Description of problem:
Rpm verify shows mode differs for package libvirt-daemon-config-nwfilter when libvirtd is stopped

Version-Release number of selected component (if applicable):
libvirt-daemon-config-nwfilter-4.5.0-9.el7.x86_64

How reproducible:
100%

Tested with packages:
libvirt-daemon-config-nwfilter-4.5.0-9.el7.x86_64
rpm-4.11.3-35.el7.x86_64

Test steps:
1. Install the libvirt-daemon-config-nwfilter package, then do rpm verify; all xml files will show mode differs

# rpm -V libvirt-daemon-config-nwfilter-4.5.0-9.el7.x86_64
.M....... g /etc/libvirt/nwfilter/allow-arp.xml
.M....... g /etc/libvirt/nwfilter/allow-dhcp-server.xml
.M....... g /etc/libvirt/nwfilter/allow-dhcp.xml
.M....... g /etc/libvirt/nwfilter/allow-incoming-ipv4.xml
.M....... g /etc/libvirt/nwfilter/allow-ipv4.xml
.M....... g /etc/libvirt/nwfilter/clean-traffic-gateway.xml
.M....... g /etc/libvirt/nwfilter/clean-traffic.xml
.M....... g /etc/libvirt/nwfilter/no-arp-ip-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-arp-mac-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-arp-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-ip-multicast.xml
.M....... g /etc/libvirt/nwfilter/no-ip-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-mac-broadcast.xml
.M....... g /etc/libvirt/nwfilter/no-mac-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-other-l2-traffic.xml
.M....... g /etc/libvirt/nwfilter/no-other-rarp-traffic.xml
.M....... g /etc/libvirt/nwfilter/qemu-announce-self-rarp.xml
.M....... g /etc/libvirt/nwfilter/qemu-announce-self.xml

# ll -Z /etc/libvirt/nwfilter/allow-arp.xml
-rw-r--r--. root root unconfined_u:object_r:virt_etc_rw_t:s0 /etc/libvirt/nwfilter/allow-arp.xml

# rpm -qa|grep rpm
rpm-4.11.3-35.el7.x86_64

2. Check the libvirtd status; it's stopped.

# service libvirtd status
Redirecting to /bin/systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:libvirtd(8)
           https://libvirt.org

Actual results:
The rpm verify fails

Expected results:
The rpm verify passes
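Reading the `rpm -V` lines above: the nine-character column marks which verification test failed (here only `M`, mode) and the letter after it is the file attribute (`g` is %ghost). The following is an added example, not part of the original report: a small decoder for that output, where the function names and the last two sample lines (with their paths) are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: decode `rpm -V` lines from stdin into
# "path<TAB>attribute<TAB>failed tests". Paths with spaces are not handled.
decode_rpm_verify() {
    awk '
    BEGIN {
        # Meaning of each position in the 9-character result column.
        split("size mode digest device link user group mtime caps", name, " ")
        attr["c"] = "config"; attr["d"] = "doc"; attr["g"] = "ghost"
        attr["l"] = "license"; attr["r"] = "readme"
    }
    {
        failed = ""
        if ($1 == "missing") {
            failed = "missing"
        } else if (length($1) == 9) {
            for (i = 1; i <= 9; i++) {
                c = substr($1, i, 1)
                if (c == ".") continue          # this test passed
                if (failed != "") failed = failed ","
                failed = failed name[i]
                if (c == "?") failed = failed "(unreadable)"
            }
        }
        if (failed == "") next                  # not a finding line
        kind = "-"
        if (NF == 3 && ($2 in attr)) kind = attr[$2]
        print $NF "\t" kind "\t" failed
    }'
}

# Findings other than a mode-only difference on a %ghost file, which is
# the pattern this report is about.
beyond_ghost_mode_drift() {
    decode_rpm_verify | awk -F '\t' '!($2 == "ghost" && $3 == "mode")'
}

# Constructed sample: two lines as shown in this report, two made up.
sample_report() {
    cat <<'EOF'
.M....... g /etc/libvirt/nwfilter/allow-arp.xml
.M....... g /etc/libvirt/nwfilter/clean-traffic.xml
S.5....T. c /etc/example/sample.conf
missing /usr/share/example/sample.txt
EOF
}

sample_report | beyond_ghost_mode_drift
```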
Patch sent upstream for review: https://www.redhat.com/archives/libvir-list/2019-May/msg00683.html
This will be addressed in the next major release.
Fixed upstream by

commit f87d5a964f648e78ad95b26a286e2670b0da72e2
Refs: v5.3.0-147-gf87d5a964f
Author:     Jiri Denemark <jdenemar>
AuthorDate: Thu May 23 14:31:37 2019 +0200
Commit:     Jiri Denemark <jdenemar>
CommitDate: Mon May 27 15:00:11 2019 +0200

    spec: Fix permissions of nwfilter XMLs

    The nwfilter XML files stored in /etc/libvirt/nwfilter are copied in a
    %post scriptlet from /usr/share/libvirt/nwfilter/*.xml. While the files
    in /usr/share are created with mode 0644, libvirt creates the files in
    /etc/libvirt/nwfilter with mode 0600. Since 0600 is also stored in the
    RPM database, we need to chmod the files copied from /usr/share to make
    sure RPM verification does not complain about changed permissions.

    https://bugzilla.redhat.com/show_bug.cgi?id=1628475

    Signed-off-by: Jiri Denemark <jdenemar>
    Reviewed-by: Andrea Bolognani <abologna>
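The mode mismatch described in the commit message can be reproduced in a scratch directory. This is an added example, not the libvirt spec file's scriptlet: it assumes the copy behaves like a plain `cp` under umask 022, and the function names and the three sample filter files are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration: simulates the copy in a temporary directory only.

# Print "mode name" for every XML file whose mode differs from the recorded
# one (the comparison behind the "M" column of `rpm -V`).
mode_mismatches() {   # usage: mode_mismatches DIR EXPECTED_MODE
    for f in "$1"/*.xml; do
        [ -e "$f" ] || continue
        actual=$(stat -c '%a' "$f")          # GNU coreutils stat
        [ "$actual" = "$2" ] || printf '%s %s\n' "$actual" "${f##*/}"
    done
}

# Copy the packaged filters; with "fix", chmod each copy to the recorded mode.
install_filters() {   # usage: install_filters SRC DST [fix]
    for f in "$1"/*.xml; do
        cp "$f" "$2/" || return 1
        if [ "${3:-}" = fix ]; then
            chmod 600 "$2/${f##*/}" || return 1
        fi
    done
}

# Run one scenario in a subshell and print the number of mismatching files.
simulate() (          # usage: simulate [fix]
    umask 022                                # assumed scriptlet umask
    work=$(mktemp -d) || exit 1
    mkdir "$work/share" "$work/etc"
    for n in allow-arp clean-traffic no-mac-spoofing; do
        printf '<filter name="%s"/>\n' "$n" > "$work/share/$n.xml"
        chmod 644 "$work/share/$n.xml"       # mode of the files in /usr/share
    done
    install_filters "$work/share" "$work/etc" "${1:-}"
    mode_mismatches "$work/etc" 600 | wc -l | tr -d ' '
    rm -rf "$work"
)

echo "plain copy:   $(simulate) file(s) differ from recorded mode 0600"
echo "copy + chmod: $(simulate fix) file(s) differ from recorded mode 0600"
```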
Reproduce the bug on

1. Install the libvirt-daemon-config-nwfilter package while the libvirtd service is inactive:
(if the package is installed while libvirtd is active, the bug cannot be reproduced)

# rpm -q libvirt-daemon-config-nwfilter
package libvirt-daemon-config-nwfilter is not installed

# systemctl status libvirtd
...
Active: inactive (dead)
...

# yum install -y libvirt-daemon-config-nwfilter
...

2. Check that the rpm validate will fail:

# rpm -V libvirt-daemon-config-nwfilter
.M....... g /etc/libvirt/nwfilter/allow-arp.xml
.M....... g /etc/libvirt/nwfilter/allow-dhcp-server.xml
.M....... g /etc/libvirt/nwfilter/allow-dhcp.xml
.M....... g /etc/libvirt/nwfilter/allow-incoming-ipv4.xml
.M....... g /etc/libvirt/nwfilter/allow-ipv4.xml
.M....... g /etc/libvirt/nwfilter/clean-traffic-gateway.xml
.M....... g /etc/libvirt/nwfilter/clean-traffic.xml
.M....... g /etc/libvirt/nwfilter/no-arp-ip-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-arp-mac-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-arp-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-ip-multicast.xml
.M....... g /etc/libvirt/nwfilter/no-ip-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-mac-broadcast.xml
.M....... g /etc/libvirt/nwfilter/no-mac-spoofing.xml
.M....... g /etc/libvirt/nwfilter/no-other-l2-traffic.xml
.M....... g /etc/libvirt/nwfilter/no-other-rarp-traffic.xml
.M....... g /etc/libvirt/nwfilter/qemu-announce-self-rarp.xml
.M....... g /etc/libvirt/nwfilter/qemu-announce-self.xml

Verify the bug on libvirt-daemon-config-nwfilter-5.4.0-2.module+el8.1.0+3523+b348b848.x86_64:

1. Stop the libvirtd service;
2. Install the package libvirt-daemon-config-nwfilter;
3. Check by "rpm -V"

# rpm -V libvirt-daemon-config-nwfilter
==> no outputs
# echo $?
0

4. Also check the scenario where the package is installed while libvirtd is active: validate passes, and the result is as expected, too.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3723