[libvirt] [PATCH] spec: Fix permissions of nwfilter XMLs

The nwfilter XML files stored in /etc/libvirt/nwfilter are copied in a %post scriptlet from /usr/share/libvirt/nwfilter/*.xml. While the files in /usr/share are created with mode 0644, libvirt creates the files in /etc/libvirt/nwfilter with mode 0600. Since 0600 is also stored in the RPM database, we need to chmod the files copied from /usr/share to make sure RPM verification does not complain about changed permissions. Signed-off-by: Jiri Denemark <jdenemar@redhat.com> --- libvirt.spec.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libvirt.spec.in b/libvirt.spec.in index 5bd3e30509..970d2742ac 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1441,6 +1441,8 @@ rm -rf %{_localstatedir}/lib/rpm-state/libvirt || : %post daemon-config-nwfilter cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/ +# libvirt saves these files with mode 600 +chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml # Make sure libvirt picks up the new nwfilter defininitons mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || : touch %{_localstatedir}/lib/rpm-state/libvirt/restart || : -- 2.21.0
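Review bot: The added `chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml` in `%post daemon-config-nwfilter` globs the destination directory, so it touches every XML file under /etc/libvirt/nwfilter rather than only the ones the preceding `cp` copied, and any file `cp` newly creates keeps the copy's default mode until the chmod runs. Consider setting the mode as part of the copy, for example `install -m 0600 %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/`, or iterating over the source file names so only the shipped filters are touched. The new comment could also say why the mode matters (per the commit message, 0600 is what the RPM database records), and the context comment just below it has a typo, "defininitons".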

On Thu, May 23, 2019 at 14:56:33 +0200, Jiri Denemark wrote:
The nwfilter XML files stored in /etc/libvirt/nwfilter are copied in a %post scriptlet from /usr/share/libvirt/nwfilter/*.xml. While the files in /usr/share are created with mode 0644, libvirt creates the files in /etc/libvirt/nwfilter with mode 0600. Since 0600 is also stored in the RPM database, we need to chmod the files copied from /usr/share to make sure RPM verification does not complain about changed permissions.

On Thu, 2019-05-23 at 14:56 +0200, Jiri Denemark wrote: [...]
%post daemon-config-nwfilter cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/ +# libvirt saves these files with mode 600 +chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml # Make sure libvirt picks up the new nwfilter defininitons mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || : touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
Interesting, I have the very same hunk in a larger patch that I'm working on :)

The change itself looks good, but shouldn't you be able to remove the corresponding call from the %install section at the same time? It's not like it's doing anything useful at the moment anyway.

-- 
Andrea Bolognani / Red Hat / Virtualization

On Thu, May 23, 2019 at 16:12:27 +0200, Andrea Bolognani wrote:
On Thu, 2019-05-23 at 14:56 +0200, Jiri Denemark wrote: [...]
%post daemon-config-nwfilter cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/ +# libvirt saves these files with mode 600 +chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml # Make sure libvirt picks up the new nwfilter defininitons mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || : touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
Interesting, I have the very same hunk in a larger patch that I'm working on :)
The change itself looks good, but shouldn't you be able to remove the corresponding call from the %install section at the same time? It's not like it's doing anything useful at the moment anyway.
No, it's making sure the RPM database will have the right info in it. That is, if you remove the part in %install, RPM will record 644 for the XML files and the verification will always fail afterwards.

Jirka

On Thu, 2019-05-23 at 16:35 +0200, Jiri Denemark wrote:
On Thu, May 23, 2019 at 16:12:27 +0200, Andrea Bolognani wrote:
On Thu, 2019-05-23 at 14:56 +0200, Jiri Denemark wrote: [...]
%post daemon-config-nwfilter cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/ +# libvirt saves these files with mode 600 +chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml # Make sure libvirt picks up the new nwfilter defininitons mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || : touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
Interesting, I have the very same hunk in a larger patch that I'm working on :)
The change itself looks good, but shouldn't you be able to remove the corresponding call from the %install section at the same time? It's not like it's doing anything useful at the moment anyway.
No, it's making sure the RPM database will have the right info in it. That is, if you remove the part in %install, RPM will record 644 for the XML files and the verification will always fail afterwards.
I was not convinced this would be the case but after playing around and understanding the %ghost directive better, I agree that we also need to keep those lines in, so

Reviewed-by: Andrea Bolognani <abologna@redhat.com>

-- 
Andrea Bolognani / Red Hat / Virtualization