Bug 1559284

Summary: rpm verify show mode differs for package libvirt-daemon-config-nwfilter
Product: Red Hat Enterprise Linux 7
Reporter: yalzhang <yalzhang>
Component: libvirt
Assignee: Jiri Denemark <jdenemar>
Status: CLOSED ERRATA
QA Contact: chhu
Severity: unspecified
Priority: unspecified
Version: 7.5
CC: dyuan, jdenemar, rbarry, xuzhang
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libvirt-4.4.0-1.el7
Doc Type: If docs needed, set a value
Last Closed: 2018-10-30 09:53:14 UTC
Type: Bug
Bug Blocks: 1436519

Description yalzhang@redhat.com 2018-03-22 08:01:25 UTC
Description of problem:
rpm verify show mode differs for package libvirt-daemon-config-nwfilter

Version-Release number of selected component (if applicable):
libvirt-3.9.0-14.el7_5.2.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install the libvirt-daemon-config-nwfilter package, then run rpm verify; all XML files show "mode differs":

# rpm -V libvirt-daemon-config-nwfilter-3.9.0-14.el7_5.2.x86_64
.M.......  g /etc/libvirt/nwfilter/allow-arp.xml
.M.......  g /etc/libvirt/nwfilter/allow-dhcp-server.xml
.M.......  g /etc/libvirt/nwfilter/allow-dhcp.xml
.M.......  g /etc/libvirt/nwfilter/allow-incoming-ipv4.xml
.M.......  g /etc/libvirt/nwfilter/allow-ipv4.xml
....
.M.......  g /etc/libvirt/nwfilter/qemu-announce-self.xml

# ll -Z /etc/libvirt/nwfilter/allow-arp.xml
-rw-------. root root system_u:object_r:virt_etc_rw_t:s0 /etc/libvirt/nwfilter/allow-arp.xml

# rpm -q rpm
Rpm-4.11.3-32.el7.x86_64

2. Downgrade the rpm package to the version below; the verify passes:
# rpm -q rpm
rpm-4.11.3-25.el7.x86_64

# rpm -V libvirt-daemon-config-nwfilter-3.9.0-14.virtcov.el7_5.2.x86_64
===> no output

3. Check the original permission settings in the package:
# rpm2cpio libvirt-daemon-config-nwfilter-3.9.0-14.el7_5.2.x86_64.rpm | cpio -idmv

# ll -Z ./usr/share/libvirt/nwfilter/allow-arp.xml
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 ./usr/share/libvirt/nwfilter/allow-arp.xml


Actual results:
rpm verify fails

Expected results:
The rpm verify should pass

Additional info:

Comment 2 yalzhang@redhat.com 2018-04-26 03:23:15 UTC
*** Bug 1571969 has been marked as a duplicate of this bug. ***

Comment 3 yalzhang@redhat.com 2018-04-26 03:31:27 UTC
Added the Regression keyword, as the bug was also reported recently by an upper layer.

Comment 5 Jiri Denemark 2018-05-29 18:00:11 UTC
The files in /etc are defined as %ghost in the spec file, which means rpm will
not install them, but it will record their existence and permissions in the
database. The files are then copied in a %post scriptlet, but apparently the
permissions of those files are different from the ones recorded by rpm. So
either the change happened while they were copied in the %post scriptlet, or
libvirtd changed the permissions. And it looks like older rpm didn't care
about permissions of %ghost files.

Comment 6 Jiri Denemark 2018-05-29 21:12:45 UTC
Fix sent upstream for review: https://www.redhat.com/archives/libvir-list/2018-May/msg02147.html

Comment 7 Jiri Denemark 2018-05-30 09:23:23 UTC
Fixed upstream by

commit 7f8e1cb68fd6963542a7089199efb4e65f9a4c23
Refs: v4.4.0-rc1-1-g7f8e1cb68f
Author:     Jiri Denemark <jdenemar>
AuthorDate: Tue May 29 22:30:33 2018 +0200
Commit:     Jiri Denemark <jdenemar>
CommitDate: Wed May 30 11:21:28 2018 +0200

    spec: Fix permissions of nwfilter XMLs

    The nwfilter XMLs in /etc are defined as %ghost in the spec file, which
    means rpm will not install them, but it will record their existence and
    permissions in the database. During installation the files are copied in
    a %post scriptlet from /usr/share/libvirt/nwfilter, but once libvirtd is
    restarted, it will rewrite the files to add generated UUIDs.

    While RPM recorded 644 mode for the XMLs, libvirt saves them with 600
    and thus any future attempt to verify the libvirt-daemon-config-nwfilter
    package would fail. We need to tell RPM the ghost files are supposed to
    have 600 permissions.

    https://bugzilla.redhat.com/show_bug.cgi?id=1559284

    Signed-off-by: Jiri Denemark <jdenemar>
    Reviewed-by: Erik Skultety <eskultet>
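
Because `rpm -V` output is exactly what a compliance scan (see the SCAP remark further down) consumes, here is an added example, not code from this bug or from libvirt, that parses that output format and flags the specific class of finding this bug is about: %ghost files whose on-disk mode differs from the mode recorded in the rpm database. The sample lines are constructed after the output quoted in this report; the field layout follows rpm(8).

```python
import re
from typing import List, NamedTuple, Optional

# The nine verify tests of an "rpm -V" line, in rpm(8) order:
# S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, P caps.
TEST_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device",
              "L": "symlink", "U": "user", "G": "group", "T": "mtime",
              "P": "capabilities"}
# Optional file-attribute column: c config, d doc, g ghost, l license, r readme.
ATTR_NAMES = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

LINE_RE = re.compile(r"^(?P<tests>[SM5DLUGTP.?]{9})\s+(?P<attr>[cdglr])?\s*(?P<path>/\S+)$")
MISSING_RE = re.compile(r"^missing\s+(?P<attr>[cdglr])?\s*(?P<path>/\S+)$")

class VerifyResult(NamedTuple):
    path: str
    attr: Optional[str]   # "ghost", "config", ... or None when no attribute is set
    failed: List[str]     # names of the tests that failed, e.g. ["mode"]

def parse_verify_line(line: str) -> Optional[VerifyResult]:
    """Parse one `rpm -V` line; return None for lines that are not verify records."""
    m = MISSING_RE.match(line.strip())
    if m:
        return VerifyResult(m["path"], ATTR_NAMES.get(m["attr"] or ""), ["missing"])
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    failed = [TEST_NAMES[ch] for ch in m["tests"] if ch in TEST_NAMES]
    return VerifyResult(m["path"], ATTR_NAMES.get(m["attr"] or ""), failed)

def parse_verify_output(text: str) -> List[VerifyResult]:
    return [r for r in (parse_verify_line(ln) for ln in text.splitlines()) if r]

def ghost_mode_mismatches(results: List[VerifyResult]) -> List[str]:
    """Paths of %ghost files whose on-disk mode differs from the rpm database."""
    return [r.path for r in results if r.attr == "ghost" and "mode" in r.failed]

# Constructed sample modelled on the output quoted in this bug (not a real capture).
SAMPLE = """\
.M.......  g /etc/libvirt/nwfilter/allow-arp.xml
.M.......  g /etc/libvirt/nwfilter/allow-dhcp-server.xml
S.5....T.  c /etc/example/example.conf
missing   d /usr/share/doc/example/README
"""

if __name__ == "__main__":
    for path in ghost_mode_mismatches(parse_verify_output(SAMPLE)):
        print("ghost file with mode mismatch:", path)
```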

Comment 9 chhu 2018-09-13 06:37:06 UTC
Hi, Jiri

I hit this issue after installing the libvirt-daemon-config-nwfilter package, but the rpm verify passed when I started the libvirtd service. More details are below; do you want to make further modifications? Thank you!

Regards,
chhu

Tested with packages:
libvirt-daemon-config-nwfilter-4.5.0-9.el7.x86_64
rpm-4.11.3-35.el7.x86_64

Test steps:
1. Install the libvirt-daemon-config-nwfilter package, then run rpm verify; all XML files show "mode differs":
# rpm -V libvirt-daemon-config-nwfilter-4.5.0-9.el7.x86_64
.M.......  g /etc/libvirt/nwfilter/allow-arp.xml
.M.......  g /etc/libvirt/nwfilter/allow-dhcp-server.xml
.M.......  g /etc/libvirt/nwfilter/allow-dhcp.xml
.M.......  g /etc/libvirt/nwfilter/allow-incoming-ipv4.xml
.M.......  g /etc/libvirt/nwfilter/allow-ipv4.xml
.M.......  g /etc/libvirt/nwfilter/clean-traffic-gateway.xml
.M.......  g /etc/libvirt/nwfilter/clean-traffic.xml
.M.......  g /etc/libvirt/nwfilter/no-arp-ip-spoofing.xml
.M.......  g /etc/libvirt/nwfilter/no-arp-mac-spoofing.xml
.M.......  g /etc/libvirt/nwfilter/no-arp-spoofing.xml
.M.......  g /etc/libvirt/nwfilter/no-ip-multicast.xml
.M.......  g /etc/libvirt/nwfilter/no-ip-spoofing.xml
.M.......  g /etc/libvirt/nwfilter/no-mac-broadcast.xml
.M.......  g /etc/libvirt/nwfilter/no-mac-spoofing.xml
.M.......  g /etc/libvirt/nwfilter/no-other-l2-traffic.xml
.M.......  g /etc/libvirt/nwfilter/no-other-rarp-traffic.xml
.M.......  g /etc/libvirt/nwfilter/qemu-announce-self-rarp.xml
.M.......  g /etc/libvirt/nwfilter/qemu-announce-self.xml

# ll -Z /etc/libvirt/nwfilter/allow-arp.xml
-rw-r--r--. root root unconfined_u:object_r:virt_etc_rw_t:s0 /etc/libvirt/nwfilter/allow-arp.xml

# rpm -qa|grep rpm
rpm-4.11.3-35.el7.x86_64

2. Check the libvirtd status: it is stopped. Start libvirtd, then rpm verify passes.

# service libvirtd status
Redirecting to /bin/systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:libvirtd(8)
           https://libvirt.org
# service libvirtd start
Redirecting to /bin/systemctl start libvirtd.service

# rpm -V libvirt-daemon-config-nwfilter-4.5.0-9.el7.x86_64
# ll -Z /etc/libvirt/nwfilter/allow-arp.xml
-rw-------. root root system_u:object_r:virt_etc_rw_t:s0 /etc/libvirt/nwfilter/allow-arp.xml

Comment 10 Jiri Denemark 2018-09-13 07:35:00 UTC
Maybe, once I understand what's going on here. But anyway, it won't be for
this bug. It's good it works in the usual case when libvirtd is running. If
you file a new bug for the corner case you found, I'll try to look at it.

Comment 11 chhu 2018-09-13 08:05:20 UTC
Thanks Jiri!

Filed a new bug for the issue in comment 9, and set this bug's status to "VERIFIED".
Bug 1628475 - Rpm verify show mode differs for package libvirt-daemon-config-nwfilter when libvirtd is stopped

Comment 12 Ryan Barry 2018-09-13 18:09:15 UTC
Just a remark on comment#9 -

For security scanning (SCAP, for example), it is NOT sufficient to have verification pass only if the service is started. Since security is a priority target, failing verification after install is (to me), FailedQA rather than a corner case.

Comment 13 chhu 2018-09-14 05:26:03 UTC
Hi, Ryan

Yes, thank you very much!

I filed bug1622875 to track this:
Bug 1628475 - Rpm verify show mode differs for package libvirt-daemon-config-nwfilter when libvirtd is stopped

Regards,
chhu

Comment 14 Jiri Denemark 2018-09-14 06:27:51 UTC
The fix which went in for this BZ is still a verified improvement compared to
the previous state. Although we need an additional patch to fix this in all
cases. To me it doesn't really matter whether we have a new bug tracking the
addition or use this one. Usually a separate bug is more focused and it's
easier to spot what the problem is without reading all the comments.

Comment 15 chhu 2018-09-14 07:15:01 UTC
Hi, Jiri

Yes, thank you!

This bug fixes the problem when libvirtd is started; we use Bug 1628475 to track the issue without starting libvirtd.

Regards,
chhu

Comment 17 errata-xmlrpc 2018-10-30 09:53:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113