agent.spec.in
> @@ -13,7 +13,7 @@ BuildRequires:  catch-devel
>  BuildRequires:  pkgconfig(udev)
>  # we need /usr/sbin/semanage program which is available on different
>  # packages depending on distribution
> -Requires(post): /usr/sbin/semanage
> +Requires(posttrans): /usr/sbin/semanage
>  Requires(postun): /usr/sbin/semanage
>  
>  %description
> @@ -45,7 +45,9 @@ if test -d "%{buildroot}/%{_libdir}/%{name}/plugins"; then
>      find %{buildroot}/%{_libdir}/%{name}/plugins -name '*.la' -delete
>  fi
>  
> -%post
> +# See rhbz#1647789 - call semanage in posttrans, not in post
> +# and https://fedoraproject.org/wiki/Packaging:Scriptlets
> +%posttrans
>  semanage fcontext -a -t xserver_exec_t %{_bindir}/spice-streaming-agent 2>/dev/null || :
>  restorecon %{_bindir}/spice-streaming-agent || :

I'm curious why these commands are present at all? The normal way to deal
with this would be to file a bug against the SELinux policy to explicitly
add the spice-streaming-agent binary to the default policy, so that RPM
will set the correct context at install time.

Regards,
Daniel

> On Tue, Jan 29, 2019 at 06:40:32PM +0200, Uri Lublin wrote:
> > It can happen that selinux-policy (targeted) is installed only after
> > spice-streaming-agent (upon system installation). In that case
> > running semanage in post scriptlet will fail.
> > 
> > In posttrans all packages are already installed, so it should be
> > safe to call semanage at that point.
> > 
> > rhbz#1647789
> > 
> > Signed-off-by: Uri Lublin <uril@redhat.com>
> > ---
> > 
> > In a first patch I wrote I also added a condition that
> > checks if selinuxenabled. If people feel it's better
> > I'll send a V2 with it.
> > 
> > ---
> >  spice-streaming-agent.spec.in | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> > 
> > diff --git a/spice-streaming-agent.spec.in b/spice-streaming-agent.spec.in
> > index 5a06e89..6b5ac22 100644
> > --- a/spice-streaming-agent.spec.in
> > +++ b/spice-streaming-agent.spec.in
> > @@ -13,7 +13,7 @@ BuildRequires:  catch-devel
> >  BuildRequires:  pkgconfig(udev)
> >  # we need /usr/sbin/semanage program which is available on different
> >  # packages depending on distribution
> > -Requires(post): /usr/sbin/semanage
> > +Requires(posttrans): /usr/sbin/semanage
> >  Requires(postun): /usr/sbin/semanage
> >  
> >  %description
> > @@ -45,7 +45,9 @@ if test -d "%{buildroot}/%{_libdir}/%{name}/plugins";
> > then
> >      find %{buildroot}/%{_libdir}/%{name}/plugins -name '*.la' -delete
> >  fi
> >  
> > -%post
> > +# See rhbz#1647789 - call semanage in posttrans, not in post
> > +# and https://fedoraproject.org/wiki/Packaging:Scriptlets
> > +%posttrans
> >  semanage fcontext -a -t xserver_exec_t %{_bindir}/spice-streaming-agent
> >  2>/dev/null || :
> >  restorecon %{_bindir}/spice-streaming-agent || :
> 
> I'm curious why these commands are present at all? The normal way to deal
> with this would be to file a bug against the SELinux policy to explicitly
> add the spice-streaming-agent binary to the default policy, so that RPM
> will set the correct context at install time.
> 
> Regards,
> Daniel

I think the main reasons are historic. We were not sure about the context
and file name so we ended up manually setting it in the spec.
What are the advantages of setting it in the global policies?
I see the disadvantage of adding the policies in all systems, even if they
won't have these files, and the burden of opening all tickets.

Frediano

On Wed, Jan 30, 2019 at 04:05:27AM -0500, Frediano Ziglio wrote:
> > On Tue, Jan 29, 2019 at 06:40:32PM +0200, Uri Lublin wrote:
> > > It can happen that selinux-policy (targeted) is installed only after
> > > spice-streaming-agent (upon system installation). In that case
> > > running semanage in post scriptlet will fail.
> > > 
> > > In posttrans all packages are already installed, so it should be
> > > safe to call semanage at that point.
> > > 
> > > rhbz#1647789
> > > 
> > > Signed-off-by: Uri Lublin <uril@redhat.com>
> > > ---
> > > 
> > > In a first patch I wrote I also added a condition that
> > > checks if selinuxenabled. If people feel it's better
> > > I'll send a V2 with it.
> > > 
> > > ---
> > >  spice-streaming-agent.spec.in | 6 ++++--
> > >  1 file changed, 4 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/spice-streaming-agent.spec.in b/spice-streaming-agent.spec.in
> > > index 5a06e89..6b5ac22 100644
> > > --- a/spice-streaming-agent.spec.in
> > > +++ b/spice-streaming-agent.spec.in
> > > @@ -13,7 +13,7 @@ BuildRequires:  catch-devel
> > >  BuildRequires:  pkgconfig(udev)
> > >  # we need /usr/sbin/semanage program which is available on different
> > >  # packages depending on distribution
> > > -Requires(post): /usr/sbin/semanage
> > > +Requires(posttrans): /usr/sbin/semanage
> > >  Requires(postun): /usr/sbin/semanage
> > >  
> > >  %description
> > > @@ -45,7 +45,9 @@ if test -d "%{buildroot}/%{_libdir}/%{name}/plugins";
> > > then
> > >      find %{buildroot}/%{_libdir}/%{name}/plugins -name '*.la' -delete
> > >  fi
> > >  
> > > -%post
> > > +# See rhbz#1647789 - call semanage in posttrans, not in post
> > > +# and https://fedoraproject.org/wiki/Packaging:Scriptlets
> > > +%posttrans
> > >  semanage fcontext -a -t xserver_exec_t %{_bindir}/spice-streaming-agent
> > >  2>/dev/null || :
> > >  restorecon %{_bindir}/spice-streaming-agent || :
> > 
> > I'm curious why these commands are present at all? The normal way to deal
> > with this would be to file a bug against the SELinux policy to explicitly
> > add the spice-streaming-agent binary to the default policy, so that RPM
> > will set the correct context at install time.
> 
> I think the main reasons are historic. We were not sure about the context
> and file name so we ended up manually setting it in the spec.
> What are the advantages of setting it in the global policies?
> I see the disadvantage of adding the policies in all systems, even if they
> won't have these files, and the burden of opening all tickets.

Adding to the SELinux policy ensures that security policy additions get
reviewed by the SELinux maintainers. It also ensures that the policy has
the right rules regardless of how the user installs the binary. Not every
distro that uses SELinux uses RPMs, or the RPM spec bundled here. It
would also have avoided the bug you hit here with the race condition.


Regards,
Daniel

> On Wed, Jan 30, 2019 at 04:05:27AM -0500, Frediano Ziglio wrote:
> > > On Tue, Jan 29, 2019 at 06:40:32PM +0200, Uri Lublin wrote:
> > > > It can happen that selinux-policy (targeted) is installed only after
> > > > spice-streaming-agent (upon system installation). In that case
> > > > running semanage in post scriptlet will fail.
> > > > 
> > > > In posttrans all packages are already installed, so it should be
> > > > safe to call semanage at that point.
> > > > 
> > > > rhbz#1647789
> > > > 
> > > > Signed-off-by: Uri Lublin <uril@redhat.com>
> > > > ---
> > > > 
> > > > In a first patch I wrote I also added a condition that
> > > > checks if selinuxenabled. If people feel it's better
> > > > I'll send a V2 with it.
> > > > 
> > > > ---
> > > >  spice-streaming-agent.spec.in | 6 ++++--
> > > >  1 file changed, 4 insertions(+), 2 deletions(-)
> > > > 
> > > > diff --git a/spice-streaming-agent.spec.in
> > > > b/spice-streaming-agent.spec.in
> > > > index 5a06e89..6b5ac22 100644
> > > > --- a/spice-streaming-agent.spec.in
> > > > +++ b/spice-streaming-agent.spec.in
> > > > @@ -13,7 +13,7 @@ BuildRequires:  catch-devel
> > > >  BuildRequires:  pkgconfig(udev)
> > > >  # we need /usr/sbin/semanage program which is available on different
> > > >  # packages depending on distribution
> > > > -Requires(post): /usr/sbin/semanage
> > > > +Requires(posttrans): /usr/sbin/semanage
> > > >  Requires(postun): /usr/sbin/semanage
> > > >  
> > > >  %description
> > > > @@ -45,7 +45,9 @@ if test -d "%{buildroot}/%{_libdir}/%{name}/plugins";
> > > > then
> > > >      find %{buildroot}/%{_libdir}/%{name}/plugins -name '*.la' -delete
> > > >  fi
> > > >  
> > > > -%post
> > > > +# See rhbz#1647789 - call semanage in posttrans, not in post
> > > > +# and https://fedoraproject.org/wiki/Packaging:Scriptlets
> > > > +%posttrans
> > > >  semanage fcontext -a -t xserver_exec_t
> > > >  %{_bindir}/spice-streaming-agent
> > > >  2>/dev/null || :
> > > >  restorecon %{_bindir}/spice-streaming-agent || :
> > > 
> > > I'm curious why these commands are present at all? The normal way to
> > > deal
> > > with this would be to file a bug against the SELinux policy to explicitly
> > > add the spice-streaming-agent binary to the default policy, so that RPM
> > > will set the correct context at install time.
> > 
> > I think the main reasons are historic. We were not sure about the context
> > and file name so we ended up manually setting it in the spec.
> > What are the advantages of setting it in the global policies?
> > I see the disadvantage of adding the policies in all systems, even if they
> > won't have these files, and the burden of opening all tickets.
> 
> Adding to the SELinux policy ensures that security policy additions get
> reviewed by the SELinux maintainers. It also ensures that the policy has
> the right rules regardless of how the user installs the binary. Not every
> distro that uses SELinux uses RPMs, or the RPM spec bundled here. It
> would also have avoided the bug you hit here with the race condition.
> 
> 
> Regards,
> Daniel

How is it possible to open such a bug?
Which project?
Do you have an example?

Frediano

On Thu, Jan 31, 2019 at 10:05:58AM -0500, Frediano Ziglio wrote:
> > On Wed, Jan 30, 2019 at 04:05:27AM -0500, Frediano Ziglio wrote:
> > > > On Tue, Jan 29, 2019 at 06:40:32PM +0200, Uri Lublin wrote:
> > > > > It can happen that selinux-policy (targeted) is installed only after
> > > > > spice-streaming-agent (upon system installation). In that case
> > > > > running semanage in post scriptlet will fail.
> > > > > 
> > > > > In posttrans all packages are already installed, so it should be
> > > > > safe to call semanage at that point.
> > > > > 
> > > > > rhbz#1647789
> > > > > 
> > > > > Signed-off-by: Uri Lublin <uril@redhat.com>
> > > > > ---
> > > > > 
> > > > > In a first patch I wrote I also added a condition that
> > > > > checks if selinuxenabled. If people feel it's better
> > > > > I'll send a V2 with it.
> > > > > 
> > > > > ---
> > > > >  spice-streaming-agent.spec.in | 6 ++++--
> > > > >  1 file changed, 4 insertions(+), 2 deletions(-)
> > > > > 
> > > > > diff --git a/spice-streaming-agent.spec.in
> > > > > b/spice-streaming-agent.spec.in
> > > > > index 5a06e89..6b5ac22 100644
> > > > > --- a/spice-streaming-agent.spec.in
> > > > > +++ b/spice-streaming-agent.spec.in
> > > > > @@ -13,7 +13,7 @@ BuildRequires:  catch-devel
> > > > >  BuildRequires:  pkgconfig(udev)
> > > > >  # we need /usr/sbin/semanage program which is available on different
> > > > >  # packages depending on distribution
> > > > > -Requires(post): /usr/sbin/semanage
> > > > > +Requires(posttrans): /usr/sbin/semanage
> > > > >  Requires(postun): /usr/sbin/semanage
> > > > >  
> > > > >  %description
> > > > > @@ -45,7 +45,9 @@ if test -d "%{buildroot}/%{_libdir}/%{name}/plugins";
> > > > > then
> > > > >      find %{buildroot}/%{_libdir}/%{name}/plugins -name '*.la' -delete
> > > > >  fi
> > > > >  
> > > > > -%post
> > > > > +# See rhbz#1647789 - call semanage in posttrans, not in post
> > > > > +# and https://fedoraproject.org/wiki/Packaging:Scriptlets
> > > > > +%posttrans
> > > > >  semanage fcontext -a -t xserver_exec_t
> > > > >  %{_bindir}/spice-streaming-agent
> > > > >  2>/dev/null || :
> > > > >  restorecon %{_bindir}/spice-streaming-agent || :
> > > > 
> > > > I'm curious why these commands are present at all? The normal way to
> > > > deal
> > > > with this would be to file a bug against the SELinux policy to explicitly
> > > > add the spice-streaming-agent binary to the default policy, so that RPM
> > > > will set the correct context at install time.
> > > 
> > > I think the main reasons are historic. We were not sure about the context
> > > and file name so we ended up manually setting it in the spec.
> > > What are the advantages of setting it in the global policies?
> > > I see the disadvantage of adding the policies in all systems, even if they
> > > won't have these files, and the burden of opening all tickets.
> > 
> > Adding to the SELinux policy ensures that security policy additions get
> > reviewed by the SELinux maintainers. It also ensures that the policy has
> > the right rules regardless of how the user installs the binary. Not every
> > distro that uses SELinux uses RPMs, or the RPM spec bundled here. It
> > would also have avoided the bug you hit here with the race condition.
> > 
> 
> How is it possible to open such a bug?
> Which project?

Normally it would be a bug against 'selinux-policy' component, either in
a Fedora, or a RHEL product, or even both.

> Do you have an example?

https://bugzilla.redhat.com/show_bug.cgi?id=488232
https://bugzilla.redhat.com/show_bug.cgi?id=1311606

Regards,
Daniel

> 
> It can happen that selinux-policy (targeted) is installed only after
> spice-streaming-agent (upon system installation). In that case
> running semanage in post scriptlet will fail.
> 
> In posttrans all packages are already installed, so it should be
> safe to call semanage at that point.
> 
> rhbz#1647789
> 
> Signed-off-by: Uri Lublin <uril@redhat.com>
> ---
> 
> In a first patch I wrote I also added a condition that
> checks if selinuxenabled. If people feel it's better
> I'll send a V2 with it.
> 

I see no reason why adding to selinux-policy should be a stopover
for this fix in the meanwhile.

Acked-by: Frediano Ziglio <fziglio@redhat.com>

Frediano

> ---
>  spice-streaming-agent.spec.in | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/spice-streaming-agent.spec.in b/spice-streaming-agent.spec.in
> index 5a06e89..6b5ac22 100644
> --- a/spice-streaming-agent.spec.in
> +++ b/spice-streaming-agent.spec.in
> @@ -13,7 +13,7 @@ BuildRequires:  catch-devel
>  BuildRequires:  pkgconfig(udev)
>  # we need /usr/sbin/semanage program which is available on different
>  # packages depending on distribution
> -Requires(post): /usr/sbin/semanage
> +Requires(posttrans): /usr/sbin/semanage
>  Requires(postun): /usr/sbin/semanage
>  
>  %description
> @@ -45,7 +45,9 @@ if test -d "%{buildroot}/%{_libdir}/%{name}/plugins"; then
>      find %{buildroot}/%{_libdir}/%{name}/plugins -name '*.la' -delete
>  fi
>  
> -%post
> +# See rhbz#1647789 - call semanage in posttrans, not in post
> +# and https://fedoraproject.org/wiki/Packaging:Scriptlets
> +%posttrans
>  semanage fcontext -a -t xserver_exec_t %{_bindir}/spice-streaming-agent
>  2>/dev/null || :
>  restorecon %{_bindir}/spice-streaming-agent || :
>

On Tue, Feb 05, 2019 at 09:30:39AM -0500, Frediano Ziglio wrote:
> > 
> > It can happen that selinux-policy (targeted) is installed only after
> > spice-streaming-agent (upon system installation). In that case
> > running semanage in post scriptlet will fail.
> > 
> > In posttrans all packages are already installed, so it should be
> > safe to call semanage at that point.
> > 
> > rhbz#1647789
> > 
> > Signed-off-by: Uri Lublin <uril@redhat.com>
> > ---
> > 
> > In a first patch I wrote I also added a condition that
> > checks if selinuxenabled. If people feel it's better
> > I'll send a V2 with it.
> > 
> 
> I see no reason why adding to selinux-policy should be a stopover
> for this fix in the meanwhile.
> 
> Acked-by: Frediano Ziglio <fziglio@redhat.com>

Ensuring that a bug is fixed in the right place, and explaining this in
the commit log should be a stopper though.

Christophe

> 
> Frediano
> 
> > ---
> >  spice-streaming-agent.spec.in | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> > 
> > diff --git a/spice-streaming-agent.spec.in b/spice-streaming-agent.spec.in
> > index 5a06e89..6b5ac22 100644
> > --- a/spice-streaming-agent.spec.in
> > +++ b/spice-streaming-agent.spec.in
> > @@ -13,7 +13,7 @@ BuildRequires:  catch-devel
> >  BuildRequires:  pkgconfig(udev)
> >  # we need /usr/sbin/semanage program which is available on different
> >  # packages depending on distribution
> > -Requires(post): /usr/sbin/semanage
> > +Requires(posttrans): /usr/sbin/semanage
> >  Requires(postun): /usr/sbin/semanage
> >  
> >  %description
> > @@ -45,7 +45,9 @@ if test -d "%{buildroot}/%{_libdir}/%{name}/plugins"; then
> >      find %{buildroot}/%{_libdir}/%{name}/plugins -name '*.la' -delete
> >  fi
> >  
> > -%post
> > +# See rhbz#1647789 - call semanage in posttrans, not in post
> > +# and https://fedoraproject.org/wiki/Packaging:Scriptlets
> > +%posttrans
> >  semanage fcontext -a -t xserver_exec_t %{_bindir}/spice-streaming-agent
> >  2>/dev/null || :
> >  restorecon %{_bindir}/spice-streaming-agent || :
> >  

> On Tue, Feb 05, 2019 at 09:30:39AM -0500, Frediano Ziglio wrote:
> > > 
> > > It can happen that selinux-policy (targeted) is installed only after
> > > spice-streaming-agent (upon system installation). In that case
> > > running semanage in post scriptlet will fail.
> > > 
> > > In posttrans all packages are already installed, so it should be
> > > safe to call semanage at that point.
> > > 
> > > rhbz#1647789
> > > 
> > > Signed-off-by: Uri Lublin <uril@redhat.com>
> > > ---
> > > 
> > > In a first patch I wrote I also added a condition that
> > > checks if selinuxenabled. If people feel it's better
> > > I'll send a V2 with it.
> > > 
> > 
> > I see no reason why adding to selinux-policy should be a stopover
> > for this fix in the meanwhile.
> > 
> > Acked-by: Frediano Ziglio <fziglio@redhat.com>
> 
> Ensuring that a bug is fixed in the right place, and explaining this in
> the commit log should be a stopper though.
> 
> Christophe
> 

It's not clear what you are suggesting.
Adding a sentence in the commit message?

> > 
> > Frediano
> > 
> > > ---
> > >  spice-streaming-agent.spec.in | 6 ++++--
> > >  1 file changed, 4 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/spice-streaming-agent.spec.in
> > > b/spice-streaming-agent.spec.in
> > > index 5a06e89..6b5ac22 100644
> > > --- a/spice-streaming-agent.spec.in
> > > +++ b/spice-streaming-agent.spec.in
> > > @@ -13,7 +13,7 @@ BuildRequires:  catch-devel
> > >  BuildRequires:  pkgconfig(udev)
> > >  # we need /usr/sbin/semanage program which is available on different
> > >  # packages depending on distribution
> > > -Requires(post): /usr/sbin/semanage
> > > +Requires(posttrans): /usr/sbin/semanage
> > >  Requires(postun): /usr/sbin/semanage
> > >  
> > >  %description
> > > @@ -45,7 +45,9 @@ if test -d "%{buildroot}/%{_libdir}/%{name}/plugins";
> > > then
> > >      find %{buildroot}/%{_libdir}/%{name}/plugins -name '*.la' -delete
> > >  fi
> > >  
> > > -%post
> > > +# See rhbz#1647789 - call semanage in posttrans, not in post
> > > +# and https://fedoraproject.org/wiki/Packaging:Scriptlets
> > > +%posttrans
> > >  semanage fcontext -a -t xserver_exec_t %{_bindir}/spice-streaming-agent
> > >  2>/dev/null || :
> > >  restorecon %{_bindir}/spice-streaming-agent || :
> > >

On Tue, Feb 05, 2019 at 01:24:38PM -0500, Frediano Ziglio wrote:
> > On Tue, Feb 05, 2019 at 09:30:39AM -0500, Frediano Ziglio wrote:
> > > > 
> > > > It can happen that selinux-policy (targeted) is installed only after
> > > > spice-streaming-agent (upon system installation). In that case
> > > > running semanage in post scriptlet will fail.
> > > > 
> > > > In posttrans all packages are already installed, so it should be
> > > > safe to call semanage at that point.
> > > > 
> > > > rhbz#1647789
> > > > 
> > > > Signed-off-by: Uri Lublin <uril@redhat.com>
> > > > ---
> > > > 
> > > > In a first patch I wrote I also added a condition that
> > > > checks if selinuxenabled. If people feel it's better
> > > > I'll send a V2 with it.
> > > > 
> > > 
> > > I see no reason why adding to selinux-policy should be a stopover
> > > for this fix in the meanwhile.
> > > 
> > > Acked-by: Frediano Ziglio <fziglio@redhat.com>
> > 
> > Ensuring that a bug is fixed in the right place, and explaining this in
> > the commit log should be a stopper though.
> > 
> > Christophe
> > 
> 
> It's not clear what you are suggesting.
> Adding a sentence in the commit message?

Did we file a selinux bug asking for this addition?
If yes, where is this bug?
And yes, if the right fix is for this hypothetical bug to be fixed, then
this should be explained in the commit log.

However, I think spice-streaming-agent is not yet available in Fedora?
In which case it would be too early for the aforementioned bug I think
:-/

Christophe