Config files modified or incorrect mode in RPM verify after installation #3723
Description
What happened?
On a RHEL 9.6 system, after running sudo dnf install crowdsec crowdsec-firewall-bouncer-nftables, rpm -Va shows:
S.5....T. c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
.M....... g /etc/crowdsec/acquis.yaml
.M....... g /etc/crowdsec/hub/.index.json
.M....... g /etc/crowdsec/local_api_credentials.yaml
.M....... g /etc/crowdsec/online_api_credentials.yaml
.M....... g /var/log/crowdsec.log
crowdsec-firewall-bouncer.yaml shows up here because it is modified by the postinstall script. Also, during upgrade, an .rpmnew file is always created and during removal, an .rpmsave file. Neither is desirable. RPM scripts could write .yaml.local files during autoconfiguration instead to avoid this, although substituting ${BACKEND} is not really a local change, but something that should be done during creation of the crowdsec-firewall-bouncer-* packages.
I could not figure out what mode RPM expects for the other files.
What did you expect to happen?
rpm -Va should show no modifications right after installation.
How can we reproduce it (as minimally and precisely as possible)?
sudo dnf install crowdsec crowdsec-firewall-bouncer-nftables`
rpm -Va
Anything else we need to know?
No response
Crowdsec version
$ cscli version
version: v1.6.9-rpm-pragmatic-amd64-40b8cfe6
Codename: alphaga
BuildDate: 2025-06-17_14:01:15
GoVersion: 1.24.3
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.9-rpm-pragmatic-amd64-40b8cfe6-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog
OS version
# On Linux:
$ cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.6 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.6"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.6 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
VENDOR_NAME="RESF"
VENDOR_URL="https://resf.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.6"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.6"
$ uname -a
Linux hostname 5.14.0-570.23.1.el9_6.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jun 26 19:29:53 UTC 2025 x86_64 x86_64 x86_64 GNU/LinuxEnabled collections and parsers
No response
Acquisition config
Config show
Prometheus metrics
No response