
fix: Make subscription-manager RPM protected on RHEL #3697

Open
jirihnidek wants to merge 1 commit into main from jhnidek/add_sub_man_to_protected_packages

@jirihnidek
Contributor

  • Card ID: RHEL-7172
  • DNF has the concept of protected RPM packages. All protected packages should have configuration files in the /etc/dnf/protected.d/ directory.
  • Added simple configuration file containing subscription-manager
  • Modified .spec file to install this file only on RHEL

@sourcery-ai

sourcery-ai bot commented Feb 18, 2026

Reviewer's Guide

Adds a DNF protected package configuration for subscription-manager and ensures it is installed and owned correctly on RHEL builds only.

File-Level Changes

Change: Install a DNF protected package configuration for subscription-manager only on RHEL builds during RPM installation.
Details:
  • Wrap installation of the subscription-manager protected.d config file in an %if 0%{?rhel} conditional so it only applies to RHEL builds
  • Install the new subscription-manager.conf from the builddir into %{buildroot}%{_sysconfdir}/dnf/protected.d/subscription-manager.conf during %install
Files: subscription-manager.spec

Change: Ensure the protected DNF configuration file is packaged with correct ownership and config semantics on RHEL.
Details:
  • Guard the %files entry for the protected.d subscription-manager.conf with %if 0%{?rhel} so it is only included on RHEL RPMs
  • Mark the file as %config(noreplace) with mode 644 and root ownership in the %files section
Files: subscription-manager.spec

Change: Provide the concrete DNF protected package configuration that declares subscription-manager as protected.
Details:
  • Add new config file declaring subscription-manager as a protected DNF package in etc-conf/protected.d/subscription-manager.conf
Files: etc-conf/protected.d/subscription-manager.conf


@sourcery-ai sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • The install step assumes %{_sysconfdir}/dnf/protected.d already exists; consider adding a mkdir -p %{buildroot}%{_sysconfdir}/dnf/protected.d guarded by the same %if to avoid install-time failures on systems where this directory is not present.
  • If this config is only meaningful when dnf is used, consider aligning the %if 0%{?rhel} guards with the existing %if %{use_dnf} logic so that the protected package configuration is not installed on RHEL builds that don’t enable dnf.

* Card ID: RHEL-7172
* DNF has the concept of protected RPM packages. All
  protected packages should have configuration files in
  the /etc/dnf/protected.d/ directory.
* Added simple configuration file containing subscription-manager
* Modified .spec file to install this file only on RHEL

Signed-off-by: Jiri Hnidek <jhnidek@redhat.com>
@jirihnidek jirihnidek force-pushed the jhnidek/add_sub_man_to_protected_packages branch from 1ec1fc1 to 9bab559 Compare February 18, 2026 13:47
@jirihnidek
Contributor Author

How to test it:

$ sudo dnf -y install <path_to_sub_man_rhel_build_from_this_PR>
$ sudo dnf remove subscription-manager

dnf should not allow subscription-manager to be removed from the system.

Note: subscription-manager should be added to the list of protected packages only on RHEL; it should not happen on CentOS Stream or Fedora.

Related documentation: https://access.redhat.com/solutions/6621501

Contributor

@mjcr99 mjcr99 left a comment

LGTM

Test custom build:

[vagrant@lv-rhel101 subscription-manager]$ sudo dnf install /tmp/tito/x86_64/*
Updating Subscription Management repositories.
Last metadata expiration check: 0:00:43 ago on Thu Feb 19 08:43:06 2026.
Dependencies resolved.
===================================================================================
 Package                    Arch   Version                      Repository    Size
===================================================================================
Installing:
 libdnf-plugin-subscription-manager-debuginfo
                            x86_64 1.30.12-1.git.4.9bab559.el10 @commandline  65 k
 python3-subscription-manager-rhsm-debuginfo
                            x86_64 1.30.12-1.git.4.9bab559.el10 @commandline  46 k
 subscription-manager-debuginfo
                            x86_64 1.30.12-1.git.4.9bab559.el10 @commandline  50 k
 subscription-manager-debugsource
                            x86_64 1.30.12-1.git.4.9bab559.el10 @commandline  53 k
 subscription-manager-plugin-ostree
                            x86_64 1.30.12-1.git.4.9bab559.el10 @commandline  48 k
Upgrading:
 libdnf-plugin-subscription-manager
                            x86_64 1.30.12-1.git.4.9bab559.el10 @commandline  43 k
 python3-cloud-what         x86_64 1.30.12-1.git.4.9bab559.el10 @commandline  69 k
 python3-subscription-manager-rhsm
                            x86_64 1.30.12-1.git.4.9bab559.el10 @commandline 177 k
 subscription-manager       x86_64 1.30.12-1.git.4.9bab559.el10 @commandline 844 k

...

Upgraded:
  libdnf-plugin-subscription-manager-1.30.12-1.git.4.9bab559.el10.x86_64           
  python3-cloud-what-1.30.12-1.git.4.9bab559.el10.x86_64                           
  python3-subscription-manager-rhsm-1.30.12-1.git.4.9bab559.el10.x86_64            
  subscription-manager-1.30.12-1.git.4.9bab559.el10.x86_64                         
Installed:
  libdnf-plugin-subscription-manager-debuginfo-1.30.12-1.git.4.9bab559.el10.x86_64 
  python3-subscription-manager-rhsm-debuginfo-1.30.12-1.git.4.9bab559.el10.x86_64  
  subscription-manager-debuginfo-1.30.12-1.git.4.9bab559.el10.x86_64               
  subscription-manager-debugsource-1.30.12-1.git.4.9bab559.el10.x86_64             
  subscription-manager-plugin-ostree-1.30.12-1.git.4.9bab559.el10.x86_64           

Complete!

After it, the package is not allowed to be removed:

[vagrant@lv-rhel101 subscription-manager]$ sudo dnf remove subscription-manager
Updating Subscription Management repositories.
Error: 
 Problem: The operation would result in removing the following protected packages: subscription-manager
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

And the newly added file in the SPEC file is correctly installed:

[vagrant@lv-rhel101 subscription-manager]$ ls /etc/dnf/protected.d/subscription-manager.conf 
/etc/dnf/protected.d/subscription-manager.conf

@jirihnidek
Contributor Author

@jsefler It will also be possible to remove the subscription-manager RPM when the /etc/dnf/protected.d/subscription-manager.conf file is removed (not only by using the rpm command). Thus, the following commands would remove sub-man:

$ sudo rm -f /etc/dnf/protected.d/subscription-manager.conf
$ sudo dnf remove subscription-manager
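
The comment above shows that the protection lasts only as long as the drop-in file does, so a host audit can confirm the entry is still present. This is an added example, not code from the PR or the project; the function names and the constructed sample directory are assumptions, as is the one-package-name-per-line file format.

```shell
#!/bin/sh
# Added example: audit a DNF protected.d drop-in directory for expected entries.
# Assumption: each *.conf file lists one package name per line.
# Only the drop-in directory is checked, not other dnf configuration.

# is_protected DIR PKG: succeed if PKG is a whole line in any DIR/*.conf
is_protected() {
    _dir=$1
    _pkg=$2
    for _f in "$_dir"/*.conf; do
        [ -f "$_f" ] || continue          # glob matched nothing
        # Trim surrounding whitespace, then require an exact line match
        if sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$_f" \
            | grep -Fxq -- "$_pkg"; then
            return 0
        fi
    done
    return 1
}

# audit_protected DIR PKG...: print a status line per package;
# the return code is the number of packages that are not protected.
audit_protected() {
    dir=$1
    shift
    missing=0
    for pkg in "$@"; do
        if is_protected "$dir" "$pkg"; then
            echo "OK      $pkg"
        else
            echo "MISSING $pkg"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# make_sample: build a constructed directory (not a real /etc/dnf/protected.d)
make_sample() {
    d=$(mktemp -d)
    printf 'dnf\n' > "$d/dnf.conf"
    printf 'subscription-manager\n' > "$d/subscription-manager.conf"
    echo "$d"
}

# Demo: intact directory, then the same directory after the drop-in is deleted
demo_dir=$(make_sample)
audit_protected "$demo_dir" dnf subscription-manager || true
rm -f "$demo_dir/subscription-manager.conf"
audit_protected "$demo_dir" dnf subscription-manager || echo "protection drift detected"
rm -rf "$demo_dir"
```

On a real RHEL host the call would be `audit_protected /etc/dnf/protected.d subscription-manager`, run from whatever configuration-compliance job already exists.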
