Bug 1671327
| Summary: | RPM permission validation failed on /var/log/journal using openscap scan | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Yogita <ysoni> |
| Component: | systemd | Assignee: | systemd-maint |
| Status: | CLOSED DUPLICATE | QA Contact: | Frantisek Sumsal <fsumsal> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.6 | CC: | dtardon, jsynacek, kwalker, mhaicman, mmarhefk, openscap-maint, rsahoo, systemd-maint-list, systemd-maint |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-04-26 12:08:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Yogita
2019-01-31 12:14:30 UTC
(In reply to Yogita from comment #0)
> [root@localhost ~]# rpm -V systemd
> S.5....T. c /etc/systemd/journald.conf

This makes sense, because you changed the configuration. I'm not sure why these verify bits get shown on a config file that is supposed to be changed.

> .M....G.. g /var/log/journal
>
> [root@localhost ~]# ls -ld /var/log/journal
> drwxr-sr-x+ 3 root systemd-journal 46 Jan 29 13:18 /var/log/journal

The SGID comes from a tmpfiles.d snippet:

    # grep 2755 /usr/lib/tmpfiles.d/systemd.conf
    z /run/log/journal 2755 root systemd-journal - -
    z /var/log/journal 2755 root systemd-journal - -
    z /var/log/journal/%m 2755 root systemd-journal - -

It is set so that everyone in the systemd-journal group gets access to the journal files. Also, systemd-journald itself then doesn't have to care about file permissions and doesn't have to do possible user/group lookups, which in turn (depending on the nsswitch.conf) might cause other services to use the journal, which would result in a deadlock.

(In reply to Jan Synacek from comment #2)
> (In reply to Yogita from comment #0)
> > [root@localhost ~]# rpm -V systemd
> > S.5....T. c /etc/systemd/journald.conf
>
> This makes sense, because you changed the configuration. I'm not sure why
> these verify bits get shown on a config file that is supposed to be changed.

You have to run "rpm -V --noconfig" if you don't want to see that.

*** This bug has been marked as a duplicate of bug 1545372 ***

Hello,

Re-opening this bugzilla case as the duplicate bugzilla case 1545372 is closed as NOTABUG with below explanation -

---------------------------------------------------------------------------------------
The SGID comes from a tmpfiles.d snippet:

    # grep 2755 /usr/lib/tmpfiles.d/systemd.conf
    z /run/log/journal 2755 root systemd-journal - -
    z /var/log/journal 2755 root systemd-journal - -
    z /var/log/journal/%m 2755 root systemd-journal - -

It is set so that everyone in the systemd-journal group gets access to the journal files.
Also, systemd-journald itself then doesn't have to care about file permissions and doesn't have to do possible user/group lookups, which in turn (depending on the nsswitch.conf) might cause other services to use the journal, which would result in a deadlock.
---------------------------------------------------------------------------------------

Cu for whom this bugzilla case was primarily opened is having below question -

========================================================================================
I totally agree that the permissions are correct from systemd's perspective but the issue arises when you try to verify the permissions on disk relating to the permissions RPM sets. Due to the fact that RPM sets different permissions than are implemented at runtime, you will always bump into this issue. This will, in our case, always raise a FAILED status when verifying the system with OpenSCAP (DISA STIG). So to me the problem still exists.
========================================================================================

So here, the prime issue -> After running an openscap scan the following rule failed: "xccdf_org.ssgproject.content_rule_rpm_verify_ownership" still exists!

Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Just to make sure that all those cc'd are on the same page. I am moving this bug back to systemd, and closing it in favor of the following:
1545372 – [SPEC] rpm -V failures
https://bugzilla.redhat.com/show_bug.cgi?id=1545372
Please follow the resolution process there.
*** This bug has been marked as a duplicate of bug 1545372 ***
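The reasoning in the thread (config files show verify bits that `rpm -V --noconfig` hides; the SGID mode on /var/log/journal is applied at runtime by a tmpfiles.d `z` entry) can be turned into a triage step an auditor runs before treating an rpm_verify_ownership failure as a finding. The script below is an added example, not code from this bug report, from systemd or from OpenSCAP. The sample `rpm -V` and tmpfiles.d lines are constructed from the ones quoted above, the `/usr/lib/systemd/example-binary` line is a made-up entry that exercises the unexplained branch, and the function names are the example's own.

```shell
#!/bin/sh
# Constructed sample of `rpm -V systemd` output (embedded test data, not live
# output). The first two lines mirror the bug report; the third is made up to
# show a mismatch that nothing explains.
RPM_VERIFY_SAMPLE='S.5....T. c /etc/systemd/journald.conf
.M....G.. g /var/log/journal
.M....... /usr/lib/systemd/example-binary'

# Constructed excerpt of /usr/lib/tmpfiles.d/systemd.conf, as quoted in the bug.
TMPFILES_SAMPLE='z /run/log/journal 2755 root systemd-journal - -
z /var/log/journal 2755 root systemd-journal - -
z /var/log/journal/%m 2755 root systemd-journal - -'

# tmpfiles_expected PATH TMPFILES_TEXT
# Prints "MODE USER GROUP" from the first "z" (adjust) or "d" (create dir)
# entry whose path equals PATH, or nothing if no entry applies.
# Caveat: tmpfiles specifiers such as %m are not expanded here.
tmpfiles_expected() {
    printf '%s\n' "$2" | awk -v p="$1" '
        ($1 == "z" || $1 == "d") && $2 == p { print $3, $4, $5; exit }'
}

# classify_rpm_verify RPM_VERIFY_TEXT TMPFILES_TEXT
# For each rpm -V line prints one of:
#   CONFIG  <path>                 %config file; `rpm -V --noconfig` hides it
#   RUNTIME <path> <mode> <group>  mode/owner differs because tmpfiles.d sets it
#   REVIEW  <path> <flags>         mismatch with no known explanation
# rpm -V flag positions are S M 5 D L U G T P; M, U and G are the ones a
# tmpfiles.d entry can legitimately change.
classify_rpm_verify() {
    tmpfiles=$2
    printf '%s\n' "$1" | while read -r flags attr path; do
        [ -z "$flags" ] && continue
        # Lines without an attribute letter (c, d, g, ...) have only two fields.
        if [ -z "$path" ]; then
            path=$attr
            attr=""
        fi
        if [ "$attr" = "c" ]; then
            printf 'CONFIG %s\n' "$path"
            continue
        fi
        expected=$(tmpfiles_expected "$path" "$tmpfiles")
        if [ -n "$expected" ]; then
            case $flags in
                *M*|*U*|*G*)
                    mode=${expected%% *}
                    group=${expected##* }
                    printf 'RUNTIME %s %s %s\n' "$path" "$mode" "$group"
                    continue ;;
            esac
        fi
        printf 'REVIEW %s %s\n' "$path" "$flags"
    done
}

# Usage on the constructed sample. On a live host the two arguments would be
# "$(rpm -V systemd)" and "$(cat /usr/lib/tmpfiles.d/*.conf)".
classify_rpm_verify "$RPM_VERIFY_SAMPLE" "$TMPFILES_SAMPLE"
```

A RUNTIME line documents why the on-disk mode differs from the RPM database; it does not make the scanner rule pass, since that rule compares against what RPM recorded. What it gives the reviewer is a list reduced to the REVIEW entries, which are the only ones that need an explanation.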