The *pesign* key database requires manually changing permissions to enable improved access permission controls
The *pesign* key database, which is used to sign UEFI binaries, now offers a more general method of setting database access permissions. Permissions can now be configured on the system-wide key database, which means that any user or group can be granted access.
However, a known issue in the *pesign* permission settings currently prevents this new feature from working. To enable the improved access control, you must change the permissions on the *pesign* key database directory manually:
chmod 0660 /etc/pki/pesign/*
chmod 0770 /etc/pki/pesign
After setting these permissions, the improved access control becomes available. If you do not perform these steps, *pesign* behaves identically to previous releases.
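As an added example (not part of the release note or the pesign project), the following POSIX shell functions verify that /etc/pki/pesign carries the modes the note asks for (directory 0770, every file 0660), report each entry that still has an old mode, and optionally apply the two chmod commands; they assume GNU coreutils `stat -c` and accept a different directory so a test copy can be checked first.

```shell
#!/bin/sh
# Added example: check and repair the pesign key-database permissions
# required for the generalized access control (directory 0770, files 0660).
# Assumes GNU coreutils `stat -c '%a'`; the directory defaults to /etc/pki/pesign.

# check_pesign_perms [DIR]
# Prints every entry whose mode differs from the expected one.
# Returns 0 when everything matches, 1 on any mismatch, 2 if DIR is missing.
check_pesign_perms() {
    dir="${1:-/etc/pki/pesign}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 2
    fi
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "770" ]; then
        echo "$dir: mode $mode, expected 770"
        rc=1
    fi
    for f in "$dir"/*; do
        # An empty directory leaves the glob unexpanded; skip that literal.
        if [ ! -e "$f" ]; then continue; fi
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "660" ]; then
            echo "$f: mode $mode, expected 660"
            rc=1
        fi
    done
    return $rc
}

# fix_pesign_perms [DIR]
# Applies the chmod sequence from the release note, then re-checks.
fix_pesign_perms() {
    dir="${1:-/etc/pki/pesign}"
    for f in "$dir"/*; do
        if [ -e "$f" ]; then chmod 0660 "$f"; fi
    done
    chmod 0770 "$dir"
    check_pesign_perms "$dir"
}
```

Run `check_pesign_perms` first to see which entries still have the old mode; `fix_pesign_perms` must be run as root (or the database owner) on the real directory.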
Created attachment 936989
add code for behavior
Description of problem: The sysvinit script provided with pesign sets ACLs for the pesign/socket file for kojibuilder:kojibuilder. The systemd unit, however, does not.
I've built a more general solution for both the sysvinit and systemd unit that should allow for greater flexibility and compat behavior.
Version-Release number of selected component (if applicable): pesign-0.109-6.el7
How reproducible: 100%
Steps to Reproduce:
1. search for a way to set ACLs under the systemd unit like the sysvinit script
2. unable to locate
Actual results:
the EPEL6 package sets ACLs for kojibuilder, but the EL7 package does not and has no provided solution
Expected results:
similar behavior between sysvinit script and systemd unit
Additional info:
Attached patches resolve
Also,
http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
During the testing we found a mistake:
there is a simple patch like:
chmod 0660 /etc/pki/pesign/* ; chmod 0770 /etc/pki/pesign
Without this change, this bug is not fixed; it works the same way as it did before.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHEA-2016-2384.html