Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yast2-security for openSUSE:Factory checked in at 2021-03-28 11:54:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-security (Old) and /work/SRC/openSUSE:Factory/.yast2-security.new.2401 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-security" Sun Mar 28 11:54:01 2021 rev:104 rq:879874 version:4.3.16 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-security/yast2-security.changes 2021-03-08 15:17:16.697939617 +0100 +++ /work/SRC/openSUSE:Factory/.yast2-security.new.2401/yast2-security.changes 2021-03-28 11:54:11.924109015 +0200 @@ -1,0 +2,6 @@ +Thu Mar 18 11:43:42 UTC 2021 - David Diaz <dgonza...@suse.com> + +- Do not set SELinux mode when it is not configurable (bsc#1182940) +- 4.3.16 + +------------------------------------------------------------------- Old: ---- yast2-security-4.3.15.tar.bz2 New: ---- yast2-security-4.3.16.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-security.spec ++++++ --- /var/tmp/diff_new_pack.D7ve1p/_old 2021-03-28 11:54:12.404109440 +0200 +++ /var/tmp/diff_new_pack.D7ve1p/_new 2021-03-28 11:54:12.404109440 +0200 @@ -17,7 +17,7 @@ Name: yast2-security -Version: 4.3.15 +Version: 4.3.16 Release: 0 Summary: YaST2 - Security Configuration License: GPL-2.0-only ++++++ yast2-security-4.3.15.tar.bz2 -> yast2-security-4.3.16.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.3.15/package/yast2-security.changes new/yast2-security-4.3.16/package/yast2-security.changes --- old/yast2-security-4.3.15/package/yast2-security.changes 2021-03-04 16:07:18.000000000 +0100 +++ new/yast2-security-4.3.16/package/yast2-security.changes 2021-03-18 13:39:36.000000000 +0100 
@@ -1,4 +1,10 @@ ------------------------------------------------------------------- +Thu Mar 18 11:43:42 UTC 2021 - David Diaz <dgonza...@suse.com> + +- Do not set SELinux mode when it is not configurable (bsc#1182940) +- 4.3.16 + +------------------------------------------------------------------- Wed Mar 3 16:09:26 UTC 2021 - David Diaz <dgonza...@suse.com> - Make SELinux not configurable when running on WSL (bsc#1182940) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.3.15/package/yast2-security.spec new/yast2-security-4.3.16/package/yast2-security.spec --- old/yast2-security-4.3.15/package/yast2-security.spec 2021-03-04 16:07:18.000000000 +0100 +++ new/yast2-security-4.3.16/package/yast2-security.spec 2021-03-18 13:39:36.000000000 +0100 @@ -17,7 +17,7 @@ Name: yast2-security -Version: 4.3.15 +Version: 4.3.16 Release: 0 Group: System/YaST License: GPL-2.0-only diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.3.15/src/modules/Security.rb new/yast2-security-4.3.16/src/modules/Security.rb --- old/yast2-security-4.3.15/src/modules/Security.rb 2021-03-04 16:07:18.000000000 +0100 +++ new/yast2-security-4.3.16/src/modules/Security.rb 2021-03-18 13:39:36.000000000 +0100 @@ -375,7 +375,9 @@ # # @see Y2Security::Selinux def read_selinux_settings - @Settings["SELINUX_MODE"] = selinux_config.mode.id.to_s + return unless selinux.configurable? + + @Settings["SELINUX_MODE"] = selinux.mode.id.to_s log.debug "SELINUX_MODE (after #{__callee__}): #{@Settings['SELINUX_MODE']}" end @@ -548,8 +550,8 @@ # # @return true on success def write_selinux - selinux_config.mode = @Settings["SELINUX_MODE"] - selinux_config.save + selinux.mode = @Settings["SELINUX_MODE"] + selinux.save end # Write settings related to PAM behavior 
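Review bot: The `configurable?` guard added to `read_selinux_settings` covers only the read path; `write_selinux` in the following hunk, and `set_selinux_patterns` in the `@@ -901` hunk, still assign `selinux.mode` from `@Settings["SELINUX_MODE"]` (and `write_selinux` calls `save`) without that check. If a mode reaches the setting by another route, for example an imported profile, it would presumably still be applied on a system where SELinux is not configurable, unless `Y2Security::Selinux` guards `mode=` and `save` internally, which is not visible here. Consider `return true unless selinux.configurable?` as the first line of `write_selinux`, in line with its documented `@return true on success`. The early return in `read_selinux_settings` also skips the `log.debug` line, so a message such as `log.info "SELinux is not configurable, SELINUX_MODE left untouched"` before returning would tell an administrator why no mode was recorded. Both method bodies are complete in their hunks, but the doc comments above them begin outside, and the one on `read_selinux_settings` should mention that the method is a no-op when SELinux is not configurable.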
@@ -901,11 +903,11 @@ # Ensures needed patterns for SELinux, if any, will be installed def set_selinux_patterns - selinux_config.mode = @Settings["SELINUX_MODE"] unless @Settings["SELINUX_MODE"].to_s.empty? + selinux.mode = @Settings["SELINUX_MODE"] unless @Settings["SELINUX_MODE"].to_s.empty? # Please, keep the unique id synced with the one used in normal installation # See https://github.com/yast/yast-installation/blob/7c19909e9700242209645cf12a4daffe1cd54194/src/lib/installation/clients/security_proposal.rb#L244-L247 - PackagesProposal.SetResolvables("SELinux", :pattern, selinux_config.needed_patterns) + PackagesProposal.SetResolvables("SELinux", :pattern, selinux.needed_patterns) end # Sets @missing_mandatory_services honoring the systemd aliases @@ -981,8 +983,8 @@ # Returns a SELinux configuration handler # # @return [Y2Security::Selinux] the SELinux config handler - def selinux_config - @selinux_config ||= Y2Security::Selinux.new + def selinux + @selinux ||= Y2Security::Selinux.new end # Checks if the service is allowed (i.e. not considered 'extra') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.3.15/test/levels_test.rb new/yast2-security-4.3.16/test/levels_test.rb --- old/yast2-security-4.3.15/test/levels_test.rb 2021-03-04 16:07:18.000000000 +0100 +++ new/yast2-security-4.3.16/test/levels_test.rb 2021-03-18 13:39:36.000000000 +0100 
@@ -50,7 +50,7 @@ change_scr_root(File.join(DATA_PATH, "system")) stub_scr_write allow(Package).to receive(:Installed).with("systemd").and_return true - allow(Security.selinux_config).to receive(:save) + allow(Security.selinux).to receive(:save) end after do diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.3.15/test/security_test.rb new/yast2-security-4.3.16/test/security_test.rb --- old/yast2-security-4.3.15/test/security_test.rb 2021-03-04 16:07:18.000000000 +0100 +++ new/yast2-security-4.3.16/test/security_test.rb 2021-03-18 13:39:36.000000000 +0100 @@ -244,18 +244,18 @@ let(:requested_mode) { "enforcing" } before do - allow(subject.selinux_config).to receive(:save) + allow(subject.selinux).to receive(:save) subject.Settings["SELINUX_MODE"] = requested_mode end it "sets the SELinux mode" do - expect(subject.selinux_config).to receive(:mode=).with(requested_mode) + expect(subject.selinux).to receive(:mode=).with(requested_mode) subject.write_selinux end it "saves the selinux config" do - expect(subject.selinux_config).to receive(:save) + expect(subject.selinux).to receive(:save) subject.write_selinux end 
@@ -646,23 +646,45 @@ describe "#read_selinux_settings" do let(:mode) { double("Y2Security::Selinux::Mode", id: :enforcing) } + let(:configurable) { true } before do - allow(subject.selinux_config).to receive(:mode).and_return(mode) + allow(subject.selinux).to receive(:mode).and_return(mode) + allow(subject.selinux).to receive(:configurable?).and_return(configurable) end - it "reads the selinux mode" do - expect(subject.selinux_config).to receive(:mode) + context "when SELinux is configurable" do + it "reads the selinux mode" do + expect(subject.selinux).to receive(:mode) - subject.read_selinux_settings + subject.read_selinux_settings + end + + it "sets the SELINUX_MODE setting" do + expect(Security.Settings["SELINUX_MODE"]).to eq("") + + Security.read_selinux_settings + + expect(Security.Settings["SELINUX_MODE"]).to eq(mode.id.to_s) + end end - it "sets the SELINUX_MODE setting" do - expect(Security.Settings["SELINUX_MODE"]).to eq("") + context "when SELinux is not configurable" do + let(:configurable) { false } - Security.read_selinux_settings + it "does not read the selinux mode" do + expect(subject.selinux).to_not receive(:mode) - expect(Security.Settings["SELINUX_MODE"]).to eq(mode.id.to_s) + subject.read_selinux_settings + end + + it "does not set the SELINUX_MODE setting" do + expect(Security.Settings["SELINUX_MODE"]).to eq("") + + Security.read_selinux_settings + + expect(Security.Settings["SELINUX_MODE"]).to eq("") + end end end @@ -696,7 +718,7 @@ Security.Settings["SYS_UID_MIN"] = 200 Security.Settings["SYS_GID_MIN"] = 200 - allow(subject.selinux_config).to receive(:needed_patterns).and_return(selinux_patterns) + allow(subject.selinux).to receive(:needed_patterns).and_return(selinux_patterns) end it "doest not touch current Settings if given settings are empty" do
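Review bot: In the "when SELinux is not configurable" context, the example "does not set the SELINUX_MODE setting" expects `""` both before and after the call, so it depends on no earlier example having left a mode in the shared `Security.Settings`, and it cannot tell "left untouched" from "reset to empty". Seeding a sentinel makes the assertion independent of example order and pins the intended behaviour: `Security.Settings["SELINUX_MODE"] = "permissive"` before the call and `expect(Security.Settings["SELINUX_MODE"]).to eq("permissive")` after it. The examples also alternate between `subject` and `Security`; the stubs on `subject.selinux` taking effect for `Security.read_selinux_settings` suggests they are the same object, in which case one name throughout would read more clearly. Any reset of `Settings` between examples would be in setup outside this hunk.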