Bugzilla – Bug 1223538
[SELinux] Installing selinux-policy-targeted with recommends enabled brings in 600 packages
Last modified: 2024-05-02 13:09:55 UTC
Created attachment 874561
Zypper output from a fresh distrobox container

Operating System: openSUSE Tumbleweed
SELinux status, mode and policy name: Enabled, Enforcing, Targeted
SELinux policy version and repository: 20240321-1.2

When trying to install selinux-policy-targeted on a fresh installation with recommends turned ON, zypper wants to install ~600 packages, some of which are:
- CMake
- Jupyter
- pandoc-cli (with all ghc-* requirements it has)
- Qt 6

Did some digging and found that one of the problematic chains is the following:
1. selinux requires policycoreutils >= 3.6
2. policycoreutils recommends setools-console
3. setools-console requires python3-setools = 4.5.0
4. python3-setools requires python3-networkx
5. python3-networkx seems to be the problematic dependency

Another is the following:
1. Any package providing a policy using %{selinux_requires} will require policycoreutils-python-utils
2. policycoreutils-python-utils requires python3-policycoreutils
3. python3-policycoreutils requires python3-setools
4. python3-setools requires python3-networkx
5. python3-networkx seems to be the problematic dependency

This also happens when running DUP on a box with Tumbleweed and SELinux already installed (last update was ~2 weeks ago).
The networkx python package is just problematic. It was already set as optional by upstream in the past, then inadvertently turned back to required by upstream in release 5.6.0.

Cathy already reported this:
https://github.com/SELinuxProject/setools/pull/126

and a more general fix was just merged by upstream:
https://github.com/SELinuxProject/setools/pull/128

Not sure how long it will take for upstream to release that fix into a new version. Perhaps we can come up with an interim solution like changing the python3-setools "Require: python3-networkx" into a Suggests (I think that dependency would be weak enough?) in our own packaging.

Let me revisit this tomorrow.
Sorry, wrong copy-paste.

The fix is on its way to Factory in
https://build.opensuse.org/request/show/1171339

In the meantime, if you want you can test by installing setools from the devel project
https://build.opensuse.org/package/show/security:SELinux/setools
(In reply to Filippo Bonazzi from comment #3)
> Sorry, wrong copy-paste.
>
> The fix is on its way to Factory in
> https://build.opensuse.org/request/show/1171339
>
> In the meantime, if you want you can test by installing setools from the
> devel project
> https://build.opensuse.org/package/show/security:SELinux/setools

Tested installing selinux-policy on a fresh distrobox container with the devel repo enabled and can confirm that now it pulls down what is expected (40-ish packages and ~100MB of installed size).

I am attaching the zypper output in any case, if you want to check it.
Created attachment 874623
Zypper output with networkx as suggests
Yeah that looks right. I'll keep tabs on the Factory request until it's merged. I'm closing this bug now, but feel free to reopen if the issue should persist.
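
Added example, not part of the thread or of openSUSE's packaging: a small Python model of the two dependency chains listed in the report, showing which installs reach python3-networkx with recommends on or off, and after the Requires-to-Suggests change proposed in the thread. The edge list is constructed from the chains as written; `policy-pkg` is a hypothetical name for any package using %{selinux_requires}.

```python
from collections import deque

# Constructed from the two chains in the report; kind is the RPM dependency type.
# "policy-pkg" is a hypothetical stand-in for any package using %{selinux_requires}.
DEPS = {
    "selinux": [("policycoreutils", "requires")],
    "policycoreutils": [("setools-console", "recommends")],
    "setools-console": [("python3-setools", "requires")],
    "policy-pkg": [("policycoreutils-python-utils", "requires")],
    "policycoreutils-python-utils": [("python3-policycoreutils", "requires")],
    "python3-policycoreutils": [("python3-setools", "requires")],
    "python3-setools": [("python3-networkx", "requires")],
}

def closure(root, deps, recommends=True):
    """Return {package: path from root} for everything the resolver pulls in."""
    # Suggests are never followed: they are hints, not installed automatically.
    follow = {"requires"} | ({"recommends"} if recommends else set())
    paths, queue = {root: [root]}, deque([root])
    while queue:
        pkg = queue.popleft()
        for dep, kind in deps.get(pkg, []):
            if kind in follow and dep not in paths:
                paths[dep] = paths[pkg] + [dep]
                queue.append(dep)
    return paths

def weaken(deps, pkg, dep, kind="suggests"):
    """Copy of deps with the pkg -> dep edge downgraded to a weak dependency."""
    out = {p: list(edges) for p, edges in deps.items()}
    out[pkg] = [(d, kind if d == dep else k) for d, k in out[pkg]]
    return out

if __name__ == "__main__":
    fixed = weaken(DEPS, "python3-setools", "python3-networkx")
    for root in ("selinux", "policy-pkg"):
        for label, graph in (("current", DEPS), ("networkx as Suggests", fixed)):
            for rec in (True, False):
                path = closure(root, graph, rec).get("python3-networkx")
                print(f"{root:10} {label:22} recommends={rec}: "
                      f"{' -> '.join(path) if path else 'networkx not installed'}")
```

Running it shows that the second chain consists only of hard requirements, so disabling recommends does not avoid networkx there; only the packaging change does.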