File 0001-rhel-Use-correct-user-in-the-logrotate-configuration.patch of Package openvswitch.10111

From a54d09f62a797c860deeef86725c0e7aa387c788 Mon Sep 17 00:00:00 2001
From: Markos Chandras <mchandras@suse.de>
Date: Wed, 8 Aug 2018 17:27:25 +0300
Subject: [PATCH] rhel: Use correct user in the logrotate configuration file

The /var/log/openvswitch directory is owned by the openvswitch user, but
logrotate could be running as root or as another user. As a result,
rpmlint prints the following warning when building the spec file
on SUSE Linux Enterprise:

openvswitch.x86_64: W: suse-logrotate-user-writable-log-dir /var/log/openvswitch openvswitch:openvswitch 0750
The log directory is writable by unprivileged users. Please fix the
permissions so only root can write there or add the 'su' option
to your logrotate config

In order to fix that, we should run the logrotate script as the same
user which runs the various Open vSwitch daemons. If this is a new
installation, then this user is the 'openvswitch' one, but if we are
upgrading from an older release, then the user is normally 'root'.
As such, we set the initial user to 'root' and we fix this up in the
%post scriptlet.

Cc: Aaron Conole <aconole@redhat.com>
Cc: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Markos Chandras <mchandras@suse.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Timothy Redaelli <tredaelli@redhat.com>
(cherry picked from commit b096fa42ddc2ed69fa86b60a501bd3c34e767b7f)
Signed-off-by: Markos Chandras <mchandras@suse.de>
---
 rhel/etc_logrotate.d_openvswitch                 | 1 +
 rhel/openvswitch-fedora.spec.in                  | 5 +++--
 rhel/usr_lib_systemd_system_ovsdb-server.service | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/rhel/etc_logrotate.d_openvswitch b/rhel/etc_logrotate.d_openvswitch
index ed7d733c9..f4302ffbc 100644
--- a/rhel/etc_logrotate.d_openvswitch
+++ b/rhel/etc_logrotate.d_openvswitch
@@ -6,6 +6,7 @@
 # without warranty of any kind.
 
 /var/log/openvswitch/*.log {
+    su root root
     daily
     compress
     sharedscripts
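Review bot: The shipped `su root root` default is only rewritten by the %post scriptlet on a fresh install, while the ovsdb-server unit in this same patch chowns /var/log/openvswitch to `${OVS_USER_ID}` on every start. On an upgraded system where an administrator later enables OVS_USER_ID, logrotate would still rotate as root inside a directory writable by the daemon user, which is the condition the rpmlint warning is about (inferred, since the sysconfig file is not visible here). A comment above the directive would make the coupling explicit, for example `# Must match the owner of /var/log/openvswitch; rewritten by the package %post on fresh installs`.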
diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index 8663a5129..b09956a56 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -388,6 +388,7 @@ if [ $1 -eq 1 ]; then
         useradd -r -d / -s /sbin/nologin -c "Open vSwitch Daemons" openvswitch
 
     sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch
+    sed -i 's:\(.*su\).*:\1 openvswitch openvswitch:' %{_sysconfdir}/logrotate.d/openvswitch
 
 %if %{with dpdk}
     getent group hugetlbfs >/dev/null || \
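Review bot: The added sed expression `s:\(.*su\).*:...:` is unanchored, so it rewrites every line in the logrotate file that contains the substring "su", not just the `su` directive. Any later comment or option containing those letters would be truncated and turned into a bogus `... su openvswitch openvswitch` line. Anchoring on the directive avoids that: `sed -i 's/^\([[:space:]]*su\)[[:space:]].*/\1 openvswitch openvswitch/' %{_sysconfdir}/logrotate.d/openvswitch`. The enclosing `if [ $1 -eq 1 ]` block starts and ends outside this hunk.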
@@ -400,6 +401,7 @@ if [ $1 -eq 1 ]; then
 
     # In the case of upgrade, this is not needed.
     chown -R openvswitch:openvswitch /etc/openvswitch
+    chown -R openvswitch:openvswitch /var/log/openvswitch
 fi
 
 %if 0%{?systemd_post:1}
@@ -577,8 +579,7 @@ fi
 %{_prefix}/lib/udev/rules.d/91-vfio.rules
 %endif
 %doc COPYING NOTICE README.rst NEWS rhel/README.RHEL.rst
-/var/lib/openvswitch
-%attr(755,-,-) /var/log/openvswitch
+%attr(750,root,root) /var/log/openvswitch
 %ghost %attr(755,root,root) %{_rundir}/openvswitch
 
 %files ovn-docker
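Review bot: This hunk also drops `/var/lib/openvswitch` from the `%files` list, which the commit description never mentions; unless that directory is listed elsewhere in the spec (not visible here), the package stops owning it. Separately, `%attr(750,root,root)` records root ownership while the %post scriptlet and the ovsdb-server unit hand the directory to the daemon user, so `rpm -V` will likely report an owner mismatch on fresh installs. If that is intended, a comment above the line would record it, for example `# Owner is changed at install and service start to match OVS_USER_ID`.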
diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service
index 7acd25f78..123d14b2b 100644
--- a/rhel/usr_lib_systemd_system_ovsdb-server.service
+++ b/rhel/usr_lib_systemd_system_ovsdb-server.service
@@ -10,7 +10,7 @@ Type=forking
 Restart=on-failure
 EnvironmentFile=/etc/openvswitch/default.conf
 EnvironmentFile=-/etc/sysconfig/openvswitch
-ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch
+ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovs-vswitchd --no-monitor --system-id=random \
           --ovs-user=${OVS_USER_ID} \
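Review bot: The added `/var/log/openvswitch` argument changes only the directory's owner, not the log files already inside it. After OVS_USER_ID is changed on an existing system, the daemons may be unable to append to logs still owned by the previous user (inferred; the %post `chown -R` covers only fresh installs). A recursive chown at every start would run as root over a directory the daemon user can write, so documenting the manual step is the safer option: `# Existing files in /var/log/openvswitch keep their owner; chown them when changing OVS_USER_ID`. The ExecStart command continues outside the hunk.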
-- 
2.16.4
