[Bug 1201385] AUDIT-0: postfix: review of permissions-file-setuid-bit: /usr/sbin/postlog (02755)
http://bugzilla.opensuse.org/show_bug.cgi?id=1201385
http://bugzilla.opensuse.org/show_bug.cgi?id=1201385#c17

Dominique Leuenberger <dimstar@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(dimstar@opensuse. |
                   |org)                        |

--- Comment #17 from Dominique Leuenberger <dimstar@opensuse.org> ---
@Christian,

The build of postfix currently fails with:

[ 132s] --------------------------------------------------------------------
[ 132s] ERROR: chkstat --level secure modified package postfix
[ 132s] Please add '%verify(not mode,...) for those to avoid listings in rpm -V.
[ 132s] diff for both runs of rpm -V:
[ 132s] --- //.build_rpmVp_orig 2022-08-01 13:44:14.812000000 +0000
[ 132s] +++ //.build_rpmVp_easy 2022-08-01 13:44:14.876000000 +0000
[ 132s] @@ -0,0 +1 @@
[ 132s] +.M....G.. /usr/sbin/postlog
[ 132s] --------------------------------------------------------------------
[ 132s] --------------------------------------------------------------------
[ 132s] ERROR: chkstat --level paranoid modified package postfix
[ 132s] Please add '%verify(not mode,...) for those to avoid listings in rpm -V.
[ 132s] diff for both runs of rpm -V:
[ 132s] --- //.build_rpmVp_orig 2022-08-01 13:44:14.812000000 +0000
[ 132s] +++ //.build_rpmVp_paranoid 2022-08-01 13:44:14.932000000 +0000
[ 132s] @@ -0,0 +1 @@
[ 132s] +.M....G.. /usr/sbin/postlog
[ 132s] --------------------------------------------------------------------

And, indeed, /usr/sbin/postlog is not listed in the set_permissions and verify_permissions scripts sections of postfix.spec, also the files section does not correspond to this:

i.e %post contains:
%set_permissions %{_sbindir}/postqueue
%set_permissions %{_sbindir}/postdrop
%set_permissions %{_sysconfdir}/%{name}/sasl_passwd
%set_permissions %{_sbindir}/sendmail
(missing /usr/sbin/postlog)

%verifyscript is:
%verify_permissions -e %{_sbindir}/postqueue
%verify_permissions -e %{_sbindir}/postdrop
%verify_permissions -e %{_sysconfdir}/%{name}/sasl_passwd
%verify_permissions -e %{_sbindir}/sendmail
(again, missing postlog)

and files section is
%attr(0755,root,root) %{_sbindir}/postlog

lacking verify (not mode, group) as the mode is adjusted by the permissions profile to 2755 and group changes to maildrop group

is actually debatable why it should not be packaged as ':maildrop' directly, as all security profiles (easy,secure, paranoid) set that group (rule is to set the rpm metadata to match the paranoid setting, i.e.

32+/usr/sbin/postlog root:maildrop 0755

Hope that helps

--
You are receiving this mail because:
You are on the CC list for the bug.
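
Added example, not part of the original mail or of the postfix package: a small Python check that takes the rpm -V line from the build log and reports which of the three spec entries named in the comment are still missing for that path. The sample spec is constructed (shortened from the lines quoted above), and the value of %{_sbindir} and the function names are assumptions of this sketch.

```python
import re

# rpm -V flag columns in order; "." in a column means "unchanged".
# Names are the keywords %verify(not ...) accepts in a spec file.
COLUMNS = ["size", "mode", "filedigest", "rdev", "link",
           "user", "group", "mtime", "caps"]
# Macro value assumed for this sketch.
MACROS = {"%{_sbindir}": "/usr/sbin"}

# Constructed sample: shortened from the spec lines quoted in the comment.
SPEC = """\
%post
%set_permissions %{_sbindir}/postqueue
%set_permissions %{_sbindir}/postdrop
%verifyscript
%verify_permissions -e %{_sbindir}/postqueue
%verify_permissions -e %{_sbindir}/postdrop
%files
%attr(0755,root,root) %{_sbindir}/postlog
"""
# The line both chkstat runs added to the rpm -V diff in the build log.
RPM_V_DIFF = ["+.M....G.. /usr/sbin/postlog"]

def changed_attrs(flags):
    """Attributes that differ according to a 9-character rpm -V flag string."""
    return {name for char, name in zip(flags, COLUMNS) if char != "."}

def audit(spec, rpm_v_lines):
    """Return {path: [spec entries still missing]} for files chkstat changed."""
    for macro, value in MACROS.items():
        spec = spec.replace(macro, value)
    findings = {}
    for line in rpm_v_lines:
        fields = line.lstrip("+").split()
        flags, path = fields[0], fields[-1]  # tolerates a file-type marker
        p = re.escape(path)
        missing = []
        if not re.search(rf"^%set_permissions\s+{p}$", spec, re.M):
            missing.append("%set_permissions")
        if not re.search(rf"^%verify_permissions\s+-e\s+{p}$", spec, re.M):
            missing.append("%verify_permissions")
        # The %files entry is the line naming the path outside the scriptlets.
        entry = next((l for l in spec.splitlines()
                      if l.endswith(path) and "_permissions" not in l), "")
        m = re.search(r"%verify\(not ([^)]*)\)", entry)
        exempt = set(re.split(r"[,\s]+", m.group(1).strip())) if m else set()
        unexempt = changed_attrs(flags) - exempt
        if unexempt:
            missing.append("%verify(not " + " ".join(sorted(unexempt)) + ")")
        if missing:
            findings[path] = missing
    return findings
```

Calling audit(SPEC, RPM_V_DIFF) on the constructed spec lists all three entries for /usr/sbin/postlog; a spec that carries them returns an empty result.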