Better ACL setting code.

Signed-off-by: Peter Jones <pjones@redhat.com>

0001-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch

@@ -0,0 +1,50 @@
+From 2ced112a031c65791f04d46ce73f6d64a17ad069 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 20 Nov 2015 19:19:49 -0500
+Subject: [PATCH 1/2] Don't setfacl when the socket or dir aren't there.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign-authorize-groups | 8 ++++++--
+ src/pesign-authorize-users  | 8 ++++++--
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index e3864ce..2222809 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -11,7 +11,11 @@
+ 
+ if [[ -r /etc/pesign/groups ]]; then
+     for group in $(cat /etc/pesign/groups); do
+-        setfacl -m g:${group}:rx /var/run/pesign
+-        setfacl -m g:${group}:rw /var/run/pesign/socket
++	if [ -d /var/run/pesign ]; then
++	    setfacl -m g:${group}:rx /var/run/pesign
++	    if [ -e /var/run/pesign/socket ]; then
++		setfacl -m g:${group}:rw /var/run/pesign/socket
++	    fi
++	fi
+     done
+ fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index e500204..22bddec 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -11,7 +11,11 @@
+ 
+ if [[ -r /etc/pesign/users ]]; then
+     for username in $(cat /etc/pesign/users); do
+-        setfacl -m u:${username}:rx /var/run/pesign
+-        setfacl -m u:${username}:rw /var/run/pesign/socket
++	if [ -d /var/run/pesign ]; then
++	    setfacl -m g:${username}:rx /var/run/pesign
++	    if [ -e /var/run/pesign/socket ]; then
++		setfacl -m g:${username}:rw /var/run/pesign/socket
++	    fi
++	fi
+     done
+ fi
+-- 
+2.5.0
+

0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch

@@ -1,39 +0,0 @@
-From 1a9a8eefe8f9a9b21996151a5afd956df22921ea Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Thu, 19 Nov 2015 11:36:59 -0500
-Subject: [PATCH] setfacl the nss DBs to our authorized users, not just the
- socket.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/pesign-authorize-groups | 2 ++
- src/pesign-authorize-users  | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
-index e3864ce..2236bea 100644
---- a/src/pesign-authorize-groups
-+++ b/src/pesign-authorize-groups
-@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
-     for group in $(cat /etc/pesign/groups); do
-         setfacl -m g:${group}:rx /var/run/pesign
-         setfacl -m g:${group}:rw /var/run/pesign/socket
-+        setfacl -m g:${username}:rx /etc/pki/pesign
-+        setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
-     done
- fi
-diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
-index e500204..9c38a25 100644
---- a/src/pesign-authorize-users
-+++ b/src/pesign-authorize-users
-@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
-     for username in $(cat /etc/pesign/users); do
-         setfacl -m u:${username}:rx /var/run/pesign
-         setfacl -m u:${username}:rw /var/run/pesign/socket
-+        setfacl -m u:${username}:rx /etc/pki/pesign
-+        setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
-     done
- fi
--- 
-2.5.0
-

0002-setfacl-the-db-as-well.patch

@@ -0,0 +1,41 @@
+From 4abf6bc506a31ae3e21ae736a44cea992c6ba6c1 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 20 Nov 2015 19:21:39 -0500
+Subject: [PATCH 2/2] setfacl the db as well
+
+---
+ src/pesign-authorize-groups | 4 ++++
+ src/pesign-authorize-users  | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index 2222809..e0f679d 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then
+ 		setfacl -m g:${group}:rw /var/run/pesign/socket
+ 	    fi
+ 	fi
++	if [ -d /etc/pki/pesign ]; then
++	    setfacl -m g:${group}:rx /etc/pki/pesign
++	    setfacl -m u:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
++	fi
+     done
+ fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index 22bddec..997c8a3 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/users ]]; then
+ 		setfacl -m g:${username}:rw /var/run/pesign/socket
+ 	    fi
+ 	fi
++	if [ -d /etc/pki/pesign ]; then
++	    setfacl -m g:${username}:rx /etc/pki/pesign
++	    setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
++	fi
+     done
+ fi
+-- 
+2.5.0
+

pesign.spec

@@ -3,7 +3,7 @@
 Summary: Signing utility for UEFI binaries
 Name: pesign
 Version: 0.111
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/System
 License: GPLv2
 Recommends: pesign-rh-test-certs
@@ -25,7 +25,8 @@ BuildRequires: rh-signing-tools >= 1.20-2
 Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
 Source1: certs.tar.xz
 Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch
-Patch0002: 0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
+Patch0002: 0001-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
+Patch0003: 0002-setfacl-the-db-as-well.patch
 
 %description
 This package contains the pesign utility for signing UEFI binaries as
@@ -103,7 +104,7 @@ fi
 %post
 %systemd_post pesign.service
 modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
-	-libfile %{_libdir}/pkcs11/opensc-pkcs11.so
+	-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
 #modutil -force -dbdir %{_sysconfdir}/pki/pesign -add coolkey \
 #	-libfile %%{_libdir}/pkcs11/libcoolkeypk11.so
 
@@ -153,6 +154,10 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
 %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/rh-test-certs/*
 
 %changelog
+* Fri Nov 20 2015 Peter Jones <pjones@redhat.com> - 0.111-3
+- Better ACL setting code.
+  Related: rhbz#1283745
+
 * Thu Nov 19 2015 Peter Jones <pjones@redhat.com> - 0.111-2
 - Allow the mockbuild user to read the nss database if the account exists.