Bug 2119472

Summary: Mode default differs for /var/lib/sepolgen/interface_info provided by selinux-policy-devel
Product: Red Hat Enterprise Linux 8
Reporter: Neil Garrett <ngarrett>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.6
CC: lvrabec, mmalik, ssekidde
Target Milestone: rc
Keywords: Triaged
Target Release: 8.7
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-107.el8
Doc Type: Bug Fix
Doc Text:
Cause: The /var/lib/sepolgen/interface_info file is generated during the %post phase of the selinux-policy-devel rpm package installation.
Consequence: The output of 'rpm --verify selinux-policy-devel' shows that sepolgen-ifgen's mode/permissions have changed against the stored default.
Fix: The specfile was modified not to store file metadata in the rpm database used for verification.
Result: 'rpm --verify selinux-policy-devel' does not report any problem.
Story Points: ---
Clone Of:
: 2132168 2134515
Environment:
Last Closed: 2022-11-08 10:45:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2132168, 2134515

Description Neil Garrett 2022-08-18 15:26:00 UTC
Description of problem:
With selinux-policy-devel rpm installed, the output of 'rpm -V' run against it shows that associated file sepolgen-ifgen's mode/permissions are not default. After running 'rpm --setperms' against the rpm it changes the sepolgen-ifgen's permissions from 0644 to 0000.

I'm not sure what the appropriate permissions for /usr/lib/sepolgen/interface_info are, but 0000 does not seem right. At the very least, the rpm is providing the file with permissions that differ from what it thinks the default should be. 

Version-Release number of selected component (if applicable):
selinux-policy-devel-3.14.3-95.el8_6.1 although I have replicated this behavior on a few older versions in RHEL 8 as well as the latest version provided with RHEL 7.9. 

How reproducible:
Every time

Steps to Reproduce:
1. Install selinux-policy-devel
2. Run package verification against it with 'rpm -V'
3. Output will show that mode for /usr/lib/sepolgen/interface_info deviates from default
4. Restore default permissions with 'rpm --setperms'
5. Run package verification against the rpm again to verify no output
6. Perform long listing of interface_info file which shows mode of 0000

Actual results:
Wrong file permissions for a file provided by the rpm or incorrectly defined default permissions for the provided file

Expected results:
Correct permissions for files provided by the selinux-policy-devel rpm

Additional info:
For what it's worth, I was able to reproduce this on the following versions of selinux-policy-devel in both RHEL 8 and RHEL 7:

selinux-policy-devel-3.13.1-268.el7_9.2.noarch
selinux-policy-devel-3.14.3-80.el8_5.2.noarch
selinux-policy-devel-3.14.3-95.el8
selinux-policy-devel-3.14.3-95.el8_6.1.noarch

I also found an upstream bug with Fedora covering the same problem:
2069588
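
Added example (not part of the bug report or of the selinux-policy package): a check to run before step 4 that lists which files 'rpm --setperms' would change and flags any whose recorded permission bits are 0000. The function names, the scratch files and the query listing in the demo are constructed for illustration; GNU stat is assumed.

```shell
# Preview what 'rpm --setperms <pkg>' would change, before running it.
# stdin:  "<octal mode> <path>" lines, as printed by
#           rpm -q --qf '[%{FILEMODES:octal} %{FILENAMES}\n]' <pkg>
# stdout: "<path> <on-disk> -> <recorded>" for every existing file whose
#         permission bits differ from the recorded ones; " ZERO" is appended
#         when the recorded permission bits are 0000 (the case in this bug).
# Assumption: GNU stat ('stat -c'), as shipped on RHEL.
setperms_preview() {
    while read -r sp_mode sp_path; do
        # Skip blank or non-octal mode fields and files that are not on disk.
        case $sp_mode in ''|*[!0-7]*) continue ;; esac
        if [ -z "$sp_path" ] || [ ! -e "$sp_path" ]; then
            continue
        fi
        # Keep only the permission bits; the leading digits encode the file type.
        sp_rec=$(printf '%04o' $(( 0$sp_mode & 07777 )))
        sp_cur=$(printf '%04o' $(( 0$(stat -c %a "$sp_path") )))
        if [ "$sp_rec" != "$sp_cur" ]; then
            sp_note=""
            if [ "$sp_rec" = "0000" ]; then sp_note=" ZERO"; fi
            printf '%s %s -> %s%s\n' "$sp_path" "$sp_cur" "$sp_rec" "$sp_note"
        fi
    done
    return 0
}

# Constructed demo: two scratch files at 0644 and a constructed query listing
# in which the first file is recorded with no permission bits.
setperms_preview_demo() {
    sp_dir=$(mktemp -d) || return 1
    touch "$sp_dir/interface_info" "$sp_dir/other_file"
    chmod 0644 "$sp_dir/interface_info" "$sp_dir/other_file"
    printf '0100000 %s\n0100644 %s\n' \
        "$sp_dir/interface_info" "$sp_dir/other_file" | setperms_preview
    rm -rf "$sp_dir"
}

setperms_preview_demo
```

On a real system, pipe the rpm query shown in the header comment into setperms_preview; a ZERO line marks a file that would end up unreadable after 'rpm --setperms'.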

Comment 1 Zdenek Pytela 2022-08-18 19:25:50 UTC
A dist-git commit to backport:

commit 193d303b3b4915c23798368b516b59b2bd49f0b5
Author: Vit Mojzis <vmojzis>
Date:   Wed Mar 30 14:47:15 2022 +0200

    Disable rpm verification on interface_info

Comment 8 Neil Garrett 2022-09-08 00:45:28 UTC
Hello -- any idea whether a fix will be released for RHEL 7?

Comment 9 Zdenek Pytela 2022-09-14 08:39:08 UTC
(In reply to Neil Garrett from comment #8)
> Hello -- any idea whether a fix will be released for RHEL 7?

Engineering do not have plans to backport this fix to RHEL 7.

Comment 11 errata-xmlrpc 2022-11-08 10:45:06 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691