The nwfilter XML files stored in /etc/libvirt/nwfilter are copied in a
%post scriptlet from /usr/share/libvirt/nwfilter/*.xml. While the files
in /usr/share are created with mode 0644, libvirt creates the files in
/etc/libvirt/nwfilter with mode 0600. Since 0600 is also stored in the
RPM database, we need to chmod the files copied from /usr/share to make
sure RPM verification does not complain about changed permissions.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
libvirt.spec.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 5bd3e30509..970d2742ac 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1441,6 +1441,8 @@ rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
%post daemon-config-nwfilter
cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/
+# libvirt saves these files with mode 600
+chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml
# Make sure libvirt picks up the new nwfilter defininitons
mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || :
touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
--
2.21.0
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
On Thu, May 23, 2019 at 14:56:33 +0200, Jiri Denemark wrote: > The nwfilter XML files stored in /etc/libvirt/nwfilter are copied in a > %post scriptlet from /usr/share/libvirt/nwfilter/*.xml. While the files > in /usr/share are created with mode 0644, libvirt creates the files in > /etc/libvirt/nwfilter with mode 0600. Since 0600 is also stored in the > RPM database, we need to chmod the files copied from /usr/share to make > sure RPM verification does not complain about changed permissions. https://bugzilla.redhat.com/show_bug.cgi?id=1628475 Jirka -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
On Thu, 2019-05-23 at 14:56 +0200, Jiri Denemark wrote: [...] > %post daemon-config-nwfilter > cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/ > +# libvirt saves these files with mode 600 > +chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml > # Make sure libvirt picks up the new nwfilter defininitons > mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || : > touch %{_localstatedir}/lib/rpm-state/libvirt/restart || : Interesting, I have the very same hunk in a larger patch that I'm working on :) The change itself looks good, but shouldn't you be able to remove the corresponding call from the %install section at the same time? It's not like it's doing anything useful at the moment anyway. -- Andrea Bolognani / Red Hat / Virtualization -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
On Thu, May 23, 2019 at 16:12:27 +0200, Andrea Bolognani wrote: > On Thu, 2019-05-23 at 14:56 +0200, Jiri Denemark wrote: > [...] > > %post daemon-config-nwfilter > > cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/ > > +# libvirt saves these files with mode 600 > > +chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml > > # Make sure libvirt picks up the new nwfilter defininitons > > mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || : > > touch %{_localstatedir}/lib/rpm-state/libvirt/restart || : > > Interesting, I have the very same hunk in a larger patch that I'm > working on :) > > The change itself looks good, but shouldn't you be able to remove > the corresponding call from the %install section at the same time? > It's not like it's doing anything useful at the moment anyway. No, it's making sure the RPM database will have the right info in it. That is, if you remove the part in %install, RPM will record 644 for the XML files and the verification will always fail afterwards. Jirka -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
On Thu, 2019-05-23 at 16:35 +0200, Jiri Denemark wrote: > On Thu, May 23, 2019 at 16:12:27 +0200, Andrea Bolognani wrote: > > On Thu, 2019-05-23 at 14:56 +0200, Jiri Denemark wrote: > > [...] > > > %post daemon-config-nwfilter > > > cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/ > > > +# libvirt saves these files with mode 600 > > > +chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml > > > # Make sure libvirt picks up the new nwfilter defininitons > > > mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || : > > > touch %{_localstatedir}/lib/rpm-state/libvirt/restart || : > > > > Interesting, I have the very same hunk in a larger patch that I'm > > working on :) > > > > The change itself looks good, but shouldn't you be able to remove > > the corresponding call from the %install section at the same time? > > It's not like it's doing anything useful at the moment anyway. > > No, it's making sure the RPM database will have the right info in it. > That is, if you remove the part in %install, RPM will record 644 for the > XML files and the verification will always fail afterwards. I was not convinced this would be the case but after playing around and understanding the %ghost directive better, I agree that we also need to keep those lines in, so Reviewed-by: Andrea Bolognani <abologna@redhat.com> -- Andrea Bolognani / Red Hat / Virtualization -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
© 2016 - 2024 Red Hat, Inc.