Skip to content

Fix conflict with file_permissions* rules fails in RHEL9 BSI SYS.1.3 #14342

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Arden97 wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Fix conflict with file_permissions* rules fails in RHEL9 BSI SYS.1.3 #14342

Arden97 wants to merge 1 commit into from
+2 −0

Conversation

@Arden97
Copy link
Contributor

@Arden97 Arden97 commented Jan 28, 2026

Description:

  • These changes add the package_cron_installed rule that installs the cron package before all cron-related checks are executed

Rationale:

  • all rules in the cron_and_at group pass even when no cron files are found.

  • after these checks, aide_periodic_cron_checking is executed, which installs the cron package.

  • A subsequent check finds the cron files in their default state

    • file_groupowner_cron* and file_owner_cron* rules are passing, because the default state of the cron files satisfies the rule requirements
    • file_permissions_cron* rules fail, because default cron permissions are 755 (instead of the required 700)

  • Fixes file_permissions and rpm_verify_permissions rules conflict with each other (BSI profile) #13844

Review Hints:

  • reserve testing farm with hvm support
  • run /hardening/container/bootc-image-builder/bsi using autocontest

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 28, 2026
@openshift-ci
Copy link

openshift-ci bot commented Jan 28, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions
Copy link

github-actions bot commented Jan 28, 2026

ATEX Test Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results
Workflow Run: View Workflow Details

This comment was automatically generated by the ATEX workflow.

@jan-cerny
Copy link
Collaborator

jan-cerny commented Jan 28, 2026

Should we do the same change also in the RHEL 10 BSI profile?

@jan-cerny jan-cerny self-assigned this Jan 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jan-cerny jan-cerny

Labels

do-not-merge/work-in-progress Used by openshift-ci bot.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

file_permissions and rpm_verify_permissions rules conflict with each other (BSI profile)

2 participants

@Arden97 @jan-cerny