Bug 2069588
| Summary: | Mode differs for /var/lib/sepolgen/interface_info | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Łukasz Filipek <lukasz.filipek> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | 35 | CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, plautrba, vmojzis, zpytela |
| Hardware: | x86_64 | OS: | Linux |
| Last Closed: | 2022-09-06 15:08:33 UTC | Type: | Bug |

Description
Łukasz Filipek
2022-03-29 08:23:00 UTC
Vito,
It seems to me the /var/lib/sepolgen/interface_info file is created on selinux-policy-devel installation:
%post devel
%{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
exit 0
The file is listed as a ghost file:
%ghost %{_sharedstatedir}/sepolgen/interface_info
Does sepolgen-ifgen use some equivalent of "umask 777" when the file is created for the first time?
Once the permissions are fixed, next run of the command does not change the permissions.
Speaking of interface_info, why at all is this file a ghost file?
(In reply to Zdenek Pytela from comment #1)
> Vito,
>
> It seems to me the /var/lib/sepolgen/interface_info file is created on
> selinux-policy-devel installation:
>
> %post devel
> %{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
> exit 0
>
> The file is listed as a ghost file:
> %ghost %{_sharedstatedir}/sepolgen/interface_info
>
> Does sepolgen-ifgen use some equivalent of "umask 777" when the file is
> created for the first time?

Yes, but the value (644) is "hardcoded" in policycoreutils. I believe we should either specify the value in the spec file (i.e. %attr(644,root,root)), or better yet disable validation on the file (%verify(not md5 size mode mtime)).

%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info

> Once the permissions are fixed, next run of the command does not change the
> permissions.
>
> Speaking of interface_info, why at all is this file a ghost file?

Because it is not shipped by the package (hence rpmbuild would complain about the file missing if we used a normal definition), but it is used for policy compilation, so we still want to tie it to selinux-policy-devel package after it is generated.

Merged 3 months ago. Closing.
https://src.fedoraproject.org/rpms/selinux-policy/c/193d303b3b4915c23798368b516b59b2bd49f0b5?branch=rawhide
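
How the mode mismatch discussed in this bug shows up in `rpm -V` output, as an added example that is not part of the bug report or of the selinux-policy project: a small parser that separates mode failures on %ghost files from those on shipped files. The sample lines are constructed, and the function names and the /usr/bin/example-tool path are hypothetical.

```python
import re

# One rpm -V result line: nine test flags, an optional attribute marker
# (c config, d doc, g ghost, l license, r readme), then the path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.+)$"
)
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.+)$")

# Constructed sample output (not captured from a real system).
SAMPLE = """\
.M.......  g /var/lib/sepolgen/interface_info
S.5....T.  c /etc/selinux/config
.M...U...    /usr/bin/example-tool
missing     /usr/share/doc/example/README
"""


def parse_verify(text):
    """Return (failed_tests, attr, path) for every line of rpm -V output."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # '.' means the test passed, '?' means it could not be performed.
            failed = {ch for ch in m["flags"] if ch not in ".?"}
            results.append((failed, m["attr"], m["path"]))
            continue
        m = MISSING_RE.match(line)
        if m:
            results.append(({"missing"}, m["attr"], m["path"]))
    return results


def mode_findings(text):
    """Split mode ('M') failures into ghost files and shipped files."""
    ghost, shipped = [], []
    for failed, attr, path in parse_verify(text):
        if "M" in failed:
            (ghost if attr == "g" else shipped).append(path)
    return {"ghost": ghost, "shipped": shipped}


if __name__ == "__main__":
    report = mode_findings(SAMPLE)
    # Ghost entries: on-disk mode differs from the one in the package header.
    print("ghost files with mode mismatch:", report["ghost"])
    # Shipped entries: on-disk mode differs from the packaged file's mode.
    print("shipped files with mode mismatch:", report["shipped"])
```

Once a file is declared with `%verify(not md5 size mode mtime)`, `rpm -V` stops reporting those attributes for it, so a later permission change on that file will not appear in this output.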