Bug 2119472 - Mode default differs for /var/lib/sepolgen/interface_info provided by selinux-policy-devel
Summary: Mode default differs for /var/lib/sepolgen/interface_info provided by selinux...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.7
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2132168 2134515
Reported: 2022-08-18 15:26 UTC by Neil Garrett
Modified: 2022-11-08 12:23 UTC (History)

Fixed In Version: selinux-policy-3.14.3-107.el8
Doc Type: Bug Fix
Doc Text:
Cause: The /var/lib/sepolgen/interface_info file is generated during the %post phase of the selinux-policy-devel rpm package installation.
Consequence: The output of 'rpm --verify selinux-policy-devel' shows that sepolgen-ifgen's mode/permissions have changed against the stored default.
Fix: The specfile was modified not to store file metadata in the rpm database used for verification.
Result: 'rpm --verify selinux-policy-devel' does not report any problem.
Clone Of:
: 2132168 2134515 (view as bug list)
Environment:
Last Closed: 2022-11-08 10:45:06 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Bugzilla | 2069588 | 0 | unspecified | CLOSED | Mode differs for /var/lib/sepolgen/interface_info | 2022-09-06 15:08:33 UTC |
| Red Hat Issue Tracker | RHELPLAN-131464 | 0 | None | None | None | 2022-08-18 15:50:09 UTC |
| Red Hat Product Errata | RHBA-2022:7691 | 0 | None | None | None | 2022-11-08 10:45:27 UTC |

Description Neil Garrett 2022-08-18 15:26:00 UTC
Description of problem:
With selinux-policy-devel rpm installed, the output of 'rpm -V' run against it shows that associated file sepolgen-ifgen's mode/permissions are not default. After running 'rpm --setperms' against the rpm it changes the sepolgen-ifgen's permissions from 0644 to 0000.

I'm not sure what the appropriate permissions for /usr/lib/sepolgen/interface_info are, but 0000 does not seem right. At the very least, the rpm is providing the file with permissions that differ from what it thinks the default should be. 

Version-Release number of selected component (if applicable):
selinux-policy-devel-3.14.3-95.el8_6.1 although I have replicated this behavior on a few older versions in RHEL 8 as well as the latest version provided with RHEL 7.9. 

How reproducible:
Every time

Steps to Reproduce:
1. Install selinux-policy-devel
2. Run package verification against it with 'rpm -V'
3. Output will show that mode for /usr/lib/sepolgen/interface_info deviates from default
4. Restore default permissions with 'rpm --setperms'
5. Run package verification against the rpm again to verify no output
6. Perform long listing of interface_info file which shows mode of 0000

Actual results:
Wrong file permissions for a file provided by the rpm or incorrectly defined default permissions for the provided file

Expected results:
Correct permissions for files provided by the selinux-policy-devel rpm

Additional info:
For what it's worth, I was able to reproduce this on the following versions of selinux-policy-devel in both RHEL 8 and RHEL 7:

selinux-policy-devel-3.13.1-268.el7_9.2.noarch
selinux-policy-devel-3.14.3-80.el8_5.2.noarch
selinux-policy-devel-3.14.3-95.el8
selinux-policy-devel-3.14.3-95.el8_6.1.noarch

I also found an upstream bug with Fedora covering the same problem:
2069588
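
A triage sketch for the reproduction steps above, added here as an example and not part of the original report or of Red Hat's tooling: it lists files that `rpm -V` flags for a mode difference and picks out those whose recorded permission bits are 0000, where `rpm --setperms` would leave the file inaccessible as in step 6. The sample lines, the `example` paths, the recorded mode values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not captured from a real host.

# Write constructed samples into directory $1:
#   verify.txt: `rpm -V <pkg>` style lines (9 flag characters, optional type marker, path)
#   modes.txt:  `rpm -q --qf '[%{FILEMODES:octal} %{FILENAMES}\n]' <pkg>` style lines
write_samples() {
    cat > "$1/verify.txt" <<'EOF'
.M.......    /var/lib/sepolgen/interface_info
S.5....T.  c /etc/example.conf
.M.......    /usr/bin/example-tool
missing      /usr/share/example/gone
EOF
    cat > "$1/modes.txt" <<'EOF'
100000 /var/lib/sepolgen/interface_info
100644 /etc/example.conf
100755 /usr/bin/example-tool
100644 /usr/share/example/gone
EOF
}

# Paths whose second verification flag is 'M' (mode differs from the rpm database).
# Assumes paths without spaces, since the path is taken as the last field.
mode_drift() {
    awk '$1 != "missing" && length($1) >= 8 && substr($1, 2, 1) == "M" { print $NF }' "$1"
}

# Of those paths, the ones the database records with permission bits 0000:
# `rpm --setperms` would apply exactly that mode to the file on disk.
setperms_would_zero() {
    awk 'NR == FNR { if ($1 != "missing" && substr($1, 2, 1) == "M") drift[$NF] = 1; next }
         ($2 in drift) { m = "0000" $1; if (substr(m, length(m) - 3) == "0000") print $2 }' "$1" "$2"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "mode differs:"
mode_drift "$tmp/verify.txt"
echo "recorded as 0000, review before running rpm --setperms:"
setperms_would_zero "$tmp/verify.txt" "$tmp/modes.txt"
rm -rf "$tmp"
```

On a real host, the two input files would come from the `rpm -V` and `rpm -q --qf` commands named in the comments, run against the package being checked.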

Comment 1 Zdenek Pytela 2022-08-18 19:25:50 UTC
A dist-git commit to backport:

commit 193d303b3b4915c23798368b516b59b2bd49f0b5
Author: Vit Mojzis <vmojzis>
Date:   Wed Mar 30 14:47:15 2022 +0200

    Disable rpm verification on interface_info

Comment 8 Neil Garrett 2022-09-08 00:45:28 UTC
Hello -- any idea whether a fix will be released for RHEL 7?

Comment 9 Zdenek Pytela 2022-09-14 08:39:08 UTC
(In reply to Neil Garrett from comment #8)
> Hello -- any idea whether a fix will be released for RHEL 7?

Engineering do not have plans to backport this fix to RHEL 7.

Comment 11 errata-xmlrpc 2022-11-08 10:45:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691
