ctc-oss / fapolicy-analyzer

Tools to assist with the configuration and management of fapolicyd.
https://ctc-oss.github.io/fapolicy-analyzer
GNU General Public License v3.0

System upgrade from FC36 to FC38 results in only ~1/3 trusted files #866

Closed tparchambault closed 1 year ago

tparchambault commented 1 year ago

Observed an interesting phenomenon wrt fapolicy-analyzer displaying only ~1/3 of the ~39K files in the System Trust database as Trusted after upgrading an FC36 system to an FC38 via the official standard runtime upgrade path, i.e. the user gets prompted about an FC38 upgrade being available and clicking through the acceptance/downloading/reboot sequence.

My guess is that this is not an fapolicy-analyzer issue, but I believe we do recalculate file hashes and that calculation may not align with that of the rpmdb or whatever fapolicyd is/was using. I think it's a non-issue, but in the event someone else reports a similar symptom, we will have at least observed it previously.


jw3 commented 1 year ago

@tparchambault It doesn't look like fapolicyd is running in your screenshot, so likely after you upgraded the fapolicyd database was not updated with the new rpmdb contents. Our hashes from disk are accurate, but no longer match with fapolicyd trust, so they show red.

This is not our responsibility, but @egbicker has a PR #675 that allows us to force a refresh on fapolicyd. This behavior is an example of what that PR would resolve.

jw3 commented 1 year ago

To resolve you can either start fapolicyd, or use fapolicyd-cli to signal a trust refresh.

tparchambault commented 1 year ago

Good to know. Let me fire up fapolicyd... After starting fapolicyd and restarting fapolicyd-analyzer, only about two handfuls of discrepancies in the System Trust view. All good. Thx @jw3 !
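
The mismatch jw3 describes (on-disk hashes that are correct but no longer agree with stale trust records) can be reproduced with a small audit. This is an added example, not code from fapolicy-analyzer or from anyone in this thread. It assumes trust records in the `path size sha256` text form used by fapolicyd's file trust source, and all function names are hypothetical.

```python
# Added example; helper names are hypothetical and the sample records are constructed.
import hashlib
import os
import tempfile

def parse_trust_line(line):
    """Split 'path size sha256' from the right so paths with spaces survive."""
    path, size, digest = line.rstrip("\n").rsplit(" ", 2)
    return path, int(size), digest.lower()

def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_entry(path, size, digest):
    """Return 'trusted', 'discrepancy' or 'missing' for one trust record."""
    try:
        if os.path.getsize(path) != size:
            return "discrepancy"  # cheap check first, skips hashing
        return "trusted" if sha256_of(path) == digest else "discrepancy"
    except FileNotFoundError:
        return "missing"

def audit(trust_lines):
    results = {}
    for line in trust_lines:
        if not line.strip() or line.startswith("#"):
            continue
        path, size, digest = parse_trust_line(line)
        results[path] = check_entry(path, size, digest)
    return results

def demo():
    """Constructed scenario: trust is recorded, then files change underneath it."""
    d = tempfile.mkdtemp()
    files = {"kept": b"same bytes", "upgraded": b"old build", "removed": b"gone"}
    lines = []
    for name, data in files.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        lines.append(f"{p} {len(data)} {hashlib.sha256(data).hexdigest()}")
    with open(os.path.join(d, "upgraded"), "wb") as f:
        f.write(b"new build")  # same size, different content
    os.remove(os.path.join(d, "removed"))
    return {os.path.basename(k): v for k, v in audit(lines).items()}
```

A large share of `discrepancy` results right after a package upgrade points at trust records that predate the upgrade rather than at tampered files, which is the situation reported in this issue.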