Installing a package breaks unrelated package - how to debug RPM scripts?

Ask Fedora
,
1

On Fedora 44: My named a.k.a bind program (a DNS resolver) could not load some zones. It was caused by incorrect group owner of /usr/share/named (was root, should be named). I corrected it, but later it happened again. I started to investigate who is changing the ownership of that dir.

Its ctime exactly corresponds to the time a DNF upgrade was running. I can now reproduce it:

  1. verify that the GID of /usr/share/named is the named group
  2. run dnf reinstall man-db
  3. now the GID of /usr/share/named is the root group!

Further I was able to verify that the triggered RPM scripts are to blame. I guess either glibc-common or systemd are doing it. It is very unlikely, that man-db has something to do with that directory.

callback start %triggerin scriptlet "glibc-common-0:2.43-5.fc44.x86_64"
callback stop %triggerin scriptlet "glibc-common-0:2.43-5.fc44.x86_64" return code 0
callback start %triggerin scriptlet "systemd-0:259.5-1.fc44.x86_64"
callback stop %triggerin scriptlet "systemd-0:259.5-1.fc44.x86_64" return code 0
callback start %triggerin scriptlet "systemd-0:259.5-1.fc44.x86_64"
callback stop %triggerin scriptlet "systemd-0:259.5-1.fc44.x86_64" return code 0
....

And this is where I stopped. I don’t know how to check those scriplets and I don’t have much free time for this issue.

Normaly I would file a bug, but don’t know against which component.

I would appreciate if someone could continue tracking the bug down. Or at least answer the question from the title - how to debug those “scriplets”?

2

you can use rpm -q --scripts packagename to dump the scripts on screen

the same for triggers, rpm -q --triggers packagename

3

I see root:root ownership but my chroot-named.service runs without error.
The ownership being root:root does not stop named as it does not need to write to that folder.

Which named service are you using and where are your zone files stored?

4

I’m also using named-chroot. Zones not loaded are the built-in zones. You might not notice the problem at all without checking the logs. Here is a log snippet where it all started:

15.05.2026 00:54:01.197 named: zone 1.0.0.127.in-addr.arpa/IN/internal: loading from master file /usr/share/named/named.loopback failed: permission denied
15.05.2026 00:54:01.213 named: zone 1.0.0.127.in-addr.arpa/IN/internal: not loaded due to errors.
15.05.2026 00:54:01.214 named: zone 0.in-addr.arpa/IN/internal: loading from master file /usr/share/named/named.empty failed: permission denied
15.05.2026 00:54:01.214 named: zone 0.in-addr.arpa/IN/internal: not loaded due to errors.
15.05.2026 00:54:01.214 named: zone localhost.localdomain/IN/internal: loading from master file /usr/share/named/named.localhost failed: permission denied
15.05.2026 00:54:01.214 named: zone localhost.localdomain/IN/internal: not loaded due to errors.
15.05.2026 00:54:01.214 named: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/internal: loading from master file /usr/share/named/named.loopback failed: permission denied
15.05.2026 00:54:01.214 named: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/internal: not loaded due to errors.
15.05.2026 00:54:01.219 named: zone localhost/IN/internal: loading from master file /usr/share/named/named.localhost failed: permission denied
15.05.2026 00:54:01.219 named: zone localhost/IN/internal: not loaded due to errors.

The directory has mode 0750 (rwxr-x—), intended owner root:named, so named should be able to read files from there, but not write. You can also check with the rpm -qV bind command.

5

Here is what my log looks like.

2026-05-22T12:23:52+01:00 named[1135]: automatic empty zone: HOME.ARPA
2026-05-22T12:23:52+01:00 named[1135]: automatic empty zone: RESOLVER.ARPA
2026-05-22T12:23:52+01:00 named[1135]: command channel listening on 127.0.0.1#953
2026-05-22T12:23:52+01:00 named[1135]: command channel listening on ::1#953
2026-05-22T12:23:52+01:00 named[1135]: managed-keys-zone: loaded serial 1086
2026-05-22T12:23:52+01:00 named[1135]: zone 0.in-addr.arpa/IN: loaded serial 0
2026-05-22T12:23:52+01:00 named[1135]: zone 1.17.172.IN-ADDR.ARPA/IN: loaded serial 13601
2026-05-22T12:23:52+01:00 named[1135]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
2026-05-22T12:23:52+01:00 named[1135]: zone internal/IN: loaded serial 20957
2026-05-22T12:23:52+01:00 named[1135]: zone localhost/IN: loaded serial 0
2026-05-22T12:23:52+01:00 named[1135]: zone 2.17.172.IN-ADDR.ARPA/IN: loaded serial 12001
2026-05-22T12:23:52+01:00 named[1135]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
2026-05-22T12:23:52+01:00 named[1135]: zone home/IN: loaded serial 12001
2026-05-22T12:23:52+01:00 named[1135]: zone localhost.localdomain/IN: loaded serial 0
2026-05-22T12:23:52+01:00 systemd[1]: Started named-chroot.service - Berkeley Internet Name Domain (DNS).
6

My named.conf does not reference thoses files in /usr/shared/named.

7

Yesterday I managed to find the command doing it, it’s systemd-tmpfiles --create. It changes the group of my /usr/share/named. The funny thing is, that --dry-run does not show it, nor could I find something related in the configuration. To be continued…

8

You can find the .conf file responsible for this by this command

grep -Fr /usr/share/named /etc/tmpfiles.d/ /run/tmpfiles.d/ /usr/local/lib/tmpfiles.d/ /usr/lib/tmpfiles.d/ ~/.config/user-tmpfiles.d/ $XDG_RUNTIME_DIR/user-tmpfiles.d/ ~/.local/share/user-tmpfiles.d/ /usr/local/share/user-tmpfiles.d/ /usr/share/user-tmpfiles.d/
9

Side note: I’m a new user here. With new informations arriving during the discussion, the topic drifted from RPM scriplets to named/bind file permissions. Should I change the title? Should I start a new thread? Thanks.

10

I think you have found a bug that the permission and ownership is not set correctly. Please report that to Fedora against the bind package. See Making sure you're not a bot!

The named config is likely down to your requirements and my requirements being different. We could named config in a new topic and see what we discover.

11

This bind-chroot.tmpfiles.d file in the bind package specifies a bunch of ownership changes for systemd-tmpfiles to perform.

The targets are all under /var/named, but is it possible that those paths on your install symlink back to /usr/share, like for the reporter of this bug?

12

Re what @pg-tips found this is what I see in my /var/named

:  14:52:46   folon  /var/named
: [1] root $ ls -l /var/named
total 380
drwxr-x---. 8 root  named     73 Apr  7 01:00 chroot/
drwxrwx---. 2 named named   4096 May 24 13:15 data/
drwxrwx---. 2 named named     60 May 24 12:24 dynamic/
lrwxrwxrwx. 1 root  named     18 Apr  7 01:00 named.ca -> ../../etc/named.ca
lrwxrwxrwx. 1 root  named     33 Apr  7 01:00 named.empty -> ../../usr/share/named/named.empty
lrwxrwxrwx. 1 root  named     37 Apr  7 01:00 named.localhost -> ../../usr/share/named/named.localhost
lrwxrwxrwx. 1 root  named     36 Apr  7 01:00 named.loopback -> ../../usr/share/named/named.loopback
-rw-r--r--. 1 named named 384443 Dec 13  2024 named.run
drwxrwx---. 2 named named      6 Apr  7 01:00 slaves/

:  14:52:55   folon  /var/named
: [1] root $ sudo -u named cat /var/named/named.localhost
$TTL 1D
@	IN SOA	@ rname.invalid. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	@
	A	127.0.0.1
	AAAA	::1

This is on a system that I did a new install as F43 - not running f44 yet.
Edit: Just upgrade to f44 and it’s the same.

13

Can you post sudo ls -lR /var/named/chroot/usr/share

Thanks

14

Notice that when named runs with chroot /var/named/chroot, the file names as reported by named are without the /var/named/chroot/ prefix. So when named looks at the file /usr/share/named it is really looking at /var/named/chroot/usr/share/named and not /usr/share/named.

15

Oh yeah right…

$ rpm -qf /var/named/chroot/usr/share/named/named.empty
bind-9.18.48-1.fc44.x86_64

And the permissions and ownership are as the OP expected on my system.

16

I could not dedicate my time to this issue today. I did not even read all posts thoroughly yet. It looks like your findings are similar to mine, but one thing I’d like to add is that /var/named/chroot/usr/share/named is identical to usr/share/named via mount --bind. So changing the ownership of former by systemd-tmpfiles effectively changes the latter.

17

As a temporary workaround

sudo tee /etc/tmpfiles.d/bind-chroot-override.conf << EOF > /dev/null 
Z /var/named/chroot/usr/share/named 0750 root named -
EOF
18

That is the important point. The bind mounts are all set up using the setup-named-chroot.sh script called from named-chroot-setup.service.

I don’t know why /usr/lib/tmpfiles.d/bind-chroot.conf was created, but it seems to me to be entirely unnecessary as all the directories it would create are all provided by the bind-chroot package and need not be re-created at boot time.

I would suggest to mask this file like so

ln -s /dev/null /etc/tmpfiles.d/bind-chroot.conf

and also file a bug report.

19

By the way, the rpm script responsible for relabeling the file is a file trigger in the systemd package. This means, that whenever a file is installed or modified in the directory /usr/lib/tmpfiles.d/ the command systemd-tmpfiles --create is run.

To see the script, run the command

 rpm -q --filetriggers systemd
20

I’d like to thank to everybody who helped.