Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yast2-security for openSUSE:Factory checked in at 2022-01-27 23:16:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-security (Old) and /work/SRC/openSUSE:Factory/.yast2-security.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-security" Thu Jan 27 23:16:43 2022 rev:112 rq:949355 version:4.4.10 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-security/yast2-security.changes 2022-01-25 17:36:56.281975684 +0100 +++ /work/SRC/openSUSE:Factory/.yast2-security.new.1898/yast2-security.changes 2022-01-27 23:17:19.198831805 +0100 @@ -1,0 +2,14 @@ +Wed Jan 26 14:01:57 UTC 2022 - Knut Alejandro Anderssen Gonz??lez <kanders...@suse.com> + +Related to jsc#SLE-22069: + - AutoYaST LSM: only allow to select the desired LSM and the + SELinux mode. +- 4.4.10 + +------------------------------------------------------------------- +Tue Jan 25 15:43:01 UTC 2022 - Imobach Gonzalez Sosa <igonzalezs...@suse.com> + +- Use Package module instead of PackageSystem (bsc#1194886). +- 4.4.9 + +------------------------------------------------------------------- Old: ---- yast2-security-4.4.8.tar.bz2 New: ---- yast2-security-4.4.10.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-security.spec ++++++ --- /var/tmp/diff_new_pack.vD54bG/_old 2022-01-27 23:17:19.746828019 +0100 +++ /var/tmp/diff_new_pack.vD54bG/_new 2022-01-27 23:17:19.750827991 +0100 @@ -17,7 +17,7 @@ Name: yast2-security -Version: 4.4.8 +Version: 4.4.10 Release: 0 Summary: YaST2 - Security Configuration License: GPL-2.0-only @@ -37,8 +37,8 @@ BuildRequires: yast2-bootloader BuildRequires: rubygem(%{rb_default_ruby_abi}:rspec) BuildRequires: rubygem(%{rb_default_ruby_abi}:yast-rake) >= 0.2.5 -# CFA::SysctlConfig -BuildRequires: yast2 >= 4.2.66 +# Replace PackageSystem with Package +BuildRequires: yast2 >= 4.4.38 # CFA::Selinux BuildRequires: augeas-lenses # Y2Storage::StorageManager 
@@ -52,8 +52,8 @@ # new Pam.ycp API Requires: yast2-pam >= 2.14.0 -# CFA::SysctlConfig -Requires: yast2 >= 4.2.66 +# Replace PackageSystem with Package +Requires: yast2 >= 4.4.38 Requires: yast2-ruby-bindings >= 1.0.0 # Pam.List Requires: yast2-pam >= 4.3.1 ++++++ yast2-security-4.4.8.tar.bz2 -> yast2-security-4.4.10.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/package/yast2-security.changes new/yast2-security-4.4.10/package/yast2-security.changes --- old/yast2-security-4.4.8/package/yast2-security.changes 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/package/yast2-security.changes 2022-01-27 00:12:16.000000000 +0100 @@ -1,4 +1,18 @@ ------------------------------------------------------------------- +Wed Jan 26 14:01:57 UTC 2022 - Knut Alejandro Anderssen Gonz??lez <kanders...@suse.com> + +Related to jsc#SLE-22069: + - AutoYaST LSM: only allow to select the desired LSM and the + SELinux mode. +- 4.4.10 + +------------------------------------------------------------------- +Tue Jan 25 15:43:01 UTC 2022 - Imobach Gonzalez Sosa <igonzalezs...@suse.com> + +- Use Package module instead of PackageSystem (bsc#1194886). +- 4.4.9 + +------------------------------------------------------------------- Mon Jan 24 09:45:55 UTC 2022 - Knut Anderssen <kanders...@suse.com> - Related to jsc#SLE-22069: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/package/yast2-security.spec new/yast2-security-4.4.10/package/yast2-security.spec --- old/yast2-security-4.4.8/package/yast2-security.spec 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/package/yast2-security.spec 2022-01-27 00:12:16.000000000 +0100 @@ -17,7 +17,7 @@ Name: yast2-security -Version: 4.4.8 +Version: 4.4.10 Release: 0 Group: System/YaST License: GPL-2.0-only 
@@ -37,8 +37,8 @@ BuildRequires: yast2-bootloader BuildRequires: rubygem(%{rb_default_ruby_abi}:yast-rake) >= 0.2.5 BuildRequires: rubygem(%{rb_default_ruby_abi}:rspec) -# CFA::SysctlConfig -BuildRequires: yast2 >= 4.2.66 +# Replace PackageSystem with Package +BuildRequires: yast2 >= 4.4.38 # CFA::Selinux BuildRequires: augeas-lenses # Y2Storage::StorageManager @@ -52,8 +52,8 @@ # new Pam.ycp API Requires: yast2-pam >= 2.14.0 -# CFA::SysctlConfig -Requires: yast2 >= 4.2.66 +# Replace PackageSystem with Package +Requires: yast2 >= 4.4.38 Requires: yast2-ruby-bindings >= 1.0.0 # Pam.List Requires: yast2-pam >= 4.3.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/src/autoyast-rnc/security.rnc new/yast2-security-4.4.10/src/autoyast-rnc/security.rnc --- old/yast2-security-4.4.8/src/autoyast-rnc/security.rnc 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/src/autoyast-rnc/security.rnc 2022-01-27 00:12:16.000000000 +0100 @@ -9,7 +9,9 @@ disable_restart_on_update = element disable_restart_on_update { STRING } disable_stop_on_removal = element disable_stop_on_removal { STRING } extra_services = element extra_services { STRING } -selinux_mode = element selinux_mode { STRING } +selinux_mode = element selinux_mode { "permissive" | "enforcing" | "disabled" } +# Major Linux Security Module to be activated after installation +lsm_select = element lsm_select { "apparmor" | "selinux" | "none" } displaymanager_remote_access = element displaymanager_remote_access { STRING } displaymanager_root_login_remote = element displaymanager_root_login_remote { STRING } displaymanager_shutdown = element displaymanager_shutdown { STRING } @@ -74,6 +76,7 @@ | disable_stop_on_removal | extra_services | selinux_mode + | lsm_select | displaymanager_remote_access | displaymanager_root_login_remote | displaymanager_xserver_tcp_port_6000_open 
@@ -127,45 +130,4 @@ | sec_ip_forward | displaymanager_shutdown | passwd_remember_history - | lsm security = element security { MAP, y2_security* } - -## Whether the module can be proposed/configured during installation -lsm_configurable = element configurable { BOOLEAN } -## Whether the module can be selected during installation -lsm_selectable = element selectable { BOOLEAN } -## Space-separated list of required/suggested patterns for the selected module -lsm_patterns = element patterns { text } - -lsm = element lsm { MAP, - ( - lsm_select? & - lsm_configurable? & - lsm_selectable? & - none? & - selinux? & - apparmor? - ) -} - -# Linux Security Major Module to be activated after installation -lsm_select = element select { "apparmor" | "selinux" | "none" } -lsm_module = - lsm_configurable - | lsm_selectable - | lsm_patterns - -none = element none { MAP, - lsm_selectable? -} - -apparmor = element apparmor { MAP, - lsm_module* -} - -selinux = element selinux { MAP, - ( - lsm_module* - | element mode { STRING }? - )* -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/src/lib/security/ctrl_alt_del_config.rb new/yast2-security-4.4.10/src/lib/security/ctrl_alt_del_config.rb --- old/yast2-security-4.4.8/src/lib/security/ctrl_alt_del_config.rb 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/src/lib/security/ctrl_alt_del_config.rb 2022-01-27 00:12:16.000000000 +0100 
@@ -27,14 +27,14 @@ include Yast::Logger Yast.import "SCR" Yast.import "Arch" - Yast.import "PackageSystem" + Yast.import "Package" Yast.import "FileUtils" SYSTEMD_FILE = "/etc/systemd/system/ctrl-alt-del.target" class << self def systemd? - Yast::PackageSystem.Installed("systemd") + Yast::Package.Installed("systemd") end def default diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/src/lib/y2security/autoinst/lsm_config_reader.rb new/yast2-security-4.4.10/src/lib/y2security/autoinst/lsm_config_reader.rb --- old/yast2-security-4.4.8/src/lib/y2security/autoinst/lsm_config_reader.rb 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/src/lib/y2security/autoinst/lsm_config_reader.rb 2022-01-27 00:12:16.000000000 +0100 @@ -18,21 +18,18 @@ # find current contact information at www.suse.com. require "y2security/lsm/config" -require "y2security/autoinst_profile" +require "y2security/autoinst_profile/security_section" module Y2Security module Autoinst # This class is responsible of reading the Linux Security Module configuration declared in # the AutoYaST profile class LSMConfigReader - # @return [AutoinstProfile::LSMSection] + # @return [AutoinstProfile::SecuritySection] attr_reader :section - # @return [AutoinstProfile::SelinuxSection, AutoinstProfile::ApparmorSection, nil] - attr_reader :module_section - # Constructor # - # @param section [AutoinstProfile::LSMSection] + # @param section [AutoinstProfile::SecuritySection] def initialize(section) @section = section end 
@@ -40,33 +37,27 @@ # Reads the Linux Security Module configuration defined in the profile modifying it # accordingly def read - return unless section + return unless section.lsm_select || section.selinux_mode - config.configurable = section.configurable - config.select(section.select) if section.select - configure_supported_modules + select_module + configure_selinux if selinux? end private - def configure_supported_modules - [:selinux, :apparmor, :none].each do |id| - lsm_module = config.public_send(id) - @module_section = section.public_send(id) - next unless module_section - - assign(lsm_module, :mode) if id == :selinux - assign(lsm_module, :selectable) - next if id == :none - - assign(lsm_module, :configurable) - assign(lsm_module, :patterns) - end + def selinux? + return true if section.lsm_select == "selinux" + + !section.lsm_select && section.selinux_mode + end + + def configure_selinux + config.selinux.mode = section.selinux_mode end - def assign(lsm_module, option) - value = module_section.public_send(option) - lsm_module.public_send("#{option}=", value) unless value.nil? + def select_module + selected = selinux? ? "selinux" : section.lsm_select + config.select(selected) end def config diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/src/lib/y2security/autoinst_profile/apparmor_section.rb new/yast2-security-4.4.10/src/lib/y2security/autoinst_profile/apparmor_section.rb --- old/yast2-security-4.4.8/src/lib/y2security/autoinst_profile/apparmor_section.rb 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/src/lib/y2security/autoinst_profile/apparmor_section.rb 1970-01-01 01:00:00.000000000 +0100 
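Review bot: `configure_selinux` assigns `section.selinux_mode` unconditionally, whereas the removed `assign` helper skipped nil values, so a profile that sets only `lsm_select` to `selinux` now passes nil to `config.selinux.mode=`. What that setter does with nil is not visible in this diff; guarding it with `config.selinux.mode = section.selinux_mode if section.selinux_mode` would keep whatever mode the product already defined. Neither value is checked at this layer: the RNC schema lists the allowed strings, but if a profile is loaded without schema validation an unknown `lsm_select` or `selinux_mode` reaches `config.select` and `mode=` unchanged. A log line in `read` when `config.selected` is still nil after `select_module` would make a mistyped profile visible instead of silently installing without the intended module. The class body starts and ends outside the hunk.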
@@ -1,50 +0,0 @@ -# Copyright (c) [2021] SUSE LLC -# -# All Rights Reserved. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of version 2 of the GNU General Public License as published -# by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, contact SUSE LLC. -# -# To contact SUSE LLC about this file by physical or electronic mail, you may -# find current contact information at www.suse.com. - -require "installation/autoinst_profile/section_with_attributes" - -module Y2Security - module AutoinstProfile - # This class represents an AutoYaST <apparmor> section under <lsm> - # - # <apparmor> - # <configurable config:type="boolean">true</configurable> - # <selectable config:type="boolean">true</selectable> - # <patterns>apparmor</patterns> - # </apparmor> - class ApparmorSection < ::Installation::AutoinstProfile::SectionWithAttributes - def self.attributes - [ - { name: :configurable }, - { name: :selectable }, - { name: :patterns } - ] - end - - define_attr_accessors - - # @!attribute configurable - # @return [Boolean] - # @!attribute selectable - # @return [Boolean] - # @!attribute patterns - # @return [String] - end - end -end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/src/lib/y2security/autoinst_profile/lsm_section.rb new/yast2-security-4.4.10/src/lib/y2security/autoinst_profile/lsm_section.rb --- old/yast2-security-4.4.8/src/lib/y2security/autoinst_profile/lsm_section.rb 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/src/lib/y2security/autoinst_profile/lsm_section.rb 1970-01-01 01:00:00.000000000 
+0100 
@@ -1,75 +0,0 @@ -# Copyright (c) [2021] SUSE LLC -# -# All Rights Reserved. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of version 2 of the GNU General Public License as published -# by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, contact SUSE LLC. -# -# To contact SUSE LLC about this file by physical or electronic mail, you may -# find current contact information at www.suse.com. - -require "installation/autoinst_profile/section_with_attributes" -require "y2security/autoinst_profile/selinux_section" -require "y2security/autoinst_profile/apparmor_section" - -module Y2Security - module AutoinstProfile - # This class represents an AutoYaST <lsm> section - # - # <lsm> - # <select>selinux</select> - # <apparmor> - # <selectable config:type="boolean">false</selectable> - # </apparmor> - # <none> - # <selectable config:type="boolean">false</selectable> - # </none> - # <selinux> - # <mode>permissive</mode> - # <configurable config:type="boolean">true</configurable> - # <patterns>selinux</patterns> - # </selinux> - # </lsm> - class LSMSection < ::Installation::AutoinstProfile::SectionWithAttributes - def self.attributes - [ - { name: :select }, - { name: :configurable }, - { name: :selinux }, - { name: :apparmor }, - { name: :none } - ] - end - - define_attr_accessors - - # @!attribute select - # @return [String] - # @!attribute configurable - # @return [Boolean] - # @!attribute selinux - # @return [SelinuxSection] - # @!attribute apparmor - # @return [ApparmorSection] - - def init_from_hashes(hash) - super - - @selinux = SelinuxSection.new_from_hashes(hash["selinux"], self) if 
hash["selinux"] - @apparmor = ApparmorSection.new_from_hashes(hash["apparmor"], self) if hash["apparmor"] - @none = ApparmorSection.new_from_hashes(hash["none"], self) if hash["none"] - - nil - end - end - end -end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/src/lib/y2security/autoinst_profile/security_section.rb new/yast2-security-4.4.10/src/lib/y2security/autoinst_profile/security_section.rb --- old/yast2-security-4.4.8/src/lib/y2security/autoinst_profile/security_section.rb 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/src/lib/y2security/autoinst_profile/security_section.rb 2022-01-27 00:12:16.000000000 +0100 @@ -18,7 +18,6 @@ # find current contact information at www.suse.com. require "installation/autoinst_profile/section_with_attributes" -require "y2security/autoinst_profile/lsm_section" module Y2Security module AutoinstProfile @@ -26,23 +25,14 @@ # LSM related attributes # # <security> - # <!-- <selinux_mode></selinux_mode> # Deprecated --> - # <lsm> - # <apparmor> - # <selectable config:type="boolean">false</selectable> - # </apparmor> - # <selinux> - # <mode>permissive</mode> - # <configurable config:type="boolean">true</configurable> - # <patterns>selinux</patterns> - # </selinux> - # </lsm> + # <selinux_mode>enforcing</selinux_mode> + # <lsm_select>selinux</lsm_select> # </security> class SecuritySection < ::Installation::AutoinstProfile::SectionWithAttributes def self.attributes [ - { name: :selinux_mode }, # Deprecated - { name: :lsm } + { name: :selinux_mode }, + { name: :lsm_select } ] end 
@@ -50,21 +40,9 @@ # @!attribute selinux_mode # @return [String] SELinux mode to be used - # @deprecated - # - # @!attribute lsm - # @return [LSMSection] - - def init_from_hashes(hash) - super - - # backward compatible with option 'selinux_mode' - hash["lsm"] ||= { "select" => "selinux", "selinux" => { "mode" => @selinux_mode } } if @selinux_mode - - @lsm = LSMSection.new_from_hashes(hash["lsm"], self) if hash["lsm"] - - nil - end + # @!attribute lsm_select + # @return [String] Major Linux Security Module to be used. + # Possible values: apparmor, selinux, none end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/src/lib/y2security/autoinst_profile/selinux_section.rb new/yast2-security-4.4.10/src/lib/y2security/autoinst_profile/selinux_section.rb --- old/yast2-security-4.4.8/src/lib/y2security/autoinst_profile/selinux_section.rb 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/src/lib/y2security/autoinst_profile/selinux_section.rb 1970-01-01 01:00:00.000000000 +0100 
@@ -1,54 +0,0 @@ -# Copyright (c) [2021] SUSE LLC -# -# All Rights Reserved. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of version 2 of the GNU General Public License as published -# by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, contact SUSE LLC. -# -# To contact SUSE LLC about this file by physical or electronic mail, you may -# find current contact information at www.suse.com. - -require "installation/autoinst_profile/section_with_attributes" - -module Y2Security - module AutoinstProfile - # This class represents an AutoYaST <selinux> section under <lsm> - # - # <selinux> - # <mode>permissive</mode> - # <configurable config:type="boolean">true</configurable> - # <selectable config:type="boolean">true</selectable> - # <patterns>selinux</patterns> - # </selinux> - class SelinuxSection < ::Installation::AutoinstProfile::SectionWithAttributes - def self.attributes - [ - { name: :mode }, - { name: :configurable }, - { name: :selectable }, - { name: :patterns } - ] - end - - define_attr_accessors - - # @!attribute mode - # @return [String] - # @!attribute configurable - # @return [Boolean] - # @!attribute selectable - # @return [Boolean] - # @!attribute patterns - # @return [String] - end - end -end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/src/lib/y2security/autoinst_profile.rb new/yast2-security-4.4.10/src/lib/y2security/autoinst_profile.rb --- old/yast2-security-4.4.8/src/lib/y2security/autoinst_profile.rb 2022-01-24 11:04:13.000000000 +0100 +++ 
new/yast2-security-4.4.10/src/lib/y2security/autoinst_profile.rb 2022-01-27 00:12:16.000000000 +0100 @@ -18,6 +18,3 @@ # find current contact information at www.suse.com. require "y2security/autoinst_profile/security_section" -require "y2security/autoinst_profile/lsm_section" -require "y2security/autoinst_profile/selinux_section" -require "y2security/autoinst_profile/apparmor_section" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/src/lib/y2security/lsm/config.rb new/yast2-security-4.4.10/src/lib/y2security/lsm/config.rb --- old/yast2-security-4.4.8/src/lib/y2security/lsm/config.rb 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/src/lib/y2security/lsm/config.rb 2022-01-27 00:12:16.000000000 +0100 @@ -145,6 +145,16 @@ @configurable = product_feature_settings.fetch(:configurable, true) end + # Export AutoYaST LSM configuration + # + # @return [Hash<String, String>] + def export + config = {} + config["lsm_select"] = selected.id.to_s if selected + config["selinux_mode"] = selinux.mode.id.to_s if selected&.id == :selinux + config + end + # Returns the values for the LSM setting from the product features # # @return [Hash{Symbol => Object}] e.g., { selinux: { "selectable" => true } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/src/modules/Security.rb new/yast2-security-4.4.10/src/modules/Security.rb --- old/yast2-security-4.4.8/src/modules/Security.rb 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/src/modules/Security.rb 2022-01-27 00:12:16.000000000 +0100 
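Review bot: `export` calls `selinux.mode.id` without a nil check, so if SELinux can be selected while its mode is unset (this hunk does not show whether it can) the call raises NoMethodError and the whole `Security.Export` merge fails with it. Adding the condition, `config["selinux_mode"] = selinux.mode.id.to_s if selected&.id == :selinux && selinux.mode`, avoids that. The YARD comment could also say when each key is present, for example `# @return [Hash<String, String>] "lsm_select" when a module is selected, plus "selinux_mode" only for SELinux`. The enclosing class starts and ends outside the hunk.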
@@ -797,7 +797,8 @@ settings["PASSWD_USE_PWQUALITY"] = settings.delete("PASSWD_USE_CRACKLIB") end - settings["lsm"] = settings.delete("LSM") if settings.key?("LSM") + settings["lsm_select"] = settings.delete("LSM_SELECT") if settings.key?("LSM_SELECT") + settings["selinux_mode"] = settings.delete("SELINUX_MODE") if settings.key?("SELINUX_MODE") import_lsm_config(settings) @@ -844,7 +845,7 @@ settings["PASSWD_USE_CRACKLIB"] = settings.delete("PASSWD_USE_PWQUALITY") end - settings + settings.merge(lsm_config.export) end # Create a textual summary and a list of unconfigured cards @@ -930,7 +931,7 @@ # @param settings [Hash] profile security settings to be imported. def import_lsm_config(settings) section = Y2Security::AutoinstProfile::SecuritySection.new_from_hashes(settings) - Y2Security::Autoinst::LSMConfigReader.new(section.lsm).read + Y2Security::Autoinst::LSMConfigReader.new(section).read return unless lsm_config.configurable? diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/test/security_test.rb new/yast2-security-4.4.10/test/security_test.rb --- old/yast2-security-4.4.8/test/security_test.rb 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/test/security_test.rb 2022-01-27 00:12:16.000000000 +0100 @@ -311,7 +311,7 @@ context "when systemd is installed" do before do - allow(PackageSystem).to receive(:Installed).with("systemd") { true } + allow(Package).to receive(:Installed).with("systemd") { true } end context "on a non s390 architecture" do 
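Review bot: A profile that still carries the nested `lsm` map accepted by 4.4.8 (or the upper-case `LSM` key) is now ignored without a trace, because only `LSM_SELECT` and `SELINUX_MODE` are mapped here and `SecuritySection` no longer declares `lsm`. An installation from such a profile would presumably end up with the product's default module rather than the one the administrator asked for. A warning next to the two new lines would surface this, for example `log.warn("Ignoring unsupported 'lsm' section in the security profile") if settings.key?("lsm") || settings.key?("LSM")`, assuming the module's logger is in scope at this point. The method body starts and ends outside the hunk.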
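Review bot: In `import_lsm_config` the reader runs before the `return unless lsm_config.configurable?` guard, so a profile can still change the selected module and the SELinux mode on a product whose control file declares LSM as not configurable; only the code after the guard is skipped. Whether `config.select` itself honours the product's `selectable` settings is not visible in this diff. If the control file is meant to be authoritative, move `return unless lsm_config.configurable?` above the `LSMConfigReader.new(section).read` line; otherwise add a comment stating that profiles intentionally override it. The method continues outside the hunk.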
@@ -654,6 +654,19 @@ end end + describe "#Export" do + it "merges LSM settings" do + settings = Security.Export + expect(settings).to_not include("selinux_mode") + expect(settings).to_not include("lsm_select") + Security.lsm_config.selinux.mode = :permissive + Security.lsm_config.select("selinux") + settings = Security.Export + expect(settings["lsm_select"]).to eq("selinux") + expect(settings["selinux_mode"]).to eq("permissive") + end + end + describe "#SafeRead" do it "reads settings" do expect(Security).to receive(:Read).and_return(true) @@ -731,11 +744,12 @@ end end - context "and LSM is declared as no configurable" do + context "and LSM is declared in the control file as no configurable" do it "does not touch resolvables" do + Security.lsm_config.configurable = false expect(Yast::PackagesProposal).to_not receive(:SetResolvables) - Security.Import("lsm" => { "configurable" => false }) + Security.Import("selinux_mode" => "permissive") end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/test/y2security/autoinst/lsm_config_reader_test.rb new/yast2-security-4.4.10/test/y2security/autoinst/lsm_config_reader_test.rb --- old/yast2-security-4.4.8/test/y2security/autoinst/lsm_config_reader_test.rb 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/test/y2security/autoinst/lsm_config_reader_test.rb 2022-01-27 00:12:16.000000000 +0100 
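Review bot: The new `#Export` example first asserts that `lsm_select` and `selinux_mode` are absent, which only holds if no earlier example left a module selected on the shared `Security.lsm_config`; no reset is visible in this hunk. The second hunk in this file sets `Security.lsm_config.configurable = false` inside an example without restoring it, so that state may leak into later examples in the same way. A `before` block that resets the LSM configuration for these two `describe` groups would make them independent of run order. The `configurable = false` example checks only that resolvables are untouched; an added expectation on `Security.lsm_config.selected` would pin down whether the import is meant to change the selection in that case.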
@@ -21,30 +21,9 @@ require "y2security/autoinst/lsm_config_reader" describe Y2Security::Autoinst::LSMConfigReader do - subject { described_class.new(section.lsm) } + subject { described_class.new(section) } let(:lsm) { Y2Security::LSM::Config.instance } - let(:profile) do - { - "lsm" => { - "select" => "selinux", - "configurable" => true, - "selinux" => { - "mode" => "enforcing", - "configurable" => false, - "selectable" => true, - "patterns" => "selinux_pattern" - }, - "apparmor" => { - "configurable" => true, - "selectable" => false, - "patterns" => "apparmor_pattern" - }, - "none" => { - "selectable" => false - } - } - } - end + let(:profile) { { "lsm_select" => "apparmor" } } let(:section) { Y2Security::AutoinstProfile::SecuritySection.new_from_hashes(profile) } before do 
@@ -52,29 +31,22 @@ end describe "#read" do - it "modifies the LSMConfig based on the lsm section" do - expect { subject.read }.to change { lsm.selected&.id }.from(nil).to(:selinux) - .and change { lsm.configurable }.from(nil).to(true) + context "when a LSM is selected" do + it "selects the desired LSM accordingly" do + expect { subject.read }.to change { lsm.selected&.id }.from(nil).to(:apparmor) + end end - context "when it contains a section for some of the supported modules" do - it "modifies the module internal configuration" do - subject.read - selinux = lsm.selinux - - expect(selinux.mode.id.to_s).to eql("enforcing") - expect(selinux.configurable).to eql(false) - expect(selinux.selectable).to eql(true) - expect(selinux.needed_patterns).to eql(["selinux_pattern"]) + context "when a LSM is not selected explicitly but selinux_mode is given" do + let(:profile) { { "selinux_mode" => "disabled" } } - apparmor = lsm.apparmor - - expect(apparmor.configurable).to eql(true) - expect(apparmor.selectable).to eql(false) - expect(apparmor.needed_patterns).to eql(["apparmor_pattern"]) + it "selects SELinux as the desired LSM" do + expect { subject.read }.to change { lsm.selected&.id }.from(nil).to(:selinux) + end - none = lsm.none - expect(none.selectable).to eql(false) + it "sets the SELinux mode" do + subject.read + expect(lsm.selinux.mode.id).to eql(:disabled) end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/test/y2security/autoinst_profile/apparmor_section_test.rb new/yast2-security-4.4.10/test/y2security/autoinst_profile/apparmor_section_test.rb --- old/yast2-security-4.4.8/test/y2security/autoinst_profile/apparmor_section_test.rb 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/test/y2security/autoinst_profile/apparmor_section_test.rb 1970-01-01 01:00:00.000000000 +0100 
@@ -1,40 +0,0 @@ -#!/usr/bin/env rspec -# Copyright (c) [2021] SUSE LLC -# -# All Rights Reserved. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of version 2 of the GNU General Public License as published -# by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, contact SUSE LLC. -# -# To contact SUSE LLC about this file by physical or electronic mail, you may -# find current contact information at www.suse.com. -require_relative "../../test_helper" -require "y2security/autoinst_profile" - -describe Y2Security::AutoinstProfile::ApparmorSection do - let(:profile) do - { - "configurable" => true, - "selectable" => false, - "patterns" => "apparmor_pattern" - } - end - - describe ".new_from_hashes" do - it "sets the section attributes" do - section = described_class.new_from_hashes(profile) - expect(section.configurable).to eq(true) - expect(section.selectable).to eq(false) - expect(section.patterns).to eq("apparmor_pattern") - end - end -end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/test/y2security/autoinst_profile/lsm_section_test.rb new/yast2-security-4.4.10/test/y2security/autoinst_profile/lsm_section_test.rb --- old/yast2-security-4.4.8/test/y2security/autoinst_profile/lsm_section_test.rb 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/test/y2security/autoinst_profile/lsm_section_test.rb 1970-01-01 01:00:00.000000000 +0100 
@@ -1,49 +0,0 @@ -#!/usr/bin/env rspec -# Copyright (c) [2021] SUSE LLC -# -# All Rights Reserved. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of version 2 of the GNU General Public License as published -# by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, contact SUSE LLC. -# -# To contact SUSE LLC about this file by physical or electronic mail, you may -# find current contact information at www.suse.com. -require_relative "../../test_helper" -require "y2security/autoinst_profile" - -describe Y2Security::AutoinstProfile::LSMSection do - let(:profile) do - { - "select" => "selinux", - "configurable" => false, - "selinux" => { - "mode" => "enforcing", - "configurable" => true, - "selectable" => true, - "patterns" => "selinux_pattern" - } - } - end - - describe ".new_from_hashes" do - it "sets the attributes" do - section = described_class.new_from_hashes(profile) - expect(section.select).to eq("selinux") - expect(section.configurable).to eq(false) - end - - it "sets the module section which are present" do - section = described_class.new_from_hashes(profile) - expect(section.selinux).to be_a(Y2Security::AutoinstProfile::SelinuxSection) - end - end -end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/test/y2security/autoinst_profile/security_section_test.rb new/yast2-security-4.4.10/test/y2security/autoinst_profile/security_section_test.rb --- old/yast2-security-4.4.8/test/y2security/autoinst_profile/security_section_test.rb 2022-01-24 11:04:13.000000000 +0100 +++ 
new/yast2-security-4.4.10/test/y2security/autoinst_profile/security_section_test.rb 2022-01-27 00:12:16.000000000 +0100 
@@ -18,37 +18,16 @@ # To contact SUSE LLC about this file by physical or electronic mail, you may # find current contact information at www.suse.com. require_relative "../../test_helper" -require "y2security/autoinst_profile" +require "y2security/autoinst_profile/security_section" describe Y2Security::AutoinstProfile::SecuritySection do - let(:profile) { { "lsm" => { "select" => "selinux" } } } - describe ".new_from_hashes" do - it "sets the lsm section" do - section = described_class.new_from_hashes(profile) - lsm = section.lsm - expect(lsm).to be_a(Y2Security::AutoinstProfile::LSMSection) - expect(lsm.select).to eq("selinux") - expect(lsm.parent).to eq(section) - end + let(:profile) { { "selinux_mode" => "enforcing", "lsm_select" => "selinux" } } - context "when used the old 'selinux_mode' attribute" do - let(:profile) { { "selinux_mode" => "enforcing" } } - - it "sets the selinux_mode attribute" do - section = described_class.new_from_hashes(profile) - expect(section.selinux_mode).to eql("enforcing") - end - - it "sets the lsm section as it was declared with selinux in that mode" do - section = described_class.new_from_hashes(profile) - lsm = section.lsm - expect(lsm).to be_a(Y2Security::AutoinstProfile::LSMSection) - expect(lsm.select).to eq("selinux") - expect(lsm.parent).to eq(section) - selinux = lsm.selinux - expect(selinux.mode).to eq("enforcing") - end + it "sets the supported attributes" do + section = described_class.new_from_hashes(profile) + expect(section.selinux_mode).to eql("enforcing") + expect(section.lsm_select).to eql("selinux") end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/test/y2security/autoinst_profile/selinux_section_test.rb new/yast2-security-4.4.10/test/y2security/autoinst_profile/selinux_section_test.rb --- old/yast2-security-4.4.8/test/y2security/autoinst_profile/selinux_section_test.rb 2022-01-24 11:04:13.000000000 +0100 +++ 
new/yast2-security-4.4.10/test/y2security/autoinst_profile/selinux_section_test.rb 1970-01-01 01:00:00.000000000 +0100 @@ -1,42 +0,0 @@ -#!/usr/bin/env rspec -# Copyright (c) [2021] SUSE LLC -# -# All Rights Reserved. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of version 2 of the GNU General Public License as published -# by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, contact SUSE LLC. -# -# To contact SUSE LLC about this file by physical or electronic mail, you may -# find current contact information at www.suse.com. -require_relative "../../test_helper" -require "y2security/autoinst_profile" - -describe Y2Security::AutoinstProfile::SelinuxSection do - let(:profile) do - { - "mode" => "enforcing", - "configurable" => true, - "selectable" => false, - "patterns" => "selinux_pattern" - } - end - - describe ".new_from_hashes" do - it "sets the section attributes" do - section = described_class.new_from_hashes(profile) - expect(section.mode).to eq("enforcing") - expect(section.configurable).to eq(true) - expect(section.selectable).to eq(false) - expect(section.patterns).to eq("selinux_pattern") - end - end -end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.8/test/y2security/lsm/config_test.rb new/yast2-security-4.4.10/test/y2security/lsm/config_test.rb --- old/yast2-security-4.4.8/test/y2security/lsm/config_test.rb 2022-01-24 11:04:13.000000000 +0100 +++ new/yast2-security-4.4.10/test/y2security/lsm/config_test.rb 2022-01-27 00:12:16.000000000 +0100 
@@ -258,4 +258,29 @@ end end end + + describe "#export" do + context "when there is no LSM selected" do + it "returns an empty hash" do + expect(subject.export).to eql({}) + end + end + + context "when a LSM is selected" do + it "exports the selected LSM" do + subject.select("apparmor") + expect(subject.export).to eql("lsm_select" => "apparmor") + end + + context "and it is SELinux" do + it "also exports the SELInux mode" do + subject.select("selinux") + subject.selinux.mode = :enforcing + settings = subject.export + expect(settings["lsm_select"]).to eql("selinux") + expect(settings["selinux_mode"]).to eql("enforcing") + end + end + end + end end