SELinux RPM scriptlet issue announcement

Michael Schwendt mschwendt at
Sun Jan 19 18:57:19 UTC 2014

On Sun, 19 Jan 2014 20:32:26 +0200, Jonathan Dieter wrote:

> If scriptlet failures weren't fatal, we wouldn't have the problem we
> have now with duplicate packages.  We could have just pushed the selinux
> update,

After installing the previous bad update that breaks scriptlets, how would
you activate the new selinux policy within the fixed package's %post scriptlet?
Instead of updating to the package in permissive mode, you would need to
run the scriptlet contents manually *and* still reinstall any package where
the scriptlets failed.

> [...] then bumped the release for all updates in the last few pushes,
> and then rebuilt them.

How do you know which packages a user has tried to install/update _after_
updating to the bad policy package? It could be any package within the package
collection that would remain installed but broken because of the scriptlets bug.
You assume that users have only applied the few updates following the bad
selinux policy update.
