[libvirt] [PATCH] spec: Fix permissions of nwfilter XMLs

Jiri Denemark posted 1 patch 4 years, 11 months ago
Test syntax-check passed
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/e56b7eeec84bbc401120c4965cb6ff24291daf85.1558616193.git.jdenemar@redhat.com
libvirt.spec.in | 2 ++
1 file changed, 2 insertions(+)
[libvirt] [PATCH] spec: Fix permissions of nwfilter XMLs
Posted by Jiri Denemark 4 years, 11 months ago
The nwfilter XML files stored in /etc/libvirt/nwfilter are copied in a
%post scriptlet from /usr/share/libvirt/nwfilter/*.xml. While the files
in /usr/share are created with mode 0644, libvirt creates the files in
/etc/libvirt/nwfilter with mode 0600. Since 0600 is also stored in the
RPM database, we need to chmod the files copied from /usr/share to make
sure RPM verification does not complain about changed permissions.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
 libvirt.spec.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 5bd3e30509..970d2742ac 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1441,6 +1441,8 @@ rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
 
 %post daemon-config-nwfilter
 cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/
+# libvirt saves these files with mode 600
+chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml
 # Make sure libvirt picks up the new nwfilter defininitons
 mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || :
 touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
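Review bot: the added `chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml` globs the whole destination directory, so it resets the mode of every filter XML already present there, not only the files the preceding `cp` just copied, and until it runs the fresh copies carry whatever mode `cp` gave them. Consider setting the mode as part of the copy, for example `install -m 0600 %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/`, which touches only the shipped files. The new comment would also help future readers more if it said why the mode matters in this scriptlet (it has to match the 0600 recorded in the RPM database, as the commit message explains).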
-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] spec: Fix permissions of nwfilter XMLs
Posted by Jiri Denemark 4 years, 11 months ago
On Thu, May 23, 2019 at 14:56:33 +0200, Jiri Denemark wrote:
> The nwfilter XML files stored in /etc/libvirt/nwfilter are copied in a
> %post scriptlet from /usr/share/libvirt/nwfilter/*.xml. While the files
> in /usr/share are created with mode 0644, libvirt creates the files in
> /etc/libvirt/nwfilter with mode 0600. Since 0600 is also stored in the
> RPM database, we need to chmod the files copied from /usr/share to make
> sure RPM verification does not complain about changed permissions.

https://bugzilla.redhat.com/show_bug.cgi?id=1628475

Jirka

Re: [libvirt] [PATCH] spec: Fix permissions of nwfilter XMLs
Posted by Andrea Bolognani 4 years, 11 months ago
On Thu, 2019-05-23 at 14:56 +0200, Jiri Denemark wrote:
[...]
>  %post daemon-config-nwfilter
>  cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/
> +# libvirt saves these files with mode 600
> +chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml
>  # Make sure libvirt picks up the new nwfilter defininitons
>  mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || :
>  touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :

Interesting, I have the very same hunk in a larger patch that I'm
working on :)

The change itself looks good, but shouldn't you be able to remove
the corresponding call from the %install section at the same time?
It's not like it's doing anything useful at the moment anyway.

-- 
Andrea Bolognani / Red Hat / Virtualization

Re: [libvirt] [PATCH] spec: Fix permissions of nwfilter XMLs
Posted by Jiri Denemark 4 years, 11 months ago
On Thu, May 23, 2019 at 16:12:27 +0200, Andrea Bolognani wrote:
> On Thu, 2019-05-23 at 14:56 +0200, Jiri Denemark wrote:
> [...]
> >  %post daemon-config-nwfilter
> >  cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/
> > +# libvirt saves these files with mode 600
> > +chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml
> >  # Make sure libvirt picks up the new nwfilter defininitons
> >  mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || :
> >  touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
> 
> Interesting, I have the very same hunk in a larger patch that I'm
> working on :)
> 
> The change itself looks good, but shouldn't you be able to remove
> the corresponding call from the %install section at the same time?
> It's not like it's doing anything useful at the moment anyway.

No, it's making sure the RPM database will have the right info in it.
That is, if you remove the part in %install, RPM will record 644 for the
XML files and the verification will always fail afterwards.

Jirka

Re: [libvirt] [PATCH] spec: Fix permissions of nwfilter XMLs
Posted by Andrea Bolognani 4 years, 10 months ago
On Thu, 2019-05-23 at 16:35 +0200, Jiri Denemark wrote:
> On Thu, May 23, 2019 at 16:12:27 +0200, Andrea Bolognani wrote:
> > On Thu, 2019-05-23 at 14:56 +0200, Jiri Denemark wrote:
> > [...]
> > >  %post daemon-config-nwfilter
> > >  cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/
> > > +# libvirt saves these files with mode 600
> > > +chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml
> > >  # Make sure libvirt picks up the new nwfilter defininitons
> > >  mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || :
> > >  touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
> > 
> > Interesting, I have the very same hunk in a larger patch that I'm
> > working on :)
> > 
> > The change itself looks good, but shouldn't you be able to remove
> > the corresponding call from the %install section at the same time?
> > It's not like it's doing anything useful at the moment anyway.
> 
> No, it's making sure the RPM database will have the right info in it.
> That is, if you remove the part in %install, RPM will record 644 for the
> XML files and the verification will always fail afterwards.

I was not convinced this would be the case but after playing around
and understanding the %ghost directive better, I agree that we also
need to keep those lines in, so

  Reviewed-by: Andrea Bolognani <abologna@redhat.com>

-- 
Andrea Bolognani / Red Hat / Virtualization
