Overview
Request 1142755 accepted
- Correct permission files path to /usr/share/permissions/permissions.d/ (boo#1219339)
- Fix file provides of openssl and timeout
- Avoid error messages of chkstat as this tool does not
accept slashes at the end of directory paths!
- Move sendmail's permissions files to /usr/share/permissions/
- Work on certificates usage of smart and relay host
- Work on certificates for running sendmail
- Created by WernerFink
- In state accepted
- Supersedes 1142725
= 1600 must be sufficient at this time. This would be ALP which is based on current TW code.
Differentiating ALP from TW at this time makes little sense.
I think here lies the error.
/usr/share/permissions/permission states:
    # There is a set of files with similar meaning in a SUSE installation:
    # /usr/share/permissions/permissions (This file)
    # /usr/share/permissions/permissions.easy
    # /usr/share/permissions/permissions.secure
    # /usr/share/permissions/permissions.paranoid
    # /etc/permissions.local
    # Please see the respective files for their meaning.
    #
    #
    # Format:
    # <file> <owner>:<group> <permission>
    #
    # How it works:
    # To change an entry copy the line to permissions.local, modify it
    # to suit your needs and call "chkstat --system"
    #
    # chkstat uses the variable PERMISSION_SECURITY from
    # /etc/sysconfig/security to determine which security level to
    # apply.
    # In addition to the central files listed above the directory
    # /usr/share/permissions/permissions.d/ can contain permission files
    # that belong to the packages they modify file modes for. These
    # permission files are to switch between conflicting file modes of
    # the same file paths in different packages (popular example:
    # sendmail and postfix, path /usr/sbin/sendmail).
If I understand this correctly, sendmail is supposed to install its drop-in file to /usr/share/permissions/permissions.d/
This in turn would then bring the much more correct rpmlint errors:
    [ 92s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10) /usr/share/permissions/permissions.d/sendmail (sha256 file digest default filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 shell filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 xml filter:<failed-to-calculate>)
    [ 92s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10) /usr/share/permissions/permissions.d/sendmail.paranoid (sha256 file digest default filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c shell filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c xml filter:<failed-to-calculate>)
    [ 92s] Packaging permissions.d drop-in snippets requires a review and whitelisting by
    [ 92s] the SUSE security team. If the package is intended for inclusion in any SUSE
    [ 92s] product please open a bug report to request review of the package by the
    [ 92s] security team. Please refer to
    [ 92s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
    [ 92s] more information.
i.e. the permission files have not been approved in the new location.
    [ 112s] sendmail.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/sbin/sendmail is packaged with setuid/setgid bits (02555)
    [ 112s] Packaging setuid/setgid binaries requires a review and whitelisting by the
    [ 112s] SUSE security team. If the package is intended for inclusion in any SUSE
    [ 112s] product please open a bug report to request review of the package by the
    [ 112s] security team. Please refer to
    [ 112s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
    [ 112s] more information.
Ah .... this package has used this setgid mail for more than 25 years now ... why has the whitelisted binary now disappeared?
The sendmail binary needs setgid mail for offline enqueue
Besides this
    [ 128s] sendmail.spec:63: E: invalid-suse-version-check 1699
    [ 128s] sendmail.spec:98: E: invalid-suse-version-check 1699
    [ 128s] The specfile contains a comparison of %suse_version against a suse release
    [ 128s] that does not exist. Please double check.
    [ 128s]
but
    werner/sendmail> osc meta prjconf openSUSE:Factory | grep suse_version
    %define suse_version 1699
    %suse_version 1699
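A small linter for the `<file> <owner>:<group> <permission>` format quoted in the comments above, added here as an example in Python; it is not code from the sendmail package, chkstat or rpmlint. It flags the two things this request ran into: directory paths ending in a slash and setuid/setgid modes that need a security review. The function name `check_permissions` and the sample entries are constructed for illustration, and only the three-field line format is handled.

```python
import stat

# Constructed sample drop-in, NOT the contents of the real sendmail package.
SAMPLE = """\
# constructed example entries
/usr/sbin/sendmail        root:mail  2555
/var/spool/clientmqueue/  mail:mail  0770
/etc/mail/sendmail.cf     root:root  0644
/etc/mail/broken root 0644
"""

def check_permissions(text):
    """Parse a permissions drop-in; return (entries, findings)."""
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("+"):
            continue                      # assumption: keyword lines are out of scope
        fields = line.split()
        if len(fields) != 3 or fields[1].count(":") != 1:
            findings.append((lineno, "malformed", raw))
            continue
        path, ownership, mode_str = fields
        owner, group = ownership.split(":")
        if not owner or not group:
            findings.append((lineno, "malformed", raw))
            continue
        try:
            mode = int(mode_str, 8)       # modes are octal
        except ValueError:
            mode = -1
        if not 0 <= mode <= 0o7777:
            findings.append((lineno, "bad-mode", mode_str))
            continue
        # The changelog notes chkstat does not accept a trailing slash.
        if len(path) > 1 and path.endswith("/"):
            findings.append((lineno, "trailing-slash", path))
        # rpmlint treats setuid/setgid bits as requiring a security review.
        if mode & stat.S_ISUID:
            findings.append((lineno, "setuid", path))
        if mode & stat.S_ISGID:
            findings.append((lineno, "setgid", path))
        entries.append((path, owner, group, mode))
    return entries, findings

if __name__ == "__main__":
    for finding in check_permissions(SAMPLE)[1]:
        print(finding)
```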
Request History
WernerFink created request
anag+factory set openSUSE:Factory:Staging:F as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:F"
anag+factory accepted review
Picked "openSUSE:Factory:Staging:F"
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
darix accepted review
Accepted review for by_group opensuse-review-team request 1142755 from user factory-auto
anag+factory added factory-staging as a reviewer
Being evaluated by group "factory-staging"
anag+factory accepted review
Unstaged from project "openSUSE:Factory:Staging:F"
anag+factory set openSUSE:Factory:Staging:I as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:I"
anag+factory accepted review
Picked "openSUSE:Factory:Staging:I"
anag+factory added factory-staging as a reviewer
Being evaluated by group "factory-staging"
anag+factory accepted review
Unstaged from project "openSUSE:Factory:Staging:I"
anag+factory accepted review
Picked "openSUSE:Factory:Staging:I"
anag+factory set openSUSE:Factory:Staging:I as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:I"
anag+factory accepted review
Staging Project openSUSE:Factory:Staging:I got accepted.
anag+factory approved review
Staging Project openSUSE:Factory:Staging:I got accepted.
anag+factory accepted request
Staging Project openSUSE:Factory:Staging:I got accepted.
As mentioned in https://bugzilla.opensuse.org/show_bug.cgi?id=1219339