From 0b1cb8ad17ab965c4eb6b6a8e5785d6d4378f8a7 Mon Sep 17 00:00:00 2001
From: Thomas H Jones II
Date: Wed, 13 Mar 2024 13:37:19 -0400
Subject: [PATCH] Try to ensure SEL labels persist across runs
---
 ash-linux/el8/STIGbyID/cat1/RHEL-08-010140.sls | 15 +++++++++++++++
 ash-linux/el8/STIGbyID/cat1/RHEL-08-010150.sls | 16 +++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/ash-linux/el8/STIGbyID/cat1/RHEL-08-010140.sls b/ash-linux/el8/STIGbyID/cat1/RHEL-08-010140.sls
index 7a0c0d204..4d9bfb50c 100644
--- a/ash-linux/el8/STIGbyID/cat1/RHEL-08-010140.sls
+++ b/ash-linux/el8/STIGbyID/cat1/RHEL-08-010140.sls
@@ -82,4 +82,19 @@ regen_grubCfg-{{ stig_id }}:
 - onchanges:
 - file: grubuser_superDef-{{ grubUserFile }}-{{ stig_id }}
 - file: grubuser_userSub-{{ grubUserFile }}-{{ stig_id }}
+ - onchanges_in:
+ - file: fix_perms_grubCfg-{{ stig_id }}
+
+fix_perms_grubCfg-{{ stig_id }}:
+ file.managed:
+ - name: '/boot/grub2/grub.cfg'
+ - mode: '0600'
+ - owner: 'root'
+ - selinux:
+ serange: 's0'
+ serole: 'object_r'
+ setype: 'boot_t'
+ seuser: 'system_u'
+ - user: 'root'
+
 {%- endif %}
diff --git a/ash-linux/el8/STIGbyID/cat1/RHEL-08-010150.sls b/ash-linux/el8/STIGbyID/cat1/RHEL-08-010150.sls
index 108c48131..de47e4e9d 100644
--- a/ash-linux/el8/STIGbyID/cat1/RHEL-08-010150.sls
+++ b/ash-linux/el8/STIGbyID/cat1/RHEL-08-010150.sls
@@ -62,7 +62,7 @@ user_cfg_content-{{ stig_id }}:
 - contents: |-
 GRUB2_PASSWORD={{ grubEncryptedPass }}
 - onchanges_in:
- - regen_grubCfg-{{ stig_id }}
+ - cmd: regen_grubCfg-{{ stig_id }}
 - onchanges:
 - file: user_cfg_permissions-{{ stig_id }}
 
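Review bot: `fix_perms_grubCfg-{{ stig_id }}` is a `file.managed` with neither `source` nor `contents`, so on a host where `/boot/grub2/grub.cfg` does not exist the state will, as far as I recall Salt's defaults, create an empty file there rather than skip; `- create: False` limits it to relabelling a config that already exists, which seems worth checking for the UEFI state (RHEL-08-010140), where the regenerated config may live under the EFI path rather than `/boot/grub2`. The identical block is added to RHEL-08-010150.sls in the next hunk, so the same applies there. `owner: 'root'` and `user: 'root'` both appear; `user` is the `file.managed` argument for ownership and `owner` looks redundant, while `group: 'root'` is not pinned alongside `mode: '0600'`. Because `onchanges_in` ties the relabel to `regen_grubCfg` reporting a change, a label or mode reset by an out-of-band `grub2-mkconfig` would not be corrected until the next regeneration; if the goal is labels that persist across runs, letting this state run unconditionally (dropping the `onchanges_in` coupling on `regen_grubCfg`) enforces them on every highstate.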
@@ -85,4 +85,18 @@ regen_grubCfg-{{ stig_id }}:
 - onchanges:
 - file: grubuser_superDef-{{ grubUserFile }}-{{ stig_id }}
 - file: grubuser_userSub-{{ grubUserFile }}-{{ stig_id }}
+ - onchanges_in:
+ - file: fix_perms_grubCfg-{{ stig_id }}
+
+fix_perms_grubCfg-{{ stig_id }}:
+ file.managed:
+ - name: '/boot/grub2/grub.cfg'
+ - mode: '0600'
+ - owner: 'root'
+ - selinux:
+ serange: 's0'
+ serole: 'object_r'
+ setype: 'boot_t'
+ seuser: 'system_u'
+ - user: 'root'
 {%- endif %}