RHEL-94786

/usr/lib/rpm/redhat/redhat-annobin-cc1 is not trusted


    • Bug
    • Resolution: Unresolved
    • Normal
    • None
    • rhel-9.6, rhel-10.0
    • fapolicyd
    • No
    • Low
    • 1
    • rhel-security-selinux
    • ssg_security
    • 5
    • False
    • False
    • None
    • Red Hat Enterprise Linux
    • SELINUX 251119: 15
    • None
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      This is somewhat similar to RHEL-94661.
      When installing or updating the annobin package, the file /usr/lib/rpm/redhat/redhat-annobin-cc1 shipped by the dependent package redhat-rpm-config becomes untrusted:

      # fapolicyd-cli --check-trustdb 
      [...]
      /usr/lib/rpm/redhat/redhat-annobin-cc1 miscompares: size sha256
      [...]
      

      This occurs because the file is initially shipped by the redhat-rpm-config package as a plain file, but there is a triggerin scriptlet in redhat-rpm-config executing /usr/lib/rpm/redhat/redhat-annobin-plugin-select.sh, which changes the plain file into a symlink:

      # ls -l /usr/lib/rpm/redhat/redhat-annobin-cc1
      lrwxrwxrwx. 1 root root 38 Jun  2 13:16 /usr/lib/rpm/redhat/redhat-annobin-cc1 -> redhat-annobin-select-gcc-built-plugin
      

              rhn-engineering-plautrba Petr Lautrbach
              rhn-support-rmetrich Renaud Métrich
              SSG Security QE SSG Security QE
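The miscompare described in the report can be reproduced in a scratch directory with the script below. It is an added example, not fapolicyd's or the reporter's code: `check_record`, `demo`, the "path size sha256" record format, the file contents and the assumption that the comparison follows symlinks are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Simplified model of a trust-database comparison (NOT fapolicyd's code).
# A record is "path size sha256", captured when the package shipped the file.

# check_record PATH SIZE SHA256
# Prints "ok", "missing", or "miscompares: ..." listing the fields that differ.
# "symlink" is an extra diagnostic added here: the path is now a symbolic link.
check_record() {
    local path=$1 want_size=$2 want_sha=$3 diff=""
    local got_size got_sha
    # Assumption: the check follows symlinks, as opening the path to hash it would.
    got_size=$(stat -L -c %s -- "$path" 2>/dev/null) || { echo "missing"; return 0; }
    got_sha=$(sha256sum -- "$path" | cut -d' ' -f1)
    if [ "$got_size" != "$want_size" ]; then diff="$diff size"; fi
    if [ "$got_sha" != "$want_sha" ]; then diff="$diff sha256"; fi
    if [ -L "$path" ]; then diff="$diff symlink"; fi
    if [ -z "$diff" ]; then echo "ok"; else echo "miscompares:$diff"; fi
}

# demo: replay the sequence from the report with constructed file contents.
demo() {
    local d f size sha
    d=$(mktemp -d)
    f=$d/redhat-annobin-cc1
    printf 'placeholder shipped as a plain file\n' > "$f"
    printf 'constructed contents of the selected plugin file, longer\n' \
        > "$d/redhat-annobin-select-gcc-built-plugin"
    # Record size and hash while the path is still the shipped plain file.
    size=$(stat -c %s -- "$f")
    sha=$(sha256sum -- "$f" | cut -d' ' -f1)
    echo "as shipped:      $(check_record "$f" "$size" "$sha")"
    # Effect of the scriptlet as described: the plain file becomes a symlink.
    ln -sf redhat-annobin-select-gcc-built-plugin "$f"
    echo "after scriptlet: $(check_record "$f" "$size" "$sha")"
    rm -rf -- "$d"
}

demo
```

Because the recorded size and hash belong to the plain file while the check reads the link target, both fields differ at once, which matches the `miscompares: size sha256` line in the report.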