1141263 – [RFE] more pluggable way of setting pesign permissions

Bug 1141263 - [RFE] more pluggable way of setting pesign permissions

Summary: [RFE] more pluggable way of setting pesign permissions

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pesign
Sub Component:
Version:	7.2
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Peter Jones
QA Contact:	Radka Skvarilova
Docs Contact:	Petr Bokoc
URL:
Whiteboard:
Depends On:
Blocks:	1191019
TreeView+	depends on / blocked

Reported:	2014-09-12 14:44 UTC by Pat Riehecky
Modified:	2017-04-11 14:01 UTC (History)
CC List:	11 users (show)
Fixed In Version:	pesign-0.109-10.el7
Doc Type:	Known Issue
Doc Text:	The pesign key database requires manually changing permissions to enable improved access permission controls The pesign key database, which is used to sign UEFI binaries, now offers a more generalized method of setting database access permissions. You can now configure permissions using system-wide key databases, and means that any user or group can now be granted access. However, a known issue in permission settings in pesign currently prevents the aforementioned new feature from working. To enable the improved access control, you must change the permissions to pesign manually: chmod 0660 /etc/pki/pesign/* chmod 0770 /etc/pki/pesign After setting these permissions, the improved access control will become available. If you do not perform these steps, pesign behavior will be identical to previous releases.
Clone Of:
Environment:
Last Closed:	2016-11-04 05:04:23 UTC
Target Upstream Version:

Attachments	(Terms of Use)
add code for behavior (2.79 KB, text/plain) 2014-09-12 14:44 UTC, Pat Riehecky	no flags	Details
Spec file updates for previous patch (1.11 KB, patch) 2014-09-12 14:45 UTC, Pat Riehecky	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2016:2384	normal	SHIPPED_LIVE	pesign enhancement update	2016-11-03 13:53:11 UTC

Description Pat Riehecky 2014-09-12 14:44:38 UTC

Created attachment 936989 [details]
add code for behavior

Description of problem: The sysvinit script provided with pesign sets ACLS for the pesign/socket file for kojibuilder:kojibuilder.  The systemd unit, however, does not.

I've built a more general solution for both the sysvinit and systemd unit that should allow for greater flexibility and compat behavior. 


Version-Release number of selected component (if applicable):pesign-0.109-6.el7


How reproducible:100%


Steps to Reproduce:
1.search for way to set acls under systemd unit like the sysvinit script
2.unable to locate
3.

Actual results:
the EPEL6 package sets ACLS for kojibuilder, but the EL7 package does not and has no provided solution

Expected results:
similar behavior between sysvinit script and systemd unit

Additional info:
Attached patches resolve
Also,
http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6

Comment 1 Pat Riehecky 2014-09-12 14:45:05 UTC

Created attachment 936990 [details]
Spec file updates for previous patch

Comment 8 Radka Skvarilova 2016-09-29 15:58:25 UTC

During the testing we found a mistake:

there is simple patch like:

chmod 0660 /etc/pki/pesign/* ; chmod 0770 /etc/pki/pesign

without this change this bug is not fixed, it works the same way as it works before.

Comment 20 errata-xmlrpc 2016-11-04 05:04:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2384.html

Note You need to log in before you can comment on or make changes to this bug.