Bug 1141263 - [RFE] more pluggable way of setting pesign permissions
Summary: [RFE] more pluggable way of setting pesign permissions
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pesign
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Peter Jones
QA Contact: Radka Skvarilova
Docs Contact: Petr Bokoc
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks: 1191019
Reported: 2014-09-12 14:44 UTC by Pat Riehecky
Modified: 2017-04-11 14:01 UTC (History)

Doc Text:
The *pesign* key database requires manually changing permissions to enable improved access permission controls

The *pesign* key database, which is used to sign UEFI binaries, now offers a more generalized method of setting database access permissions. Permissions are now configured on the system-wide key databases, which means that any user or group can be granted access.

However, a known issue in the permission settings shipped with *pesign* currently prevents this new feature from working. To enable the improved access control, you must change the permissions on the *pesign* key database directory manually:

   chmod 0660 /etc/pki/pesign/*
   chmod 0770 /etc/pki/pesign

After setting these permissions, the improved access control will become available. If you do not perform these steps, *pesign* behavior will be identical to previous releases.
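To confirm that the two chmod steps above actually took effect, and to catch later permission drift, here is an added audit script; it is not part of the bug report or the pesign package, assumes GNU stat (as on RHEL), and takes the directory to check as an optional argument:

```shell
#!/bin/sh
# Added example, not from the bug report or from pesign itself.
# Audit a pesign key-database directory against the modes the doc text
# prescribes: 0770 on the directory and 0660 on every file inside it.
# Returns 0 when compliant; prints each deviation and returns 1 otherwise,
# so it can run as a post-install check or a configuration-drift probe.
# Returns 2 if the directory does not exist at all.
# Assumes GNU stat; the default path is the real pesign location.

pesign_perms_check() {
    dir="${1:-/etc/pki/pesign}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 2
    fi
    # stat %a prints the octal mode without a leading zero, e.g. 770.
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "770" ]; then
        echo "$dir: mode $mode, expected 770"
        rc=1
    fi
    # Every regular file (the NSS database files) must be 0660: group
    # write is what lets members of the signing group use the database
    # without being root, and no world access is permitted.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "660" ]; then
            echo "$f: mode $mode, expected 660"
            rc=1
        fi
    done
    return $rc
}
```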
Clone Of:
Last Closed: 2016-11-04 05:04:23 UTC


Attachments (Terms of Use)
add code for behavior (2.79 KB, text/plain)
2014-09-12 14:44 UTC, Pat Riehecky
Spec file updates for previous patch (1.11 KB, patch)
2014-09-12 14:45 UTC, Pat Riehecky


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2384 normal SHIPPED_LIVE pesign enhancement update 2016-11-03 13:53:11 UTC

Description Pat Riehecky 2014-09-12 14:44:38 UTC
Created attachment 936989 [details]
add code for behavior

Description of problem: The sysvinit script provided with pesign sets ACLs for the pesign/socket file for kojibuilder:kojibuilder. The systemd unit, however, does not.

I've built a more general solution for both the sysvinit and systemd unit that should allow for greater flexibility and compat behavior. 


Version-Release number of selected component (if applicable): pesign-0.109-6.el7


How reproducible: 100%


Steps to Reproduce:
1. Search for a way to set ACLs under the systemd unit like the sysvinit script does
2. Unable to locate

Actual results:
The EPEL6 package sets ACLs for kojibuilder, but the EL7 package does not and has no provided solution.

Expected results:
Similar behavior between the sysvinit script and the systemd unit.

Additional info:
Attached patches resolve
Also,
http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6

Comment 1 Pat Riehecky 2014-09-12 14:45:05 UTC
Created attachment 936990 [details]
Spec file updates for previous patch

Comment 8 Radka Skvarilova 2016-09-29 15:58:25 UTC
During the testing we found a mistake:

There is a simple patch like:

chmod 0660 /etc/pki/pesign/* ; chmod 0770 /etc/pki/pesign

Without this change this bug is not fixed; it works the same way as it worked before.

Comment 20 errata-xmlrpc 2016-11-04 05:04:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2384.html