Bug 741044

Summary: rpm verification indicates size and checksum change, but not time stamp
Product: [Fedora] Fedora Reporter: Göran Uddeborg <goeran>
Component: rpmAssignee: Panu Matilainen <pmatilai>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: ffesti, jnovy, pmatilai
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-10-11 16:09:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Göran Uddeborg 2011-09-24 16:06:28 UTC 
Description of problem:
When running "rpm --verify" recently I noticed a number of files in the selinux-policy-targeted package that were marked to have been changed when it comes to size and checksum.  But there was no indication their time stamps had been modified.  Comparing the actual files with the content of the rpm database, it looks as they have indeed been changed.  So what makes me confused is why rpm doesn't say so also when it comes to the time stamp.  Is this some feature of rpm that I don't understand, or is it a bug?

Version-Release number of selected component (if applicable):
rpm-4.9.1.1-3.fc16.x86_64
selinux-policy-targeted-3.10.0-28.fc16.noarch

How reproducible:
Every time

Steps to Reproduce:
1. rpm -qlv selinux-policy-targeted | grep homedir_template
2. ls -l /etc/selinux/targeted/modules/active/homedir_template
3. rpm --verify selinux-policy-targeted | grep homedir_template
  
Actual results:
-rw-------    1 root    root                     6751 sep 13 22:25 /etc/selinux/targeted/modules/active/homedir_template
-rw-------. 1 root root 6829 Sep 20 20:23 /etc/selinux/targeted/modules/active/homedir_template
5S.......    /etc/selinux/targeted/modules/active/homedir_template


Expected results:
The output from the first two commands as above, but for the third:
5S.T.....    /etc/selinux/targeted/modules/active/homedir_template

Additional info:
I don't think I have modified this file myself, or most of the others.  But I have made some additional local SELinux modules, and I imagine these files are generated when I run semanage.  If they are meant to be modified in that way, I assume they ought to be marked as config files.  But I'll wait to bug report that until I know if what I see above is indeed a bug, or if I'm just not understanding how things are meant to be.
Comment 1 Panu Matilainen 2011-10-11 11:22:20 UTC 
mtime verification is explicitly disabled for numerous files in the policy package, that's why rpm doesn't complain about it. Eg (from selinux-policy.spec):

%verify(not mtime) %{_sysconfdir}/selinux/%1/modules/active/homedir_template \

So rpm is simply doing what it's told to do. Why the policy is packaged this way is another question, one that the selinux folks can better answer. But it seems very much intentional to not have them as %config files either:

commit ee6088daa63aad42563fa5459ecabf3212ffc7ef
Author: Dan Walsh <dwalsh>
Date:   Fri Aug 5 16:03:13 2011 -0400

    Fix selinux-policy.spec to not print ugly rpmnew file
Comment 2 Göran Uddeborg 2011-10-11 16:09:48 UTC 
I see!  The %verify directive was a corner of RPM spec files I had missed.  sorry for the noise!