Description of problem:
After installing selinux-policy-devel-35.15-1.fc35.noarch and then running rpm --verify I get a "mode differs" problem:

$ rpm -V selinux-policy-devel-35.15-1.fc35.noarch
.M....... g /var/lib/sepolgen/interface_info
$ ls -l /var/lib/sepolgen/interface_info
-rw-r--r--. 1 root root 3108419 Mar 29 09:51 /var/lib/sepolgen/interface_info

I can restore package permissions using the rpm --setperms command:

$ rpm --setperms selinux-policy-devel-35.15-1.fc35.noarch

And the result is:

$ ls -l /var/lib/sepolgen/interface_info
----------. 1 root root 3108419 Mar 29 09:51 /var/lib/sepolgen/interface_info

It is unclear what permissions are appropriate.

Steps to Reproduce:
1. Install selinux-policy-devel-35.15-1.fc35.noarch
2. Run package verification: rpm -V selinux-policy-devel-35.15-1.fc35.noarch
3. Mode differs
4. Restore perms: rpm --setperms selinux-policy-devel-35.15-1.fc35.noarch
5. Perform step number 2 again.

Actual results:
Wrong permissions?

Expected results:
Proper permissions after installing the package.
Vito,

It seems to me the /var/lib/sepolgen/interface_info file is created on selinux-policy-devel installation:

154 %post devel
155 %{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
156 exit 0

The file is listed as a ghost file:

152 %ghost %{_sharedstatedir}/sepolgen/interface_info

Does sepolgen-ifgen use some equivalent of "umask 777" when the file is created for the first time? Once the permissions are fixed, the next run of the command does not change the permissions.

Speaking of interface_info, why at all is this file a ghost file?
(In reply to Zdenek Pytela from comment #1)
> Vito,
>
> It seems to me the /var/lib/sepolgen/interface_info file is created on
> selinux-policy-devel installation:
>
> 154 %post devel
> 155 %{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
> 156 exit 0
>
> The file is listed as a ghost file:
> 152 %ghost %{_sharedstatedir}/sepolgen/interface_info
>
> Does sepolgen-ifgen use some equivalent of "umask 777" when the file is
> created for the first time?

Yes, but the value (644) is "hardcoded" in policycoreutils. I believe we should either specify the value in the spec file (i.e. %attr(644,root,root)), or better yet disable validation on the file (%verify(not md5 size mode mtime)).

%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info

> Once the permissions are fixed, next run of the command does not change the
> permissions.
>
> Speaking of interface_info, why at all is this file a ghost file?

Because it is not shipped by the package (hence rpmbuild would complain about the file missing if we used a normal definition), but it is used for policy compilation, so we still want to tie it to the selinux-policy-devel package after it is generated.
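The ".M......." string in the report and the check names in %verify(not md5 size mode mtime) refer to the same nine per-file checks that rpm -V performs. The following shell script is an added example, not from the bug report or the selinux-policy package: it parses rpm -V output into per-file failed-check names and picks out files whose mode differs from the package database, which is what the report is about. The sample rpm -V lines are constructed for the example; with a package name as argument it runs the real rpm -V instead.

```shell
#!/bin/sh
# Added example, not part of the bug report or the selinux-policy package:
# parse `rpm -V` output so per-file verification failures can be reported.
#
# rpm -V prints one line per file that failed a check:
#   <9 flag chars> <optional type char> <path>
# Flag positions: S size, M mode, 5 digest, D device, L readlink, U user,
# G group, T mtime, P capabilities. '.' = check passed, '?' = not testable.
# Type chars: c config, d documentation, g ghost, l license, r readme.
# A file that no longer exists is printed as "missing" instead of the flags.

# Constructed sample output, modelled on the report above (not real output).
SAMPLE_RPM_V='.M....... g /var/lib/sepolgen/interface_info
S.5....T.  c /etc/selinux/semanage.conf
.......T.    /usr/share/doc/foo/README
missing     /var/lib/foo/state'

# Read rpm -V lines on stdin; print "<failed-checks> <type> <path>" per line,
# e.g. "mode g /var/lib/sepolgen/interface_info". Type is '-' when absent.
rpm_v_parse() {
    while read -r flags f2 f3; do
        [ -n "$flags" ] || continue
        # The second word is a file-type letter only if a path follows it.
        case "$f2" in
            [cdglr]) if [ -n "$f3" ]; then type=$f2; path=$f3
                     else type=-; path=$f2; fi ;;
            *)       type=-; path="$f2${f3:+ $f3}" ;;
        esac
        if [ "$flags" = missing ]; then
            printf '%s %s %s\n' missing "$type" "$path"
            continue
        fi
        failed=
        rest=$flags
        for name in size mode digest device link user group mtime caps; do
            c=${rest%"${rest#?}"}   # first remaining flag character
            rest=${rest#?}
            case "$c" in
                .|'') ;;                                     # check passed
                '?')  failed="${failed:+$failed,}$name?" ;;  # not testable
                *)    failed="${failed:+$failed,}$name" ;;   # check failed
            esac
        done
        printf '%s %s %s\n' "${failed:-ok}" "$type" "$path"
    done
}

# Print only the paths whose permission bits differ from the rpm database,
# the case reported above.
rpm_v_mode_diffs() {
    rpm_v_parse | while read -r failed type path; do
        case ",$failed," in
            *,mode,*) printf '%s\n' "$path" ;;
        esac
    done
}

# With a package name, inspect the live system (needs rpm on the host);
# otherwise run on the constructed sample so the script works offline.
if [ $# -gt 0 ]; then
    rpm -V "$@" | rpm_v_parse
else
    printf '%s\n' "$SAMPLE_RPM_V" | rpm_v_parse
fi
```

A ghost file with %verify(not md5 size mode mtime) never produces the "mode" entry, so a script like this is also a quick way to confirm that the spec-file change actually silences the report.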
https://src.fedoraproject.org/rpms/selinux-policy/pull-request/269
Merged 3 months ago. Closing. https://src.fedoraproject.org/rpms/selinux-policy/c/193d303b3b4915c23798368b516b59b2bd49f0b5?branch=rawhide