Bug 1308984

Summary: Add strict requires on crypto-policies
Product: [Fedora] Fedora
Reporter: Lukas Slebodnik <lslebodn>
Component: krb5
Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 23
CC: abokovoy, j, nalin, npmccallum, rharwood
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: krb5-1.14-8.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-21 12:57:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Lukas Slebodnik 2016-02-16 16:28:34 UTC
Description of problem:
There is a known issue with krb5 and inclusion of nonexistent files
(BZ1274424). There is a workaround in Fedora 23+ for the issue with crypto-policies.
However, the solution is not sufficient, because old versions of crypto-policies do not contain such a file and therefore the link can be broken.

And it's hard to explain to someone that it's not enough to upgrade krb5-* to the latest version to fix issues caused by a broken symbolic link.

Therefore there should be stricter requires on crypto-policies.

Version-Release number of selected component (if applicable):
sh$ rpm -qf /etc/krb5.conf.d/crypto-policies 
krb5-libs-1.14-7.fc23.x86_64

How reproducible:
Deterministic

Actual results:
The latest krb5-libs can be installed with an old version of crypto-policies

sh$ rpm -q krb5-libs crypto-policies
krb5-libs-1.14-4.fc23.x86_64
crypto-policies-20150518-3.gitffe885e.fc23.noarch

sh$ file /etc/krb5.conf.d/crypto-policies 
/etc/krb5.conf.d/crypto-policies: broken symbolic link to /etc/crypto-policies/back-ends/krb5.config


Expected results:
krb5-libs has a strict requires on a crypto-policies version which contains the file /etc/crypto-policies/back-ends/krb5.config,
and therefore an update of krb5-libs will require an update of crypto-policies as well
and will prevent issues with the broken symbolic link.

Additional info:
You might use 
Requires: crypto-policies >= 20151104-1

or
Requires: /etc/crypto-policies/back-ends/krb5.config

sh$ rpm -q --whatprovides /etc/crypto-policies/back-ends/krb5.config
crypto-policies-20151104-1.gitf1cba5f.fc23.noarch
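
A check for the failure mode in this report, as an added example that is not part of the original bug or of the krb5 packaging: it lists symlinks in a krb5 include directory whose targets do not exist. The function names `find_dangling_links` and `demo` are hypothetical, and the sandbox built in `demo` is constructed to mirror the paths shown above.

```shell
#!/bin/sh
# Added example (not from the bug report): find dangling symlinks in a
# krb5 include directory, the failure mode described above.

# Print "link -> target" for every symlink in DIR whose target is missing.
# Returns 1 if at least one dangling link was found, 0 otherwise.
find_dangling_links() {
    dir=$1
    found=0
    for entry in "$dir"/*; do
        # -L: entry is a symlink; ! -e: its target does not resolve
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            printf '%s -> %s\n' "$entry" "$(readlink "$entry")"
            found=1
        fi
    done
    return "$found"
}

# Constructed sandbox mirroring the layout in the report: one link whose
# back-end file exists, one whose back-end file was never installed.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/krb5.conf.d" "$root/etc/crypto-policies/back-ends"
    : > "$root/etc/crypto-policies/back-ends/present.config"
    ln -s "$root/etc/crypto-policies/back-ends/present.config" \
        "$root/etc/krb5.conf.d/ok"
    ln -s "$root/etc/crypto-policies/back-ends/krb5.config" \
        "$root/etc/krb5.conf.d/crypto-policies"
    if find_dangling_links "$root/etc/krb5.conf.d"; then
        status=0
    else
        status=1
    fi
    rm -rf "$root"
    return "$status"
}

# "--check [DIR]" inspects a real directory (default /etc/krb5.conf.d);
# with no arguments the file only defines the functions.
if [ "${1:-}" = "--check" ]; then
    find_dangling_links "${2:-/etc/krb5.conf.d}"
fi
```

Run with `--check` after a krb5-libs update; a non-zero exit means an include link points at a file that no installed package has provided.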

Comment 1 Fedora Update System 2016-02-16 17:57:28 UTC
krb5-1.14-8.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b8be51f14b

Comment 2 Robbie Harwood 2016-02-16 17:59:51 UTC
Fixed in rawhide as well.

Comment 3 Fedora Update System 2016-02-17 06:26:21 UTC
krb5-1.14-8.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b8be51f14b

Comment 4 Fedora Update System 2016-02-21 12:57:36 UTC
krb5-1.14-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-02-21 16:18:15 UTC
krb5-1.14-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-02-21 16:24:23 UTC
krb5-1.14-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.