Bug 1141263

Summary: [RFE] more pluggable way of setting pesign permissions
Product: Red Hat Enterprise Linux 7
Reporter: Pat Riehecky <riehecky>
Component: pesign
Assignee: Peter Jones <pjones>
Status: CLOSED ERRATA
QA Contact: Radka Brychtova <rskvaril>
Severity: unspecified
Docs Contact: Petr Bokoc <pbokoc>
Priority: high
Version: 7.2
CC: csieh, jscotka, lkuprova, lmiksik, ovasik, pbokoc, pholica, pjones, psklenar, rskvaril, salmy
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: pesign-0.109-10.el7
Doc Type: Known Issue
Doc Text:
The *pesign* key database requires manually changing permissions to enable improved access permission controls

The *pesign* key database, which is used to sign UEFI binaries, now offers a more general method of setting database access permissions. Permissions can now be configured on the system-wide key databases, which means that any user or group can be granted access. However, a known issue in the permission settings shipped with *pesign* currently prevents this new feature from working. To enable the improved access control, you must change the permissions on the *pesign* key database manually:

chmod 0660 /etc/pki/pesign/*
chmod 0770 /etc/pki/pesign

After setting these permissions, the improved access control becomes available. If you do not perform these steps, *pesign* behaves identically to previous releases.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 05:04:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1191019
Attachments (description, flags):
  add code for behavior (none)
  Spec file updates for previous patch (none)

Description Pat Riehecky 2014-09-12 14:44:38 UTC
Created attachment 936989 [details]
add code for behavior

Description of problem: The sysvinit script provided with pesign sets ACLs for the pesign/socket file for kojibuilder:kojibuilder.  The systemd unit, however, does not.

I've built a more general solution for both the sysvinit and systemd unit that should allow for greater flexibility and compat behavior. 


Version-Release number of selected component (if applicable): pesign-0.109-6.el7


How reproducible: 100%


Steps to Reproduce:
1. search for a way to set ACLs under the systemd unit like the sysvinit script does
2. unable to locate

Actual results:
the EPEL6 package sets ACLs for kojibuilder, but the EL7 package does not and has no provided solution

Expected results:
similar behavior between sysvinit script and systemd unit

Additional info:
Attached patches resolve
Also,
http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6

Comment 1 Pat Riehecky 2014-09-12 14:45:05 UTC
Created attachment 936990 [details]
Spec file updates for previous patch

Comment 8 Radka Brychtova 2016-09-29 15:58:25 UTC
During the testing we found a mistake:

there is a simple patch like:

chmod 0660 /etc/pki/pesign/* ; chmod 0770 /etc/pki/pesign

Without this change this bug is not fixed; it works the same way as it worked before.
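The Doc Text and comment 8 both give the same manual workaround: 0770 on /etc/pki/pesign and 0660 on the files inside it. The script below is an added example, not code from the bug report, the attached patches or the pesign package; it audits a key-database directory against exactly those modes so an administrator can confirm the workaround was applied (or detect that an update reverted it). It assumes GNU coreutils `stat -c` as found on RHEL 7, and the demonstration runs on a constructed temporary directory with a made-up file name rather than on the real /etc/pki/pesign.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the pesign package.
# Audits a pesign key-database directory against the permissions that the
# Doc Text and comment 8 prescribe: 0770 on the directory and 0660 on every
# regular file inside it. Assumes GNU coreutils 'stat -c' (RHEL 7 has it).
# Usage: pesign_perm_audit [DIR]    (DIR defaults to /etc/pki/pesign)
# Exit status: 0 all entries match, 1 at least one mismatch (listed on
# stdout), 2 directory missing.

pesign_perm_audit() {
    dir="${1:-/etc/pki/pesign}"
    rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }

    # Compare only the rwx digits, so a setgid directory (2770) still passes.
    mode=$(stat -c '%a' "$dir")
    case "$mode" in
        *770) ;;
        *) echo "DIR  $dir mode $mode, expected 770"; rc=1 ;;
    esac

    for f in "$dir"/*; do
        [ -e "$f" ] || continue   # empty directory: the glob did not expand
        [ -f "$f" ] || continue   # key-database entries are regular files
        fmode=$(stat -c '%a' "$f")
        case "$fmode" in
            *660) ;;
            *) echo "FILE $f mode $fmode, expected 660"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Demonstration on a constructed temporary directory, not the real
# /etc/pki/pesign, so it runs unprivileged. The file name is made up.
pesign_perm_demo() {
    tmp=$(mktemp -d)
    touch "$tmp/sample.db"
    # Constructed starting state that does not match the required modes.
    chmod 0755 "$tmp"; chmod 0644 "$tmp/sample.db"
    if pesign_perm_audit "$tmp" >/dev/null; then before=ok; else before=mismatch; fi
    # Apply the workaround from the Doc Text / comment 8.
    chmod 0660 "$tmp"/*; chmod 0770 "$tmp"
    if pesign_perm_audit "$tmp" >/dev/null; then after=ok; else after=mismatch; fi
    rm -rf "$tmp"
    echo "before=$before after=$after"
}

pesign_perm_demo
```

Run it without arguments on a real host to check /etc/pki/pesign; a non-zero exit with the mismatching entries listed means the workaround is not (or no longer) in place. Only the permission bits are checked, because the bug report does not state which group owns the database; extend the audit with a `stat -c '%G'` comparison once the intended group is known locally.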

Comment 20 errata-xmlrpc 2016-11-04 05:04:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2384.html