Enforce some better rights on temporary files

We probably don't want to expose the SELinux issues, so let's use stricter
permissions on the temporary files.

Change-Id: I9b27a068129d694577bb3b0ab7374934f06c5655
Cédric Jeanneret 2021-06-25 11:14:54 +02:00 committed by Gael Chamoulaud (Strider)
parent 28c7af3ea1
commit f5d2363215
No known key found for this signature in database
GPG Key ID: 4119D0305C651D66


@ -58,6 +58,7 @@
shell: |
set -o pipefail
grep -i denied {{ validate_selinux_audit_source }} > /tmp/denials.log || (echo "No denials found in auditlog"; exit 0)
chmod 0600 /tmp/denials.log
- name: Get stat for denials.log
stat:
@ -77,7 +78,7 @@
template:
src: skip-list.j2
dest: "{{ validate_selinux_skip_list_dest }}"
mode: 0644
mode: 0600
- name: Filter out denials
when: validate_selinux_skip_list != {}
@ -86,6 +87,7 @@
shell: |
set -o pipefail
grep -v -f {{ validate_selinux_skip_list_dest }} /tmp/denials.log > {{ validate_selinux_filtered_denials_dest }}
chmod 0600 {{ validate_selinux_filtered_denials_dest }}
- name: No skip_list
when: validate_selinux_skip_list == {}
@ -93,6 +95,7 @@
remote_src: true
src: /tmp/denials.log
dest: "{{ validate_selinux_filtered_denials_dest }}"
mode: 0600
- name: Get stat for filtered denials
stat:
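Review bot: The `chmod 0600 /tmp/denials.log` added in the first hunk only tightens the file after the `grep ... > /tmp/denials.log` redirect has already created it with the default umask, and `/tmp/denials.log` is a fixed name in a shared, world-writable directory, so between creation and chmod the file is readable at the default mode and the redirect may follow whatever already sits at that path. Adding `umask 077` directly after `set -o pipefail` (in this hunk and again in the `grep -v -f ... >` hunk) makes both redirected files restrictive from the moment they are created, so the trailing chmod becomes belt-and-braces rather than the only protection; creating the denials file with a `tempfile` task or under a directory owned by the running user would also remove the predictable-name issue, though that is a larger change than this commit intends. As a point of style, `mode: 0600` on the template and copy tasks is an unquoted octal that YAML 1.1 parsers load as the integer 384; Ansible accepts the leading-zero form, but `mode: "0600"` is unambiguous and is what ansible-lint's octal-mode rule asks for. The task list continues past the last hunk, so the remaining tasks that touch these files are outside this review.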