Bug 1770120

Summary: update-crypto-policies located in wrong directory
Product: Red Hat Enterprise Linux 8 Reporter: Andreas Bleischwitz <ableisch>
Component: crypto-policiesAssignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 8.1CC: nmavrogi
Target Milestone: rc   
Target Release: 8.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-08 09:03:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Andreas Bleischwitz 2019-11-08 08:39:05 UTC
Description of problem:
The command "update-crypto-policies" is currently located in /usr/bin - implying a user executeable command. When running this command as a regular user, a error message is raised:

# update-crypto-policies 
Setting system policy to DEFAULT
rm: cannot remove '/etc/crypto-policies/back-ends/bind.config': Permission denied
ln: failed to create symbolic link '/etc/crypto-policies/back-ends/bind.config': Permission denied
Failed updating policies, are you root?


Version-Release number of selected component (if applicable):
% rpm -qf /usr/bin/update-crypto-policies
crypto-policies-20181217-6.git9a35207.el8.noarch


How reproducible:
Always

Steps to Reproduce:
1. execute "update-crypto-policies" as a regular user
2. see the reported error message, indicating lack of permissions
3.

Actual results:
# update-crypto-policies 
Setting system policy to DEFAULT
rm: cannot remove '/etc/crypto-policies/back-ends/bind.config': Permission denied
ln: failed to create symbolic link '/etc/crypto-policies/back-ends/bind.config': Permission denied
Failed updating policies, are you root?

Expected results:
update-crypto-policies not visible to regular users (i.e. residing in /usr/sbin rather than /usr/bin)

Additional info:

Comment 1 Tomas Mraz 2019-11-08 09:03:33 UTC
The read-only commands (--show and --is-applied) will work even for regular user.
I do not think we want to move the command.

Comment 2 Andreas Bleischwitz 2019-11-08 09:51:25 UTC
Thank you Tomas for pointing that out. I really should have validated that use-case prior opening the BZ.

Comment 3 Tomas Mraz 2019-11-08 10:02:37 UTC
No problem.