SELinux RPM scriptlet issue announcement
jdieter at lesbg.com
Sun Jan 19 20:20:54 UTC 2014
On Jan 19, 2014 8:57 PM, "Michael Schwendt" <mschwendt at gmail.com> wrote:
> On Sun, 19 Jan 2014 20:32:26 +0200, Jonathan Dieter wrote:
> > If scriptlet failures weren't fatal, we wouldn't have the problem we
> > have now with duplicate packages. We could have just pushed the selinux
> > update,
> After installing the previous bad update that breaks scriptlets, how would
> you activate the new selinux policy within the fixed package's %post
> Instead of updating to the package in permissive mode, you would need to
> run the scriptlet contents manually *and* still reinstall any package where
> the scriptlets failed.
I was focusing on the fact that scriptlet failures lead to duplicates in
the rpm database, but, you're right, it's not the main problem.
I still think there's a good case for making scriptlet errors non-fatal,
but, in this situation, it would have had a minimal benefit.
> > [...] then bumped the release for all updates in the last few pushes,
> > and then rebuilt them.
> How do you know which packages a user has tried to install/update _after_
> updating to the bad policy package? It could be any package within the
> collection that would remain installed but broken because of the
> You assume that users have only applied the few updates following the bad
> selinux policy update.
ACK. I didn't think this part through properly.