Bug 1559284
| Summary: | rpm verify show mode differs for package libvirt-daemon-config-nwfilter | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | yalzhang <yalzhang> |
| Component: | libvirt | Assignee: | Jiri Denemark <jdenemar> |
| Status: | CLOSED ERRATA | QA Contact: | chhu |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.5 | CC: | dyuan, jdenemar, rbarry, xuzhang |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | libvirt-4.4.0-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-30 09:53:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1436519 | | |
Description
yalzhang@redhat.com
2018-03-22 08:01:25 UTC
*** Bug 1571969 has been marked as a duplicate of this bug. ***

Add the Regression keyword, as the bug was also reported by up-layer recently.

The files in /etc are defined as %ghost in the spec file, which means rpm will not install them, but it will record their existence and permissions in the database. The files are then copied in a %post scriptlet, but apparently the permissions of those files are different from the ones recorded by rpm. So either the change happened while they were copied in the %post scriptlet, or libvirtd changed the permissions. And it looks like older rpm didn't care about permissions of %ghost files.

Fix sent upstream for review: https://www.redhat.com/archives/libvir-list/2018-May/msg02147.html

Fixed upstream by commit 7f8e1cb68fd6963542a7089199efb4e65f9a4c23
Refs: v4.4.0-rc1-1-g7f8e1cb68f
Author:     Jiri Denemark <jdenemar>
AuthorDate: Tue May 29 22:30:33 2018 +0200
Commit:     Jiri Denemark <jdenemar>
CommitDate: Wed May 30 11:21:28 2018 +0200

    spec: Fix permissions of nwfilter XMLs

    The nwfilter XMLs in /etc are defined as %ghost in the spec file, which
    means rpm will not install them, but it will record their existence and
    permissions in the database. During installation the files are copied in
    a %post scriptlet from /usr/share/libvirt/nwfilter, but once libvirtd is
    restarted, it will rewrite the files to add generated UUIDs. While RPM
    recorded 644 mode for the XMLs, libvirt saves them with 600 and thus any
    future attempt to verify the libvirt-daemon-config-nwfilter package
    would fail. We need to tell RPM the ghost files are supposed to have 600
    permissions.

    https://bugzilla.redhat.com/show_bug.cgi?id=1559284

    Signed-off-by: Jiri Denemark <jdenemar>
    Reviewed-by: Erik Skultety <eskultet>

Hi, Jiri

I hit this issue after installing the libvirt-daemon-config-nwfilter package, but the rpm verify passed when I started the libvirtd service. More details are below; do you want to make more modifications? Thank you!
Regards,
chhu

Tested with packages:
libvirt-daemon-config-nwfilter-4.5.0-9.el7.x86_64
rpm-4.11.3-35.el7.x86_64

Test steps:

1. Install the libvirt-daemon-config-nwfilter package, then do rpm verify; all xml files show "mode differs":

```
# rpm -V libvirt-daemon-config-nwfilter-4.5.0-9.el7.x86_64
.M....... g /etc/libvirt/nwfilter/allow-arp.xml
.M....... g /etc/libvirt/nwfilter/allow-dhcp-server.xml
.M....... g /etc/libvirt/nwfilter/allow-dhcp.xml
.M....... g /etc/libvirt/nwfilter/allow-incoming-ipv4.xml
.M....... g /etc/libvirt/nwfilter/allow-ipv4.xml
.M....... g /etc/libvirt/nwfilter/clean-traffic-gateway.xml
.M....... g /etc/libvirt/nwfilter/clean-traffic.xml
.M....... g /etc/libvirt/nwfilter/no-arp-ip-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-arp-mac-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-arp-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-ip-multicast.xml
.M....... g /etc/libvirt/nwfilter/no-ip-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-mac-broadcast.xml
.M....... g /etc/libvirt/nwfilter/no-mac-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-other-l2-traffic.xml
.M....... g /etc/libvirt/nwfilter/no-other-rarp-traffic.xml
.M....... g /etc/libvirt/nwfilter/qemu-announce-self-rarp.xml
.M....... g /etc/libvirt/nwfilter/qemu-announce-self.xml
# ll -Z /etc/libvirt/nwfilter/allow-arp.xml
-rw-r--r--. root root unconfined_u:object_r:virt_etc_rw_t:s0 /etc/libvirt/nwfilter/allow-arp.xml
# rpm -qa|grep rpm
rpm-4.11.3-35.el7.x86_64
```

2. Check the libvirtd status: it's stopped. Start libvirtd, then do rpm verify: it passes.
```
# service libvirtd status
Redirecting to /bin/systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:libvirtd(8)
           https://libvirt.org
# service libvirtd start
Redirecting to /bin/systemctl start libvirtd.service
# rpm -V libvirt-daemon-config-nwfilter-4.5.0-9.el7.x86_64
# ll -Z /etc/libvirt/nwfilter/allow-arp.xml
-rw-------. root root system_u:object_r:virt_etc_rw_t:s0 /etc/libvirt/nwfilter/allow-arp.xml
```

Maybe, once I understand what's going on here. But anyway, it won't be for this bug. It's good it works in the usual case when libvirtd is running. If you file a new bug for the corner case you found, I'll try to look at it.

Thanks Jiri! Filed a new bug for the issue in comment 9, and set this bug's status to "VERIFIED":

Bug 1628475 - Rpm verify show mode differs for package libvirt-daemon-config-nwfilter when libvirtd is stopped

Just a remark on comment#9: for security scanning (SCAP, for example), it is NOT sufficient to have verification pass only if the service is started. Since security is a priority target, failing verification after install is (to me) FailedQA rather than a corner case.

Hi, Ryan

Yes, thank you very much! I filed bug1622875 to track this:

Bug 1628475 - Rpm verify show mode differs for package libvirt-daemon-config-nwfilter when libvirtd is stopped

Regards,
chhu

The fix which went in for this BZ is still a verified improvement compared to the previous state, although we need an additional patch to fix this in all cases. To me it doesn't really matter whether we have a new bug tracking the addition or use this one. Usually a separate bug is more focused and it's easier to spot what the problem is without reading all the comments.

Hi, Jiri

Yes, thank you! This bug fixes the problem when libvirtd is started; we use Bug 1628475 to track the issue without starting libvirtd.
Regards,
chhu

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113
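The `rpm -V` output in the test steps above is what a SCAP-style file-integrity check consumes, and the remark about security scanning is about what happens when that check fails right after install. The following Python script is an added example, not code from this bug report, from libvirt or from rpm: it parses `rpm -V` records into the attribute names rpm uses (the `.M....... g` prefix means "mode differs" on a `%ghost` file), picks out ghost files with a mode mismatch, and classifies a recorded-vs-actual mode pair as a tightening or a loosening, so that 0644 to 0600 (the case in this bug) can be told apart from the dangerous direction. The sample output, including the `libvirtd.conf`, `virsh` and `missing` lines, is constructed for the demo; in practice the recorded mode would come from `rpm -q --dump` and the actual mode from `stat`.

```python
"""Parse `rpm -V` output and classify mode mismatches (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# rpm -V prints a 9-character status field. Each position holds the attribute
# letter when that attribute differs from the rpm database, "." when it
# matches, or "?" when rpm could not run the test (e.g. unreadable file).
VERIFY_ATTRS = "SM5DLUGTP"
ATTR_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}
# Optional single-letter file class printed between the status and the path.
FILE_CLASSES = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

LINE_RE = re.compile(
    r"^(?P<status>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<cls>[cdglr])\s+)?(?P<path>/\S.*)$"
)


@dataclass
class VerifyEntry:
    path: str
    file_class: str | None                              # "ghost", "config", ... or None
    differs: list[str] = field(default_factory=list)    # attributes that mismatch
    unchecked: list[str] = field(default_factory=list)  # attributes rpm could not test
    missing: bool = False


def parse_rpm_verify(output: str) -> list[VerifyEntry]:
    """Turn the text `rpm -V <pkg>` prints into VerifyEntry records.
    Lines that are not verify records (e.g. dependency messages) are skipped."""
    entries: list[VerifyEntry] = []
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = VerifyEntry(path=m.group("path").strip(),
                            file_class=FILE_CLASSES.get(m.group("cls") or ""))
        status = m.group("status")
        if status == "missing":
            entry.missing = True
        else:
            for pos, ch in enumerate(status):
                if ch == "?":
                    entry.unchecked.append(ATTR_NAMES[VERIFY_ATTRS[pos]])
                elif ch != ".":
                    entry.differs.append(ATTR_NAMES[ch])
        entries.append(entry)
    return entries


def ghost_mode_mismatches(entries: list[VerifyEntry]) -> list[str]:
    """Paths of %ghost files whose on-disk mode differs from the recorded one.
    This is the symptom in this bug: rpm recorded 0644 for the nwfilter XMLs
    while libvirtd rewrites them with 0600."""
    return [e.path for e in entries if e.file_class == "ghost" and "mode" in e.differs]


def classify_mode_change(recorded: int, actual: int) -> str:
    """Say whether a mode mismatch tightened or loosened access. `recorded` is
    the mode rpm stored (e.g. 0o644 here), `actual` the mode on disk (0o600
    after libvirtd rewrote the file). A scanner should escalate 'loosened'."""
    recorded &= 0o7777
    actual &= 0o7777
    added = actual & ~recorded      # permission bits gained on disk
    removed = recorded & ~actual    # permission bits dropped on disk
    if not added and not removed:
        return "same"
    if added and removed:
        return "mixed"
    return "loosened" if added else "tightened"


# Constructed sample: the first two lines mirror the bug's rpm -V output; the
# rest are invented to exercise the config, missing and "?" branches.
SAMPLE_OUTPUT = """\
.M....... g /etc/libvirt/nwfilter/allow-arp.xml
.M....... g /etc/libvirt/nwfilter/clean-traffic.xml
S.5....T.  c /etc/libvirt/libvirtd.conf
missing     /usr/share/libvirt/nwfilter/allow-dhcp.xml
..?......   /usr/bin/virsh
Unsatisfied dependencies for libvirt-daemon-config-nwfilter-4.5.0-9.el7.x86_64:
"""

if __name__ == "__main__":
    parsed = parse_rpm_verify(SAMPLE_OUTPUT)
    for item in parsed:
        print(item)
    print("ghost mode mismatches:", ghost_mode_mismatches(parsed))
    print("0644 -> 0600 is", classify_mode_change(0o644, 0o600))
```

The mismatch in this bug classifies as "tightened", which is why it is a verification failure rather than an exposure; a scanner still has to report it, because `rpm -V` cannot tell the two directions apart on its own. In a spec file, the mode rpm records for a `%ghost` entry is set with `%attr(mode, user, group)` on that line, which is the mechanism the upstream commit message refers to when it says rpm must be told the files are supposed to have 600 permissions.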