Try to ensure SEL labels persist across runs

plus3it · Mar 13, 2024 · 0b1cb8a · 0b1cb8a
1 parent 88e0120
commit 0b1cb8a
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/ash-linux/el8/STIGbyID/cat1/RHEL-08-010140.sls b/ash-linux/el8/STIGbyID/cat1/RHEL-08-010140.sls
@@ -82,4 +82,19 @@ regen_grubCfg-{{ stig_id }}:
     - onchanges:
        - file: grubuser_superDef-{{ grubUserFile }}-{{ stig_id }}
        - file: grubuser_userSub-{{ grubUserFile }}-{{ stig_id }}
+    - onchanges_in:
+      - file: fix_perms_grubCfg-{{ stig_id }}
+
+fix_perms_grubCfg-{{ stig_id }}:
+  file.managed:
+    - name: '/boot/grub2/grub.cfg'
+    - mode: '0600'
+    - owner: 'root'
+    - selinux:
+        serange: 's0'
+        serole: 'object_r'
+        setype: 'boot_t'
+        seuser: 'system_u'
+    - user: 'root'
+
 {%- endif %}
diff --git a/ash-linux/el8/STIGbyID/cat1/RHEL-08-010150.sls b/ash-linux/el8/STIGbyID/cat1/RHEL-08-010150.sls
@@ -62,7 +62,7 @@ user_cfg_content-{{ stig_id }}:
     - contents: |-
         GRUB2_PASSWORD={{ grubEncryptedPass }}
     - onchanges_in:
-      - regen_grubCfg-{{ stig_id }}
+      - cmd: regen_grubCfg-{{ stig_id }}
     - onchanges:
       - file: user_cfg_permissions-{{ stig_id }}
 
@@ -85,4 +85,18 @@ regen_grubCfg-{{ stig_id }}:
     - onchanges:
       - file: grubuser_superDef-{{ grubUserFile }}-{{ stig_id }}
       - file: grubuser_userSub-{{ grubUserFile }}-{{ stig_id }}
+    - onchanges_in:
+      - file: fix_perms_grubCfg-{{ stig_id }}
+
+fix_perms_grubCfg-{{ stig_id }}:
+  file.managed:
+    - name: '/boot/grub2/grub.cfg'
+    - mode: '0600'
+    - owner: 'root'
+    - selinux:
+        serange: 's0'
+        serole: 'object_r'
+        setype: 'boot_t'
+        seuser: 'system_u'
+    - user: 'root'
 {%- endif %}