[Rpm-maint] [PATCH v2 0/4] Fixes for file signatures

Panu Matilainen pmatilai at laiskiainen.org
Fri Sep 23 19:50:45 UTC 2016

On 09/23/2016 10:30 PM, Panu Matilainen wrote:
> On 09/23/2016 07:43 PM, Stefan Berger wrote:
>> Panu Matilainen <pmatilai at laiskiainen.org> wrote on 09/23/2016 07:50:15 AM:
>>>>> So... to achieve all this and actually behave correctly in the face of
>>>>> skipped files - whether due to color, netshared path or other file
>>>>> policies - the IMA plugin should really just do what the selinux plugin
>>>>> does and use fsm_file_prepare hook for its task, which after all is
>>>>> highly similar anyway.
>>>> Has the file been written when fsm_file_prepare is called? Otherwise it
>>>> seems better to do it in fsm_file_post.
>>> Yes, the entire file has been created but not yet moved to its final
>>> destination. That's why it gets two path parameters: "path" for the
>>> actual current filename which has a temporary suffix, and "dest" which
>>> is the actual destination filename. So this is really the best place to
>>> do any metadata work because then the file is actually ready when it gets
>>> renamed to its final destination (ie without the suffix).
>> For some mysterious reason dnf now exits in an update when I run in the
>> fsm_file_prepare hook. After that, when telling dnf to install a package,
>> it enumerates all kinds of locks that it unlocks. Do you know what may be
>> the cause for this?
> A bug in the code, causing a crash? Like I said, what I posted is
> entirely untested, it was just to point you in the general direction.
> My first guess would be NULL fi tripping up one of the rpmfiFoo() calls,
> reading through http://rpm.org/wiki/DevelDocs/Plugins reminded me that
> fi can be NULL (on unowned directories).
> So change the start to eg:
>         /* Ignore skipped files and unowned directories */
>         if (XFA_SKIPPING(action) || fi == NULL)
>             goto exit;

Oh and BTW, for your own sanity, when debugging something rpm-related 
try to eliminate dnf/yum out of the picture if at all possible. Try 
installations and upgrades etc with plain rpm first, and once that works 
chances are it works with dnf too.

Most likely dnf ends up doing what looks like an exit on what is 
actually a segfault because the transaction callback in python + yum/dnf 
has multiple layers of crash trapping and whatnot.

	- Panu -
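
The guard suggested above, as an added sketch that is not part of the original mail or of rpm's code: stand-in types model the hook arguments (every name below is an assumption), and the hook is run over a constructed transaction with an unowned directory, a skipped file and a signed file.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in types (assumptions for this sketch); rpm's real rpmfi,
 * rpmFileAction and XFA_SKIPPING() come from its own headers. */
typedef enum { ACT_CREATE, ACT_SKIP, ACT_SKIPNETSHARED, ACT_SKIPCOLOR } action_t;
#define SKIPPING(a) ((a) == ACT_SKIP || (a) == ACT_SKIPNETSHARED || (a) == ACT_SKIPCOLOR)
struct finfo { const char *sig; };   /* a NULL finfo* models an unowned directory */

static char labelled[8][64];         /* paths the hook wrote metadata to */
static int nlabelled;

/* Accessor that dereferences fi, as rpmfi accessors do: NULL would crash. */
static const char *finfo_sig(const struct finfo *fi) { return fi->sig; }

/* Hypothetical prepare-style hook: "path" is the temporary name the file
 * has right now, "dest" the final name it is renamed to afterwards. */
static int prepare_hook(const struct finfo *fi, action_t action,
                        const char *path, const char *dest)
{
    (void)dest;                      /* metadata goes on the temp file */
    /* Ignore skipped files and unowned directories */
    if (SKIPPING(action) || fi == NULL)
        return 0;
    if (finfo_sig(fi) == NULL || nlabelled >= 8)   /* nothing to apply */
        return 0;
    snprintf(labelled[nlabelled++], sizeof labelled[0], "%s", path);
    return 0;
}

/* Constructed transaction; paths, suffix and signature are sample values. */
static int run_sample(void)
{
    static const struct finfo signed_file = { "0302abcd" };
    nlabelled = 0;
    prepare_hook(NULL, ACT_CREATE, "/opt/app", "/opt/app");
    prepare_hook(&signed_file, ACT_SKIPCOLOR, "/usr/lib/x.so;57e5", "/usr/lib/x.so");
    prepare_hook(&signed_file, ACT_CREATE, "/usr/bin/x;57e5", "/usr/bin/x");
    return nlabelled;
}

int main(void)
{
    int n = run_sample();
    printf("labelled %d file(s): %s\n", n, labelled[0]);
    return 0;
}
```

Moving the `fi == NULL` test below the accessor call reproduces the kind of crash guessed at in the reply.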
