Bug 202805

Summary: rpm --verify returns undocumented "C" flag, "C" check cannot be disabled
Product: [Fedora] Fedora Reporter: Mark Frazer <mark>
Component: rpmAssignee: Paul Nasrat <nobody+pnasrat>
Status: CLOSED WONTFIX QA Contact: Mike McLean <mikem>
Severity: medium Docs Contact:
Priority: medium    
Version: 4   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-08-16 15:37:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mark Frazer 2006-08-16 15:21:13 UTC 
Description of problem:
The C flag is not documented.  It appears (from a quick browse of the source) to
be related SE linux security context not matching.  Searching for
RPMVERIFY_CONTEXTS in lib/verify.c to find it.

There is also no --nocontexts flag to rpm --verify, so this check will always
turn up.  This is also documented in the source.
[root@pacific rpm-4.4.1]# grep 'flags |= RPMVERIFY_CONTEXTS' lib/verify.c
    flags |= RPMVERIFY_CONTEXTS;        /* no disable from package. */


Version-Release number of selected component (if applicable):
rpm-4.4.1-23

How reproducible:
always

Steps to Reproduce:
I encountered this after replacing an old disk with a new one.  My update
procedure was to boot to the rescue CD, rsync the old disk partitions with the
partitions on the new disk (rsync -aH /mnt/old/ /mnt/new), install grub on the
new disk and then remove the old disk.

I guess the rsync lost whatever SE linux is looking for.

Actual results:
[root@pacific rpm-4.4.1]# rpm --verify openssh-clients
........C c /etc/ssh/ssh_config
........C   /usr/bin/scp
........C   /usr/bin/sftp
........C   /usr/bin/slogin
........C   /usr/bin/ssh
........C   /usr/bin/ssh-add
........C   /usr/bin/ssh-agent
........C   /usr/bin/ssh-copy-id
........C   /usr/bin/ssh-keyscan
........C d /usr/share/man/man1/scp.1.gz
........C d /usr/share/man/man1/sftp.1.gz
........C d /usr/share/man/man1/slogin.1.gz
........C d /usr/share/man/man1/ssh-add.1.gz
........C d /usr/share/man/man1/ssh-agent.1.gz
........C d /usr/share/man/man1/ssh-copy-id.1.gz
........C d /usr/share/man/man1/ssh-keyscan.1.gz
........C d /usr/share/man/man1/ssh.1.gz
........C d /usr/share/man/man5/ssh_config.5.gz

Expected results:
No output, ie, my rpm installations have not been corrupted.

Additional info:
Comment 1 Paul Nasrat 2006-08-16 15:37:22 UTC 
use restorecon to fix contexts.  File bugs against rsync for not preserving
xattrs which hold the contexts.

This check is gone in later RPM so I'm not going to release a man page update
for fc4 at this time.
Comment 2 Mark Frazer 2006-08-16 15:54:04 UTC 
rpm -qa | while read rpm ; do rpm -ql $rpm | restorecon -f - ; done

did the trick.

I googled a bit for this before filing the bug and saw a few people running ES4
that had a similar problem.

thanks for the fix!
Comment 3 zimon 2006-08-28 20:02:30 UTC 
I wonder, why this is marked as WONTFIX+CLOSED.
I was just wondering the same undocumentd ninth field "C", Googled around, asked
on linuxquestions.org but couldn't find anything until then here.
Comment 4 zimon 2006-08-28 20:05:49 UTC 
Ah, sorry. Paul already wrote why it wont be fixed. Ok. Just it still gives
those "C":s in Fedora core 5, with rpm version 4.4.2