Re: f41 rpm -i ~/systemd-256.6-1.fc41.src.rpm fails

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2024-10-08 at 12:14 +0300, Panu Matilainen wrote:
> On 10/6/24 12:42 AM, Barry wrote:
> > 
> > 
> > > On 5 Oct 2024, at 18:32, Fabio Valentini <decathorpe@xxxxxxxxx> wrote:
> > > 
> > > On the other hand, the error message you're seeing is from the IMA plugin. So I assume you've enabled rpm-plugin-ima?
> > 
> > This a f39 aarch64 upgraded to f40 then f41 with no customisations.
> > (There are no f40 or f41 iso so i have to do this dance).
> > 
> > I have never heard of ima plugin and did not install it deliberately.
> 
> There's several things wrong in here.
> 
> 1) The packaging around ima-evm-utils has changed recently it seems: the 
> library part was split to -libs subpackage which is good, but previously 
> since rpm-sign-libs dependency dragged the main package in, it's 
> installed on a lot of systems. And now the main ima-evm-utils added a 
> dependency on rpm-plugin-ima which has all manner of implications that 
> just having some tools or libraries installed does not, and should not 
> have. That dependency will need to be removed or further split off to 
> something people wont get installed by default.
> 
> the library part was split to a -libs subpackage which is good, bu
> 1) ima-evm-utils recently added a dependency on rpm-plugin-ima, and this 
> seems wrong because having the plugin installed implies all manner of 
> things that having ima-evm-utils does not. The
> 
> 2) IMA signature don't make any sense on src.rpm files - so Fedora 
> shouldn't be signing them, and rpm shouldn't let them
> 
> 3) Even if the assertions in 2 fail and you somehow end up with an 
> src.rpm with IMA signatures on it, rpm should not barf up on it like this.
> 
> There's a bug for 2-3 at 
> https://bugzilla.redhat.com/show_bug.cgi?id=2316785, I'll need to file 
> another to sort the ima-evm-utils packaging.

+ Mimi

I think the problem is that the IMA rpm plugin is trying to set the
security.ima xattr for the file being installed, but it can't because
this operation requires root privileges (CAP_SYS_ADMIN), and the SRPM
is installed as regular user.

Of course, it does not make too much sense to apply signatures on
source files.

Roberto

-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux