On Thu, Jul 13, 2017 at 09:25:00PM +0200, Michael Hirmke wrote:
Hi *,
I have a few questions regarding the files /etc/permissions* and chkstat on a Tumbleweed system:
According to the man pages and docs, chkstat is called whenever a configuration change was made. And chkstat should look into /etc/sysconfig/security to find the permissions.<type> file(s) to use.
I have configured
PERMISSION_SECURITY="easy local"
PERMISSION_FSCAPS="yes"
in my /etc/sysconfig/security file so chkstat should use
/etc/permissions.easy and /etc/permissions.local
and it should honour capability settings in these files.
In /etc/permissions.local I have
/usr/bin/gnome-keyring-daemon root:root 0755
 +capabilities cap_ipc_lock=+ep
But every time an update for the gnome-keyring package gets installed, the keyring daemon misses the configured capabilities.
So obviously chkstat isn't called in this case.
What configuration changes are meant by the docs then? Shouldn't zypper also call chkstat after installation of all new packages? Or do I misunderstand the intention of the permissions package including chkstat?
There need to be special %post and %verify scripts in the packages that need hooks in the permissions framework to refresh the permissions if /usr/bin/gnome-keyring-daemon should behave like this.
chkstat is not explicitly run except from %post and %verify scripts these days.
gnome-keyring-daemon is not set up for it at this time, so either it gets added there or you have to run chkstat --system after every update of gnome-keyring-daemon.
Ciao, Marcus
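Added example (not part of the original thread and not openSUSE's own tooling): a shell check that reads a permissions file in the layout quoted above and reports entries whose file capabilities are missing on disk, which is the state described after a gnome-keyring update. The function names are hypothetical; it assumes `setcap -v` from libcap and handles only plain path entries followed by a `+capabilities` line.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of the permissions package.
# Assumed entry layout (as in the /etc/permissions.local entry quoted above):
#   /path/to/file owner:group mode
#    +capabilities <capability text>

# expected_caps FILE: print "path caps" for each entry with a +capabilities line.
expected_caps() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        $1 == "+capabilities" {                  # belongs to the preceding path
            if (path != "") print path, $2
            next
        }
        { path = $1 }                            # "path owner:group mode" line
    ' "$1"
}

# caps_drift FILE: print entries whose on-disk capabilities do not match FILE.
# Returns 0 when everything matches, 1 when at least one entry has drifted.
# A missing file or a missing setcap binary is also reported as drift.
caps_drift() {
    drift=$(expected_caps "$1" | while read -r path want; do
        # setcap -v only verifies; it does not change the file.
        setcap -v "$want" "$path" >/dev/null 2>&1 || printf '%s %s\n' "$path" "$want"
    done)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Run as: sh capcheck.sh /etc/permissions.local
if [ "$#" -gt 0 ]; then
    caps_drift "$1" || echo "capabilities missing; run: chkstat --system" >&2
fi
```

Run after a package update, a non-empty result means the entry needs chkstat --system to be applied again.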