Description of problem:
Starting libvirt for the first time causes it to remove and recreate all files in /etc/libvirt/nwfilter, except they are created as 0600 instead of 0644, which causes verification to fail

Version-Release number of selected component (if applicable):
libvirt.x86_64 0:3.9.0-14.el7_5.2 

How reproducible:
100%

Steps to Reproduce:
1. Install 7.5
2. Install libvirt
3. rpm -V libvirt-config-daemon-nwfilter
4. systemctl start libvirtd.service
5. rpm -V libvirt-config-daemon-nwfilter

Actual results:
[root@localhost ~]# rpm -V libvirt-daemon-config-nwfilter
[root@localhost ~]# service libvirtd start
Redirecting to /bin/systemctl start libvirtd.service
[root@localhost ~]# rpm -V libvirt-daemon-config-nwfilter
.M.......  g /etc/libvirt/nwfilter/allow-arp.xml
.M.......  g /etc/libvirt/nwfilter/allow-dhcp-server.xml
.M.......  g /etc/libvirt/nwfilter/allow-dhcp.xml
.M.......  g /etc/libvirt/nwfilter/allow-incoming-ipv4.xml
.M.......  g /etc/libvirt/nwfilter/allow-ipv4.xml
.M.......  g /etc/libvirt/nwfilter/clean-traffic.xml
.M.......  g /etc/libvirt/nwfilter/no-arp-ip-spoofing.xml
.M.......  g /etc/libvirt/nwfilter/no-arp-mac-spoofing.xml
.M.......  g /etc/libvirt/nwfilter/no-arp-spoofing.xml
.M.......  g /etc/libvirt/nwfilter/no-ip-multicast.xml
.M.......  g /etc/libvirt/nwfilter/no-ip-spoofing.xml
.M.......  g /etc/libvirt/nwfilter/no-mac-broadcast.xml
.M.......  g /etc/libvirt/nwfilter/no-mac-spoofing.xml
.M.......  g /etc/libvirt/nwfilter/no-other-l2-traffic.xml
.M.......  g /etc/libvirt/nwfilter/no-other-rarp-traffic.xml
.M.......  g /etc/libvirt/nwfilter/qemu-announce-self-rarp.xml
.M.......  g /etc/libvirt/nwfilter/qemu-announce-self.xml


Expected results:
libvirt should use the correct permissions

Additional info: