
packages: fix permissions for /var/lib/systemd/random-seed #1656

Merged (1 commit), Jul 16, 2021

Conversation

arnaldo2792
Contributor

@arnaldo2792 arnaldo2792 commented Jul 14, 2021

Issue number:
N / A

Description of changes:

1176e7dc packages: fix permissions for /var/lib/systemd/random-seed

This commit changes the permissions on /var/lib/systemd/random-seed from 755 to 600, and the SELinux label from state_t to secret_t, so that only the root user can read from the file.

Testing done:

  • Verified the permissions changed:

        # previous permissions
        bash-5.0# ls -lZ /var/lib/systemd
        drwxr-xr-x. 2 root root system_u:object_r:state_t:s0 4096 Jul 14 21:22 catalog
        drwxr-xr-x. 2 root root system_u:object_r:state_t:s0 4096 Jul 14 21:22 coredump
        drwxr-xr-x. 2 root root system_u:object_r:state_t:s0 4096 Jul 14 21:22 pstore
        -rwxr-xr-x. 1 root root system_u:object_r:state_t:s0  512 Jul 14 21:22 random-seed

        # new permissions
        bash-5.0# ls -lZ /var/lib/systemd/
        total 20
        drwxr-xr-x. 2 root root system_u:object_r:state_t:s0  4096 Jul 16 03:27 catalog
        drwxr-xr-x. 2 root root system_u:object_r:state_t:s0  4096 Jul 16 03:27 coredump
        drwxr-xr-x. 2 root root system_u:object_r:state_t:s0  4096 Jul 16 03:27 pstore
        -rw-------. 1 root root system_u:object_r:secret_t:s0  512 Jul 16 03:27 random-seed

  • Launch task in x86_64 aws-ecs-1
  • Launch pod in x86_64 aws-k8s-1.19, -1.20

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
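As an added check that is not part of this PR or of Bottlerocket itself, the POSIX shell helper below audits an `ls -lZ` line for random-seed against the state this change is meant to produce (mode 600, owner root:root, SELinux type secret_t); `check_random_seed_line` and `audit_random_seed` are hypothetical names, and the sample lines are copied from the test output above.

```shell
# Audit one `ls -lZ` line: mode must be exactly rw------- (600), owner and
# group root, and the SELinux context type field must be secret_t.
# Returns 0 when every property matches, 1 otherwise (reason on stderr).
check_random_seed_line() {
    # Word-split the listing into its columns:
    #   mode links owner group context size month day time name
    set -- $1
    mode=$1; owner=$3; group=$4; ctx=$5

    # A trailing "." after the mode means a security context is present.
    case "$mode" in
        -rw-------.|-rw-------) ;;
        *) echo "random-seed: unexpected mode $mode (want 600)" >&2; return 1 ;;
    esac

    if [ "$owner" != root ] || [ "$group" != root ]; then
        echo "random-seed: unexpected owner $owner:$group (want root:root)" >&2
        return 1
    fi

    # Context has the form user:role:type:level; the type is field 3.
    type=$(printf '%s' "$ctx" | cut -d: -f3)
    if [ "$type" != secret_t ]; then
        echo "random-seed: unexpected SELinux type $type (want secret_t)" >&2
        return 1
    fi
    return 0
}

# Live check on a host with SELinux-aware ls (run as root).
audit_random_seed() {
    check_random_seed_line "$(ls -lZ /var/lib/systemd/random-seed)"
}

# Constructed sample input: the "before" and "after" listings from the PR.
BEFORE_LINE='-rwxr-xr-x. 1 root root system_u:object_r:state_t:s0  512 Jul 14 21:22 random-seed'
AFTER_LINE='-rw-------. 1 root root system_u:object_r:secret_t:s0  512 Jul 16 03:27 random-seed'
```

On a live system, `audit_random_seed` reports the first mismatch it finds, which makes it easy to drop into a boot-time or CI sanity check.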

@@ -2,3 +2,4 @@ d /run/cache 0755 root root -
d /run/lock 0755 root root -
L /var/lock - - - - /run/lock
Z /var/lib/systemd 0755 root root -
z /var/lib/systemd/random-seed 600 root root -
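Review bot: the `Z /var/lib/systemd 0755 root root -` line just above still recursively applies 0755 to every regular file under the directory (which is why random-seed showed up as -rwxr-xr-x in the "previous permissions" listing), so the new `z /var/lib/systemd/random-seed 600 root root -` entry only narrows this one file back down and relies on being applied after the `Z` line. Consider a masked mode, `Z /var/lib/systemd ~0755 root root -`, so regular files that do not already carry executable bits never receive them. Note also that `z` only adjusts a file that already exists and relabels it according to the loaded SELinux policy, so the secret_t type has to come from the fs.cil file-context entry discussed below rather than from this line.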
Contributor

We should also label this secret_t by adding an entry to packages/selinux-policy/fs.cil.

Contributor Author

Done

This commit changes the permissions on `/var/lib/systemd/random-seed`
from `755` to `600`, and SELinux label from `state_t` to `secret_t`, so
that only the root user can read from the file.

Signed-off-by: Arnaldo Garcia Rincon <agarrcia@amazon.com>
@arnaldo2792
Contributor Author

Forced push includes updates in the SELinux policy

@arnaldo2792 arnaldo2792 marked this pull request as ready for review July 16, 2021 03:33
@arnaldo2792 arnaldo2792 merged commit 194317f into bottlerocket-os:develop Jul 16, 2021
@arnaldo2792 arnaldo2792 deleted the fix-random-seed branch July 16, 2021 20:45