From f5d23632159a5e2c010fd581bd4aba71b08967cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Fri, 25 Jun 2021 11:14:54 +0200
Subject: [PATCH] Enforce some better rights on temporary files

We probably don't want to expose the SELinux issues, so let's use some better rights on the temporary files.

Change-Id: I9b27a068129d694577bb3b0ab7374934f06c5655
---
 validations_common/roles/validate_selinux/tasks/main.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/validations_common/roles/validate_selinux/tasks/main.yml b/validations_common/roles/validate_selinux/tasks/main.yml
index 8388dab..29fa290 100644
--- a/validations_common/roles/validate_selinux/tasks/main.yml
+++ b/validations_common/roles/validate_selinux/tasks/main.yml
@@ -58,6 +58,7 @@
   shell: |
     set -o pipefail
     grep -i denied {{ validate_selinux_audit_source }} > /tmp/denials.log || (echo "No denials found in auditlog"; exit 0)
+    chmod 0600 /tmp/denials.log
 
 - name: Get stat for denials.log
   stat:
@@ -77,7 +78,7 @@
   template:
     src: skip-list.j2
     dest: "{{ validate_selinux_skip_list_dest }}"
-    mode: 0644
+    mode: 0600
 
 - name: Filter out denials
   when: validate_selinux_skip_list != {}
@@ -86,6 +87,7 @@
   shell: |
     set -o pipefail
     grep -v -f {{ validate_selinux_skip_list_dest }} /tmp/denials.log > {{ validate_selinux_filtered_denials_dest }}
+    chmod 0600 {{ validate_selinux_filtered_denials_dest }}
 
 - name: No skip_list
   when: validate_selinux_skip_list == {}
@@ -93,6 +95,7 @@
     remote_src: true
     src: /tmp/denials.log
     dest: "{{ validate_selinux_filtered_denials_dest }}"
+    mode: 0600
 
 - name: Get stat for filtered denials
   stat:
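Review bot: The added `chmod 0600 /tmp/denials.log` only tightens the file after the `>` redirection on the previous line has already created it under the shell's default umask, so the denial log is briefly readable by other local users, and if grep exits non-zero the `||` branch returns before the chmod ever runs. Putting `umask 077` as the first line of the shell block (right after `set -o pipefail`) makes the redirect create the file 0600 from the start and covers both paths; the chmod can stay as a belt-and-braces step. Separately, a fixed name under the world-writable /tmp means a file or symlink pre-placed by another user is silently followed by the redirect; a private directory from the `tempfile` module would avoid that, but it is a larger change than this patch. Note also that the `|| (echo ...; exit 0)` reports any grep failure, including an unreadable audit source, as "No denials found", which this commit does not address.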
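Review bot: `mode: 0600` is written as an unquoted YAML scalar, as the `0644` it replaces was; PyYAML parses it as octal 384 which Ansible maps back to 0600, but a YAML 1.2 parser would read it as decimal 600, and the Ansible file-module docs recommend quoting to make the octal intent explicit. A one-token change does it: `mode: '0600'`. The same applies to the `mode: 0600` added in the later copy task.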
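Review bot: The new `chmod 0600 {{ validate_selinux_filtered_denials_dest }}` has the same ordering gap as the first hunk: the `grep -v -f ... >` redirect creates the filtered file with the default umask, and only then is it restricted, leaving a window in which the unfiltered-looking denial lines are world-readable. Adding `umask 077` after `set -o pipefail` at the top of this shell block closes it with one line and makes the chmod redundant rather than load-bearing. Since the destination is a caller-supplied path, a short comment above the task stating that it is created 0600 and should point into a directory not writable by other users would help operators choose a safe value; that intent is not documented anywhere in the hunk.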