Bug 1182304

Summary: incorrect specification of ghost file mlocate.db in mlocate package
Product: Red Hat Enterprise Linux 6
Reporter: Paulo Andrade <pandrade>
Component: mlocate
Assignee: Michal Sekletar <msekleta>
Status: CLOSED ERRATA
QA Contact: Stefan Kremen <skremen>
Severity: low
Priority: unspecified
Version: 6.6
CC: pandrade, skremen
Target Milestone: rc
Hardware: All
OS: All
Doc Type: Bug Fix
Doc Text:
Cause: The mlocate package wrongly claimed that its database file has owner:group equal to root:root and that its permissions are 644. However, the database file is not shipped in the rpm package itself, and it is created with root:slocate 640 permissions.
Consequence: OpenSCAP tools are reporting this problem.
Fix: Adjusted permissions in the mlocate spec file.
Result: OpenSCAP tools should not issue warnings, and the rpm database will reflect the actual state of the database file on the system.
Clone Of:
: 1185798 (view as bug list) Environment:
Last Closed: 2015-03-12 09:00:38 UTC
Type: Bug
Bug Blocks: 1182306, 1182307, 1185798

Description Paulo Andrade 2015-01-14 20:17:59 UTC
The mlocate rpm correctly defines mlocate.db to be a ghost file. However, it is incorrectly stated that this file is owned by group root and that the mode is 644. When updatedb runs, it creates the files with group slocate and mode 640.
This leads to rpm verification errors, which lead to failed compliance checks.

This bug may be present in other RHEL versions as well.

A simple mlocate.spec pseudo patch would be:

-%ghost %{_localstatedir}/lib/mlocate/mlocate.db
+%ghost %attr(0640,root,slocate) %{_localstatedir}/lib/mlocate/mlocate.db
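
Review bot: The `+` line corrects mode and ownership only; the `%ghost` entry still has no `%verify` exclusions. The dump output in comment 8 shows the package recording size 0 and the empty-file digest for mlocate.db, which the file written by updatedb will never match, so a tool that compares `rpm -ql --dump` with the live file can still flag this entry. Consider adding `%verify(not md5 size mtime)` to the same line, and after rebuilding check that the dump line reads `0100640 root slocate`.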

Comment 2 Michal Sekletar 2015-01-15 08:40:39 UTC
For rhel-6.7 there will be fastrack errata for mlocate. I think this bug is suitable for inclusion in that errata.

Comment 6 Stefan Kremen 2015-01-28 16:20:54 UTC
Hi Paulo,

I am unable to reproduce the bug. All tested stable systems (rhel 5, 6 and 7) showed correct permissions 640 even before applying this patch and running "rpm --verify mlocate" didn't complain.

Even after permissions have been changed manually to 644 the "rpm --verify mlocate" didn't complain a bit.

Would you please state on which rhel, rpm and mlocate versions you were able to see this problem?

Thank you, Stefan

Comment 7 Paulo Andrade 2015-01-28 18:14:32 UTC
Hi Stefan,

I asked the customer. I believe it should be some custom
tool.

At least in rhel-6 and rhel-7, I could not find a way
to force "rpm -V" to even consider checking ghost files.

I can think of some script that would use "rpm -ql --dump"
and compare with actual files, but could not find
anything related.

Comment 8 Stefan Kremen 2015-01-29 12:52:51 UTC
(In reply to Paulo Andrade from comment #7)
> I can think of some script that would use "rpm -ql --dump"

Hi Paulo, thank you for suggesting this, it was helpful and I am now able to get the reproducer:

# rpm -ql --dump mlocate | grep -E "^/var/lib/mlocate/mlocate\.db.*644 root root.*$"
/var/lib/mlocate/mlocate.db 0 1348490607 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0100644 root root 0 0 0 X

Comment 10 Paulo Andrade 2015-01-29 15:32:06 UTC
Hi Stefan,

Quoting the reply from the customer

"""
the issue was flagged by openscap runs. I then compared the output of rpm -qlv with the actual permissions in the filesystem. E.g:

# rpm -qlv mlocate
[...]
drwxr-x---    2 root    slocate                     0 Sep 24  2012 /var/lib/mlocate
-rw-r--r--    1 root    root                        0 Sep 24  2012 /var/lib/mlocate/mlocate.db

# ls -al /var/lib/mlocate
total 1424
drwxr-x---.  2 root slocate    4096 Jan 29 03:22 .
drwxr-xr-x. 34 root root       4096 Jan  8 18:20 ..
-rw-r-----.  1 root slocate 1448261 Jan 29 03:22 mlocate.db

As you can see the rpm requires permissions 0644 and root:root ownership, while the updatedb command will create the file with permissions 0640 and ownership root:slocate.
"""
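
A comparison of the kind comment 7 imagines, as an added example that is not part of the original thread or of any Red Hat tool: it parses `rpm -ql --dump` lines and reports mode, owner and group mismatches against the filesystem. The function names are hypothetical; the sample line is the one from comment 8 and the on-disk values are taken from the `ls -al` output in comment 10.

```python
import grp
import os
import pwd
import stat

# Fields of one `rpm -ql --dump` line, left to right.
FIELDS = ("path", "size", "mtime", "digest", "mode", "owner", "group",
          "isconfig", "isdoc", "rdev", "symlink")

def parse_dump_line(line):
    """Parse one dump line; split from the right so paths with spaces survive."""
    parts = line.rstrip("\n").rsplit(" ", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("not an rpm --dump line: %r" % line)
    entry = dict(zip(FIELDS, parts))
    entry["mode"] = int(entry["mode"], 8)  # e.g. 0100644: file type + permissions
    return entry

def stat_file(path):
    """Mode, owner and group of the file as it exists on disk."""
    st = os.lstat(path)
    return {"mode": st.st_mode,
            "owner": pwd.getpwuid(st.st_uid).pw_name,
            "group": grp.getgrgid(st.st_gid).gr_name}

def compare(entry, actual):
    """Return a list of (field, packaged, on_disk) mismatches."""
    diffs = []
    want, have = stat.S_IMODE(entry["mode"]), stat.S_IMODE(actual["mode"])
    if want != have:
        diffs.append(("mode", "%04o" % want, "%04o" % have))
    for key in ("owner", "group"):
        if entry[key] != actual[key]:
            diffs.append((key, entry[key], actual[key]))
    return diffs

# Dump line from comment 8; on-disk values from the `ls -al` output in comment 10.
DUMP = ("/var/lib/mlocate/mlocate.db 0 1348490607 "
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
        "0100644 root root 0 0 0 X")
ON_DISK = {"mode": 0o100640, "owner": "root", "group": "slocate"}

if __name__ == "__main__":
    # On a live system, use compare(entry, stat_file(entry["path"])) instead.
    for field, packaged, on_disk in compare(parse_dump_line(DUMP), ON_DISK):
        print("%s: package says %s, filesystem has %s" % (field, packaged, on_disk))
```

Unlike "rpm -V" as described in comment 7, this check does not skip ghost entries, which is why it surfaces the 0644 root:root metadata.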

Comment 12 errata-xmlrpc 2015-03-12 09:00:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0676.html