From af302774827114299e9ab3ad812bb6b336eb2848 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Wed, 3 Feb 2021 12:30:24 +0100 Subject: [PATCH 01/21] add selinux to proposal --- src/lib/y2firewall/clients/proposal.rb | 12 +++++++++++- src/lib/y2firewall/dialogs/proposal.rb | 13 ++++++++++++- src/lib/y2firewall/proposal_settings.rb | 5 +++++ src/lib/y2firewall/widgets/proposal.rb | 24 ++++++++++++++++++++++++ 4 files changed, 52 insertions(+), 2 deletions(-) diff --git a/src/lib/y2firewall/clients/proposal.rb b/src/lib/y2firewall/clients/proposal.rb index c9ad0a4d..329635d6 100644 --- a/src/lib/y2firewall/clients/proposal.rb +++ b/src/lib/y2firewall/clients/proposal.rb @@ -122,7 +122,7 @@ def call_proposal_action_for(link) def proposals # Filter proposals with content [cpu_mitigations_proposal, firewall_proposal, sshd_proposal, - ssh_port_proposal, vnc_fw_proposal].compact + ssh_port_proposal, vnc_fw_proposal, selinux_proposal].compact end # Returns the cpu mitigation part of the bootloader proposal description @@ -218,6 +218,16 @@ def sshd_proposal ) % LINK_ENABLE_SSHD end end + + # Returns the Selinux config description + # @return [String, nil] proposal html text or nil if not configurable + def selinux_proposal + return nil unless @settings.selinux_config.configurable? + + _( + "Selinux Default Policy %s" + ) % @settings.selinux_config.mode.to_human_string + end end end end diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb index c749a6be..a6cd9837 100644 --- a/src/lib/y2firewall/dialogs/proposal.rb +++ b/src/lib/y2firewall/dialogs/proposal.rb @@ -41,7 +41,7 @@ def title end def contents - VBox( + res = VBox( Frame( _("Firewall and SSH service"), HSquash( @@ -55,6 +55,17 @@ def contents ) ) ) + if @settings.selinux_config.configurable? + res.params << Frame( + _("SELinux"), + MarginBox( + 0.5, + 0.5, + VBox( + Widgets::SelinuxPolicy.new(@settings) + ) + ) + ) end def abort_button 
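Review bot: The `if @settings.selinux_config.configurable?` block appended at the end of `contents` in src/lib/y2firewall/dialogs/proposal.rb is never closed, so the file no longer parses, and once an `end` is added the method's last expression is the `if`, which evaluates to nil when SELinux is not configurable instead of the `res` term the dialog needs. Building the child list first avoids both problems: `content = [firewall_frame]`, `content << selinux_frame if @settings.selinux_config.configurable?`, `VBox(*content)`. The `selinux_proposal` hunk in clients/proposal.rb documents its return as "html text" while the body returns a plain formatted string; if the sibling proposals in that file escape the values they interpolate, the mode name should get the same treatment.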
diff --git a/src/lib/y2firewall/proposal_settings.rb b/src/lib/y2firewall/proposal_settings.rb index ae33f635..fc4d9575 100644 --- a/src/lib/y2firewall/proposal_settings.rb +++ b/src/lib/y2firewall/proposal_settings.rb @@ -22,6 +22,7 @@ require "yast" Yast.import "UsersSimple" +require "y2security/selinux_config" module Y2Firewall # Class that stores the proposal settings for firewalld during installation. @@ -39,6 +40,9 @@ class ProposalSettings attr_accessor :open_vnc # [String] Name of the default zone where perform the changes attr_accessor :default_zone + # [Y2Security::SelinuxConfig] selinux configuration. Only temporary for SLE15 SP2, + # for newer code streams it lives in security_setttings in yast2-installation. + attr_accessor :selinux_config # Constructor def initialize @@ -54,6 +58,7 @@ def initialize # FIXME: obtain from Y2Firewall::Firewalld, control file or allow to # chose a different one in the proposal @default_zone = "public" + @selinux_config = Y2Security::SelinuxConfig.new end # Load the default values defined in the control file diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb index 8b831e61..63444bd0 100644 --- a/src/lib/y2firewall/widgets/proposal.rb +++ b/src/lib/y2firewall/widgets/proposal.rb @@ -200,5 +200,29 @@ def help ) end end + + class SelinuxPolicy < CWM::ComboBox + def initialize(settings) + textdomain "firewall" + + @settings = settings + end + + def label + _("SELinux Policy") + end + + def items + @settings.selinux_config.modes.map { |m| [m.id, m.to_human_string] } + end + + def init + self.value = @settings.selinux_config.mode.id + end + + def store + @settings.selinux_config.mode = value + end + end end end From f4e6caf7a145c5a3aad73dbe0b34ff04e52c754a Mon Sep 17 00:00:00 2001 
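Review bot: In `SelinuxPolicy` (src/lib/y2firewall/widgets/proposal.rb) `store` assigns the raw combo `value` to `selinux_config.mode=`, while `init` and `items` work with `mode.id`, so the setter has to accept the id the widget returns rather than a mode object; a comment stating that contract would keep the next reader from "fixing" one side. The class and its constructor carry no documentation; add `# Combo box for choosing the SELinux mode proposed for the installed system` above the class and `# @param settings [Y2Firewall::ProposalSettings]` on `initialize`. The constructor also does not call `super`; whether `CWM::ComboBox` needs it cannot be seen here, so follow whatever the other widgets in this file do.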
From: Josef Reidinger Date: Wed, 3 Feb 2021 12:32:41 +0100 Subject: [PATCH 02/21] write properly settings to bootloader proposal --- src/lib/y2firewall/proposal_settings.rb | 1 + src/lib/y2firewall/widgets/proposal.rb | 1 + 2 files changed, 2 insertions(+) diff --git a/src/lib/y2firewall/proposal_settings.rb b/src/lib/y2firewall/proposal_settings.rb index fc4d9575..0efa479d 100644 --- a/src/lib/y2firewall/proposal_settings.rb +++ b/src/lib/y2firewall/proposal_settings.rb @@ -59,6 +59,7 @@ def initialize # chose a different one in the proposal @default_zone = "public" @selinux_config = Y2Security::SelinuxConfig.new + @selinux_config.save # lets write the proposal to sync the initial state end # Load the default values defined in the control file diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb index 63444bd0..257dd025 100644 --- a/src/lib/y2firewall/widgets/proposal.rb +++ b/src/lib/y2firewall/widgets/proposal.rb @@ -222,6 +222,7 @@ def init def store @settings.selinux_config.mode = value + @settings.selinux_config.save end end end From a9915dea09429b5aa16ba4aeed2a8e12a0c28b36 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Wed, 3 Feb 2021 15:26:26 +0100 Subject: [PATCH 03/21] fix syntax --- src/lib/y2firewall/dialogs/proposal.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb index a6cd9837..4ddfd29a 100644 --- a/src/lib/y2firewall/dialogs/proposal.rb +++ b/src/lib/y2firewall/dialogs/proposal.rb @@ -66,6 +66,7 @@ def contents ) ) ) + end end def abort_button From 5196253f7058e98aab8ddaa97c4a6bbe48d5f0bf Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Wed, 3 Feb 2021 15:57:46 +0100 Subject: [PATCH 04/21] fix return value --- src/lib/y2firewall/dialogs/proposal.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb index 4ddfd29a..e32e15a7 100644 
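Review bot: `@selinux_config.save` in `ProposalSettings#initialize` turns constructing the settings object into a write to the target configuration, and since `ProposalSettings` is accessed as a singleton (`.instance` in the tests) that write happens wherever the object is first touched, including code paths that only read the proposal. Combined with the `save` added to `SelinuxPolicy#store` in the same commit, the mode is persisted once at construction plus once per widget interaction. Persisting a security mode should happen in exactly one place, the installation finish step, so that what gets written is the final value; keep the constructor free of side effects.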
--- a/src/lib/y2firewall/dialogs/proposal.rb +++ b/src/lib/y2firewall/dialogs/proposal.rb @@ -55,6 +55,7 @@ def contents ) ) ) + if @settings.selinux_config.configurable? res.params << Frame( _("SELinux"), @@ -67,6 +68,8 @@ def contents ) ) end + + res end def abort_button From 3146f575099d480a92be41465e777b5acf208e66 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Wed, 3 Feb 2021 16:10:29 +0100 Subject: [PATCH 05/21] improve wording --- src/lib/y2firewall/clients/proposal.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/y2firewall/clients/proposal.rb b/src/lib/y2firewall/clients/proposal.rb index 329635d6..aae84556 100644 --- a/src/lib/y2firewall/clients/proposal.rb +++ b/src/lib/y2firewall/clients/proposal.rb @@ -225,7 +225,7 @@ def selinux_proposal return nil unless @settings.selinux_config.configurable? _( - "Selinux Default Policy %s" + "Selinux Default Policy is %s" ) % @settings.selinux_config.mode.to_human_string end end From 4fee4620b7ab61e364218f75aa22891b920cbe98 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Wed, 3 Feb 2021 20:33:51 +0100 Subject: [PATCH 06/21] fix initial bootloader params as force proposal discards selinux configuration --- src/lib/y2firewall/clients/installation_finish.rb | 1 + src/lib/y2firewall/proposal_settings.rb | 1 - src/lib/y2firewall/widgets/proposal.rb | 1 - 3 files changed, 1 insertion(+), 2 deletions(-) diff --git a/src/lib/y2firewall/clients/installation_finish.rb b/src/lib/y2firewall/clients/installation_finish.rb index 10521131..10f03598 100644 --- a/src/lib/y2firewall/clients/installation_finish.rb +++ b/src/lib/y2firewall/clients/installation_finish.rb @@ -57,6 +57,7 @@ def modes def write Service.Enable("sshd") if @settings.enable_sshd configure_firewall if @firewalld.installed? + @settings.selinux_config.save true end diff --git a/src/lib/y2firewall/proposal_settings.rb b/src/lib/y2firewall/proposal_settings.rb index 0efa479d..fc4d9575 100644 
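Review bot: `InstallationFinish#write` now calls `@settings.selinux_config.save` unconditionally and still returns `true` regardless of what `save` returned, so a failed write of the SELinux mode would be silent and the installed system could boot in a mode other than the one shown in the proposal. The proposal only displays SELinux when `configurable?` is true, so the finish step should be consistent with it: `@settings.selinux_config.save if @settings.selinux_config.configurable?`, and if `save` reports failure (the tests stub it as returning true, so it presumably returns a boolean) log that result rather than discarding it. The enclosing class of `write` is outside the hunk.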
--- a/src/lib/y2firewall/proposal_settings.rb +++ b/src/lib/y2firewall/proposal_settings.rb @@ -59,7 +59,6 @@ def initialize # chose a different one in the proposal @default_zone = "public" @selinux_config = Y2Security::SelinuxConfig.new - @selinux_config.save # lets write the proposal to sync the initial state end # Load the default values defined in the control file diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb index 257dd025..63444bd0 100644 --- a/src/lib/y2firewall/widgets/proposal.rb +++ b/src/lib/y2firewall/widgets/proposal.rb @@ -222,7 +222,6 @@ def init def store @settings.selinux_config.mode = value - @settings.selinux_config.save end end end From 30a5447e85e2df986e2c841ce047fa4d0f139640 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Thu, 4 Feb 2021 10:03:12 +0100 Subject: [PATCH 07/21] add documentation --- src/lib/y2firewall/widgets/proposal.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb index 63444bd0..efb4525d 100644 --- a/src/lib/y2firewall/widgets/proposal.rb +++ b/src/lib/y2firewall/widgets/proposal.rb @@ -201,6 +201,7 @@ def help end end + # widget to set selinux policy class SelinuxPolicy < CWM::ComboBox def initialize(settings) textdomain "firewall" From d56663ae78507e626d7632917d443c731cfc456b Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Thu, 4 Feb 2021 10:33:32 +0100 Subject: [PATCH 08/21] changes and spec adaptation --- Dockerfile | 1 + package/yast2-firewall.changes | 9 ++++++++- package/yast2-firewall.spec | 6 ++++-- test/lib/y2firewall/proposal_settings_test.rb | 4 ++++ 4 files changed, 17 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 159e190b..067bae64 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,4 @@ FROM registry.opensuse.org/yast/sle-15/sp2/containers/yast-ruby +RUN zypper --non-interactive in --no-recommends yast2-security COPY . /usr/src/app 
diff --git a/package/yast2-firewall.changes b/package/yast2-firewall.changes index 5ea89ecc..8f73b6b2 100644 --- a/package/yast2-firewall.changes +++ b/package/yast2-firewall.changes @@ -1,8 +1,15 @@ +------------------------------------------------------------------- +Thu Feb 4 09:14:13 UTC 2021 - Josef Reidinger + +- Add to firewall/security proposal option to setup selinux if + given product require it. (jsc#SLE-17427) +- 4.2.6 + ------------------------------------------------------------------- Fri Oct 16 15:15:49 UTC 2020 - Josef Reidinger - Do not enable firewall during first stage of AutoYaST - (bsc#1177778) + (bsc#1177778) - 4.2.5 ------------------------------------------------------------------- diff --git a/package/yast2-firewall.spec b/package/yast2-firewall.spec index 5e6ad71b..9a1cd810 100644 --- a/package/yast2-firewall.spec +++ b/package/yast2-firewall.spec @@ -17,7 +17,7 @@ Name: yast2-firewall -Version: 4.2.5 +Version: 4.2.6 Release: 0 Summary: YaST2 - Firewall Configuration Group: System/YaST @@ -26,8 +26,10 @@ Url: https://github.com/yast/yast-firewall Source0: %{name}-%{version}.tar.bz2 -BuildRequires: perl-XML-Writer update-desktop-files yast2-testsuite +BuildRequires: update-desktop-files BuildRequires: yast2-devtools >= 4.2.2 +# for proposing selinux +BuildRequires: yast2-security >= 4.2.15 # Removed zone name from common attributes definition BuildRequires: yast2 >= 4.1.67 BuildRequires: rubygem(%rb_default_ruby_abi:yast-rake) diff --git a/test/lib/y2firewall/proposal_settings_test.rb b/test/lib/y2firewall/proposal_settings_test.rb index de70413b..8c383dbf 100755 --- a/test/lib/y2firewall/proposal_settings_test.rb +++ b/test/lib/y2firewall/proposal_settings_test.rb 
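Review bot: The spec hunk only adds `BuildRequires: yast2-security >= 4.2.15`, but src/lib/y2firewall/proposal_settings.rb now does `require "y2security/selinux_config"` at load time, so the installed package needs a matching runtime dependency as well; the `Requires:` section is not part of the hunk, so if it does not already carry `Requires: yast2-security >= 4.2.15` add it, otherwise the proposal fails with a LoadError in the installer rather than at build time. The same hunk drops `perl-XML-Writer` and `yast2-testsuite` from BuildRequires, which the commit message ("changes and spec adaptation") does not explain; a short comment on why they are no longer needed would help. The Dockerfile hunk installs `yast2-security` without any version constraint, so the CI image may end up with an older package than the spec demands.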
@@ -54,6 +54,10 @@ described_class.create_instance end + it "initializes selinux configuration" do + expect(subject.selinux_config).to be_a(Y2Security::SelinuxConfig) + end + context "when firewall has been enabled in the control file" do let(:global_section) { { "enable_firewall" => true, "enable_sshd" => false } } From 5590ccc47ec47e7d86c5026579fe49f56cf1786b Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Thu, 4 Feb 2021 10:49:34 +0100 Subject: [PATCH 09/21] improve tests --- .../y2firewall/clients/installation_finish_test.rb | 4 ++++ test/lib/y2firewall/widgets/proposal_test.rb | 6 ++++++ test/test_helper.rb | 11 +++++++++++ 3 files changed, 21 insertions(+) diff --git a/test/lib/y2firewall/clients/installation_finish_test.rb b/test/lib/y2firewall/clients/installation_finish_test.rb index a3de7e62..7b1b904b 100644 --- a/test/lib/y2firewall/clients/installation_finish_test.rb +++ b/test/lib/y2firewall/clients/installation_finish_test.rb @@ -42,6 +42,10 @@ subject.write end + it "saves selinux policy" do + expect(proposal_settings.selinux_config).to receive(:save) + end + context "when firewalld is not installed" do let(:installed) { false } diff --git a/test/lib/y2firewall/widgets/proposal_test.rb b/test/lib/y2firewall/widgets/proposal_test.rb index 8ace9da4..1b617246 100644 --- a/test/lib/y2firewall/widgets/proposal_test.rb +++ b/test/lib/y2firewall/widgets/proposal_test.rb @@ -330,4 +330,10 @@ end end end + + describe Y2Firewall::Widgets::SelinuxPolicy do + subject { described_class.new(proposal_settings) } + + include_examples "CWM::ComboBox" + end end diff --git a/test/test_helper.rb b/test/test_helper.rb index 20c4cf7e..4ff55464 100644 --- a/test/test_helper.rb +++ b/test/test_helper.rb 
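Review bot: The new example `it "saves selinux policy"` sets `expect(proposal_settings.selinux_config).to receive(:save)` but never invokes `subject.write`, so the message expectation cannot be satisfied and the example fails (or, if it is ever loosened to `allow`, passes without testing anything). Add `subject.write` after the expectation, as the neighbouring example does. The `SelinuxPolicy` example in widgets/proposal_test.rb builds the widget from a `proposal_settings` instance_double that does not yet stub `selinux_config`, so if the shared "CWM::ComboBox" examples call `items` or `init` they will raise on the missing method.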
@@ -44,6 +44,17 @@ def stub_module(name, fake_class = nil) ENV["LANG"] = "en_US.UTF-8" ENV["LC_ALL"] = "en_US.UTF-8" +RSpec.configure do |config| + config.mock_with :rspec do |mocks| + # If you misremember a method name both in code and in tests, + # will save you. + # https://relishapp.com/rspec/rspec-mocks/v/3-0/docs/verifying-doubles/partial-doubles + # + # With graceful degradation for RSpec 2 + mocks.verify_partial_doubles = true if mocks.respond_to?(:verify_partial_doubles=) + end +end + if ENV["COVERAGE"] require "simplecov" SimpleCov.start do From 636ce3e10b2b6c893d7abbd8c1584884530e78b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Knut=20Alejandro=20Anderssen=20Gonz=C3=A1lez?= Date: Fri, 5 Feb 2021 18:01:33 +0000 Subject: [PATCH 10/21] Fix failing unit tests for selinux config --- src/lib/y2firewall/dialogs/proposal.rb | 62 ++++++++++--------- src/lib/y2firewall/proposal_settings.rb | 9 ++- .../clients/installation_finish_test.rb | 5 ++ test/lib/y2firewall/clients/proposal_test.rb | 1 + test/lib/y2firewall/dialogs/proposal_test.rb | 4 ++ test/lib/y2firewall/proposal_settings_test.rb | 16 +++-- test/lib/y2firewall/widgets/proposal_test.rb | 6 ++ test/test_helper.rb | 2 +- 8 files changed, 69 insertions(+), 36 deletions(-) diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb index e32e15a7..a65453ba 100644 --- a/src/lib/y2firewall/dialogs/proposal.rb +++ b/src/lib/y2firewall/dialogs/proposal.rb @@ -41,34 +41,8 @@ def title end def contents - res = VBox( - Frame( - _("Firewall and SSH service"), - HSquash( - MarginBox( - 0.5, - 0.5, - VBox( - Widgets::FirewallSSHProposal.new(@settings) - ) - ) - ) - ) - ) - - if @settings.selinux_config.configurable? - res.params << Frame( - _("SELinux"), - MarginBox( - 0.5, - 0.5, - VBox( - Widgets::SelinuxPolicy.new(@settings) - ) - ) - ) - end - + res = VBox(firewall_ssh_content) + res.params << selinux_content if selinux_configurable? res end 
@@ -91,6 +65,38 @@ def disable_buttons protected + def selinux_configurable? + @settings.selinux_config.configurable? + end + + def firewall_ssh_content + Frame( + _("Firewall and SSH service"), + HSquash( + MarginBox( + 0.5, + 0.5, + VBox( + Widgets::FirewallSSHProposal.new(@settings) + ) + ) + ) + ) + end + + def selinux_content + Frame( + _("SELinux"), + MarginBox( + 0.5, + 0.5, + VBox( + Widgets::SelinuxPolicy.new(@settings) + ) + ) + ) + end + # Hostname of the current system. # # Getting the hostname is sometimes a little bit slow, so the value is diff --git a/src/lib/y2firewall/proposal_settings.rb b/src/lib/y2firewall/proposal_settings.rb index fc4d9575..5e24b3b5 100644 --- a/src/lib/y2firewall/proposal_settings.rb +++ b/src/lib/y2firewall/proposal_settings.rb @@ -40,8 +40,6 @@ class ProposalSettings attr_accessor :open_vnc # [String] Name of the default zone where perform the changes attr_accessor :default_zone - # [Y2Security::SelinuxConfig] selinux configuration. Only temporary for SLE15 SP2, - # for newer code streams it lives in security_setttings in yast2-installation. attr_accessor :selinux_config # Constructor @@ -58,7 +56,6 @@ def initialize # FIXME: obtain from Y2Firewall::Firewalld, control file or allow to # chose a different one in the proposal @default_zone = "public" - @selinux_config = Y2Security::SelinuxConfig.new end # Load the default values defined in the control file @@ -127,6 +124,12 @@ def close_vnc! self.open_vnc = false end + # @return [Y2Security::SelinuxConfig] selinux configuration. Only temporary for SLE15 SP2, + # for newer code streams it lives in security_setttings in yast2-installation. + def selinux_config + @selinux_config ||= Y2Security::SelinuxConfig.new + end + private def load_feature(feature, to, source: global_section) diff --git a/test/lib/y2firewall/clients/installation_finish_test.rb b/test/lib/y2firewall/clients/installation_finish_test.rb index 7b1b904b..2abb63cb 100644 
--- a/test/lib/y2firewall/clients/installation_finish_test.rb +++ b/test/lib/y2firewall/clients/installation_finish_test.rb @@ -8,10 +8,12 @@ describe Y2Firewall::Clients::InstallationFinish do before do allow_any_instance_of(Y2Firewall::Firewalld::Api).to receive(:running?).and_return(false) + allow(Y2Security::SelinuxConfig).to receive(:new).and_return(selinux_config) end let(:proposal_settings) { Y2Firewall::ProposalSettings.instance } let(:firewalld) { Y2Firewall::Firewalld.instance } + let(:selinux_config) { double("SelinuxConfig", save: true, configurable?: true) } describe "#title" do it "returns translated string" do @@ -33,6 +35,7 @@ allow(proposal_settings).to receive(:enable_sshd).and_return(enable_sshd) allow(firewalld).to receive(:installed?).and_return(installed) allow(proposal_settings).to receive(:open_ssh).and_return(false) + allow(proposal_settings).to receive(:selinux_config).and_return(selinux_config) end it "enables the sshd service if enabled in the proposal" do @@ -44,6 +47,8 @@ it "saves selinux policy" do expect(proposal_settings.selinux_config).to receive(:save) + + subject.write end context "when firewalld is not installed" do diff --git a/test/lib/y2firewall/clients/proposal_test.rb b/test/lib/y2firewall/clients/proposal_test.rb index b25a38cd..14186e20 100644 --- a/test/lib/y2firewall/clients/proposal_test.rb +++ b/test/lib/y2firewall/clients/proposal_test.rb @@ -30,6 +30,7 @@ before do # skip bootloader proposal to avoid build dependency on it allow(subject).to receive(:cpu_mitigations_proposal) + allow(subject).to receive(:selinux_proposal) end describe "#initialize" do diff --git a/test/lib/y2firewall/dialogs/proposal_test.rb b/test/lib/y2firewall/dialogs/proposal_test.rb index 58da98eb..7aae13e6 100644 --- a/test/lib/y2firewall/dialogs/proposal_test.rb +++ b/test/lib/y2firewall/dialogs/proposal_test.rb 
@@ -29,5 +29,9 @@ subject { described_class.new(settings) } + before do + allow(subject).to receive(:selinux_configurable?).and_return(false) + end + include_examples "CWM::Dialog" end diff --git a/test/lib/y2firewall/proposal_settings_test.rb b/test/lib/y2firewall/proposal_settings_test.rb index 8c383dbf..c8f329f6 100755 --- a/test/lib/y2firewall/proposal_settings_test.rb +++ b/test/lib/y2firewall/proposal_settings_test.rb @@ -54,10 +54,6 @@ described_class.create_instance end - it "initializes selinux configuration" do - expect(subject.selinux_config).to be_a(Y2Security::SelinuxConfig) - end - context "when firewall has been enabled in the control file" do let(:global_section) { { "enable_firewall" => true, "enable_sshd" => false } } @@ -110,6 +106,18 @@ end end + describe "#selinux_config" do + let(:selinux_config) { double("Y2Security::SelinuxConfig") } + + before do + allow(Y2Security::SelinuxConfig).to receive(:new).and_return(selinux_config) + end + + it "returns a SelinuxConfig object" do + expect(subject.selinux_config).to eq(selinux_config) + end + end + describe "#enable_firewall!" do it "sets firewalld service to be enabled" do allow(Yast::PackagesProposal).to receive("AddResolvables") diff --git a/test/lib/y2firewall/widgets/proposal_test.rb b/test/lib/y2firewall/widgets/proposal_test.rb index 1b617246..f24a3c2f 100644 --- a/test/lib/y2firewall/widgets/proposal_test.rb +++ b/test/lib/y2firewall/widgets/proposal_test.rb @@ -334,6 +334,12 @@ describe Y2Firewall::Widgets::SelinuxPolicy do subject { described_class.new(proposal_settings) } + let(:selinux_config) { instance_double("Y2Security::SelinuxConfig", modes: []) } + + before do + allow(proposal_settings).to receive(:selinux_config).and_return(selinux_config) + end + include_examples "CWM::ComboBox" end end diff --git a/test/test_helper.rb b/test/test_helper.rb index 4ff55464..6496113f 100644 --- a/test/test_helper.rb +++ b/test/test_helper.rb 
@@ -35,7 +35,7 @@ def stub_module(name, fake_class = nil) end # stub classes from other modules to speed up a build -stub_module("AutoInstall") +stub_module("AutoInstall", Class.new { def issues_list; []; end }) # rubocop:disable Style/SingleLineMethods # rubocop:disable Style/MethodName stub_module("UsersSimple", Class.new { def self.GetRootPassword; "secret"; end }) From 788f4efa8dfd3dcc0d039755816002e925d1d68d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20D=C3=ADaz=20Gonz=C3=A1lez?= Date: Thu, 11 Feb 2021 14:57:48 +0000 Subject: [PATCH 11/21] Use Y2Security::Selinux instead of Y2Security::SelinuxConfig Because it was renamed in yast2-security 4.2.16. Remove some no longer needed mocking too. --- src/lib/y2firewall/proposal_settings.rb | 13 ++++++++----- .../y2firewall/clients/installation_finish_test.rb | 4 +--- test/lib/y2firewall/proposal_settings_test.rb | 10 ++-------- test/lib/y2firewall/widgets/proposal_test.rb | 10 +++------- 4 files changed, 14 insertions(+), 23 deletions(-) diff --git a/src/lib/y2firewall/proposal_settings.rb b/src/lib/y2firewall/proposal_settings.rb index 5e24b3b5..a24c9f72 100644 --- a/src/lib/y2firewall/proposal_settings.rb +++ b/src/lib/y2firewall/proposal_settings.rb @@ -22,7 +22,7 @@ require "yast" Yast.import "UsersSimple" -require "y2security/selinux_config" +require "y2security/selinux" module Y2Firewall # Class that stores the proposal settings for firewalld during installation. @@ -40,7 +40,6 @@ class ProposalSettings attr_accessor :open_vnc # [String] Name of the default zone where perform the changes attr_accessor :default_zone - attr_accessor :selinux_config # Constructor def initialize 
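Review bot: `require "y2security/selinux"` replaces the old file name because, per the commit message, it was renamed in yast2-security 4.2.16, but the package spec in this commit still states `BuildRequires: yast2-security >= 4.2.15`, so a build against 4.2.15 would pass dependency resolution and then fail at require time. Bump the spec in the same commit that changes the require (and the runtime `Requires:` if one exists), so the dependency bound and the code never disagree during a bisect. Removing `attr_accessor :selinux_config` also removes the writer the tests used to inject doubles; the remaining tests construct a real `Y2Security::Selinux`, which is fine only as long as that class does not touch the system on construction — worth confirming.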
@@ -124,10 +123,14 @@ def close_vnc! self.open_vnc = false end - # @return [Y2Security::SelinuxConfig] selinux configuration. Only temporary for SLE15 SP2, - # for newer code streams it lives in security_setttings in yast2-installation. + # Returns a SELinux configuration handler + # + # @note this is here only for SLE-15-SP2 and derivated products. Newer code + # streams will have it in the yast2-installation -> security settings + # + # @return [Y2Security::Selinux] the SELinux config handler def selinux_config - @selinux_config ||= Y2Security::SelinuxConfig.new + @selinux_config ||= Y2Security::Selinux.new end private diff --git a/test/lib/y2firewall/clients/installation_finish_test.rb b/test/lib/y2firewall/clients/installation_finish_test.rb index 2abb63cb..735d2f2b 100644 --- a/test/lib/y2firewall/clients/installation_finish_test.rb +++ b/test/lib/y2firewall/clients/installation_finish_test.rb @@ -8,12 +8,10 @@ describe Y2Firewall::Clients::InstallationFinish do before do allow_any_instance_of(Y2Firewall::Firewalld::Api).to receive(:running?).and_return(false) - allow(Y2Security::SelinuxConfig).to receive(:new).and_return(selinux_config) end let(:proposal_settings) { Y2Firewall::ProposalSettings.instance } let(:firewalld) { Y2Firewall::Firewalld.instance } - let(:selinux_config) { double("SelinuxConfig", save: true, configurable?: true) } describe "#title" do it "returns translated string" do @@ -35,7 +33,7 @@ allow(proposal_settings).to receive(:enable_sshd).and_return(enable_sshd) allow(firewalld).to receive(:installed?).and_return(installed) allow(proposal_settings).to receive(:open_ssh).and_return(false) - allow(proposal_settings).to receive(:selinux_config).and_return(selinux_config) + allow(proposal_settings.selinux_config).to receive(:save).and_return(true) end it "enables the sshd service if enabled in the proposal" do 
diff --git a/test/lib/y2firewall/proposal_settings_test.rb b/test/lib/y2firewall/proposal_settings_test.rb index c8f329f6..5ba70b8b 100755 --- a/test/lib/y2firewall/proposal_settings_test.rb +++ b/test/lib/y2firewall/proposal_settings_test.rb @@ -107,14 +107,8 @@ end describe "#selinux_config" do - let(:selinux_config) { double("Y2Security::SelinuxConfig") } - - before do - allow(Y2Security::SelinuxConfig).to receive(:new).and_return(selinux_config) - end - - it "returns a SelinuxConfig object" do - expect(subject.selinux_config).to eq(selinux_config) + it "returns a Y2Security::Selinux instance" do + expect(subject.selinux_config).to be_a(Y2Security::Selinux) end end diff --git a/test/lib/y2firewall/widgets/proposal_test.rb b/test/lib/y2firewall/widgets/proposal_test.rb index f24a3c2f..34671769 100644 --- a/test/lib/y2firewall/widgets/proposal_test.rb +++ b/test/lib/y2firewall/widgets/proposal_test.rb @@ -30,10 +30,12 @@ end describe Y2Firewall::Widgets do + let(:selinux_config) { instance_double(Y2Security::Selinux, modes: []) } + let(:proposal_settings) do instance_double( Y2Firewall::ProposalSettings, enable_firewall: true, enable_sshd: true, - open_ssh: true, open_vnc: true + open_ssh: true, open_vnc: true, selinux_config: selinux_config ) end @@ -334,12 +336,6 @@ describe Y2Firewall::Widgets::SelinuxPolicy do subject { described_class.new(proposal_settings) } - let(:selinux_config) { instance_double("Y2Security::SelinuxConfig", modes: []) } - - before do - allow(proposal_settings).to receive(:selinux_config).and_return(selinux_config) - end - include_examples "CWM::ComboBox" end end From 054cd1774411c488f3d3e3ede40b8396edb5a175 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20D=C3=ADaz=20Gonz=C3=A1lez?= Date: Thu, 11 Feb 2021 15:01:07 +0000 Subject: [PATCH 12/21] Fix Rubocop offenses --- test/test_helper.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/test_helper.rb b/test/test_helper.rb index 6496113f..841bfb1c 100644 
--- a/test/test_helper.rb +++ b/test/test_helper.rb @@ -35,10 +35,12 @@ def stub_module(name, fake_class = nil) end # stub classes from other modules to speed up a build -stub_module("AutoInstall", Class.new { def issues_list; []; end }) # rubocop:disable Style/SingleLineMethods # rubocop:disable Style/MethodName +stub_module("AutoInstall", Class.new { def issues_list; []; end }) stub_module("UsersSimple", Class.new { def self.GetRootPassword; "secret"; end }) +# rubocop:enable Style/SingleLineMethods +# rubocop:enable Style/MethodName # some tests have translatable messages ENV["LANG"] = "en_US.UTF-8" From 1898baece234255f049b26826bf7cbbcd7cea404 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20D=C3=ADaz=20Gonz=C3=A1lez?= Date: Thu, 11 Feb 2021 15:03:52 +0000 Subject: [PATCH 13/21] Rename SelinuxPolicy to SelinuxMode Actually what we are setting is the SELinux mode, not its policies. --- src/lib/y2firewall/clients/proposal.rb | 2 +- src/lib/y2firewall/dialogs/proposal.rb | 2 +- src/lib/y2firewall/widgets/proposal.rb | 6 +++--- test/lib/y2firewall/clients/installation_finish_test.rb | 2 +- test/lib/y2firewall/widgets/proposal_test.rb | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/lib/y2firewall/clients/proposal.rb b/src/lib/y2firewall/clients/proposal.rb index aae84556..a4ecc9d5 100644 --- a/src/lib/y2firewall/clients/proposal.rb +++ b/src/lib/y2firewall/clients/proposal.rb @@ -225,7 +225,7 @@ def selinux_proposal return nil unless @settings.selinux_config.configurable? _( - "Selinux Default Policy is %s" + "Selinux Default Mode is %s" ) % @settings.selinux_config.mode.to_human_string end end diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb index a65453ba..f701a798 100644 --- a/src/lib/y2firewall/dialogs/proposal.rb +++ b/src/lib/y2firewall/dialogs/proposal.rb @@ -91,7 +91,7 @@ def selinux_content 0.5, 0.5, VBox( - Widgets::SelinuxPolicy.new(@settings) + Widgets::SelinuxMode.new(@settings) ) ) ) 
diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb index efb4525d..8fe4303f 100644 --- a/src/lib/y2firewall/widgets/proposal.rb +++ b/src/lib/y2firewall/widgets/proposal.rb @@ -201,8 +201,8 @@ def help end end - # widget to set selinux policy - class SelinuxPolicy < CWM::ComboBox + # Widget to set SELinux mode + class SelinuxMode < CWM::ComboBox def initialize(settings) textdomain "firewall" @@ -210,7 +210,7 @@ def initialize(settings) end def label - _("SELinux Policy") + _("SELinux Mode") end def items diff --git a/test/lib/y2firewall/clients/installation_finish_test.rb b/test/lib/y2firewall/clients/installation_finish_test.rb index 735d2f2b..3602ea00 100644 --- a/test/lib/y2firewall/clients/installation_finish_test.rb +++ b/test/lib/y2firewall/clients/installation_finish_test.rb @@ -43,7 +43,7 @@ subject.write end - it "saves selinux policy" do + it "saves selinux config" do expect(proposal_settings.selinux_config).to receive(:save) subject.write diff --git a/test/lib/y2firewall/widgets/proposal_test.rb b/test/lib/y2firewall/widgets/proposal_test.rb index 34671769..773da7e8 100644 --- a/test/lib/y2firewall/widgets/proposal_test.rb +++ b/test/lib/y2firewall/widgets/proposal_test.rb @@ -333,7 +333,7 @@ end end - describe Y2Firewall::Widgets::SelinuxPolicy do + describe Y2Firewall::Widgets::SelinuxMode do subject { described_class.new(proposal_settings) } include_examples "CWM::ComboBox" From 28a5e4ae385c2e839145000dabcfba3d9a3aebaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20D=C3=ADaz=20Gonz=C3=A1lez?= Date: Thu, 11 Feb 2021 15:18:48 +0000 Subject: [PATCH 14/21] Update and the proposal dialog Adding more unit tests to check if Y2Firewall::Widgets::SelinuxMode is rendered when expected. --- src/lib/y2firewall/dialogs/proposal.rb | 7 +++-- test/lib/y2firewall/dialogs/proposal_test.rb | 29 ++++++++++++++++++-- 2 files changed, 30 insertions(+), 6 deletions(-) 
diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb index f701a798..d414e278 100644 --- a/src/lib/y2firewall/dialogs/proposal.rb +++ b/src/lib/y2firewall/dialogs/proposal.rb @@ -41,9 +41,10 @@ def title end def contents - res = VBox(firewall_ssh_content) - res.params << selinux_content if selinux_configurable? - res + content = [firewall_ssh_content] + content << selinux_content if selinux_configurable? + + VBox(*content) end def abort_button diff --git a/test/lib/y2firewall/dialogs/proposal_test.rb b/test/lib/y2firewall/dialogs/proposal_test.rb index 7aae13e6..9fc792be 100644 --- a/test/lib/y2firewall/dialogs/proposal_test.rb +++ b/test/lib/y2firewall/dialogs/proposal_test.rb @@ -25,13 +25,36 @@ require "y2firewall/dialogs/proposal" describe Y2Firewall::Dialogs::Proposal do - let(:settings) { instance_double("Y2Firewall::ProposalSettings") } - subject { described_class.new(settings) } + let(:settings) { instance_double("Y2Firewall::ProposalSettings") } + let(:selinux_configurable) { false } + before do - allow(subject).to receive(:selinux_configurable?).and_return(false) + allow(subject).to receive(:selinux_configurable?) + .and_return(selinux_configurable) end include_examples "CWM::Dialog" + + describe "#contents" do + let(:widgets) { Yast::CWM.widgets_in_contents([subject.contents]) } + let(:selinux_mode_widget) { widgets.find { |w| w.is_a?(Y2Firewall::Widgets::SelinuxMode) } } + + context "when SELinux is set to be configurable" do + let(:selinux_configurable) { true } + + it "contains the Y2Firewall::Widgets::SelinuxMode content" do + expect(selinux_mode_widget).to_not be_nil + end + end + + context "when SELinux is set to not be configurable" do + let(:selinux_configurable) { false } + + it "does not contain the Y2Firewall::Widgets::SelinuxMode content" do + expect(selinux_mode_widget).to be_nil + end + end + end end From f5947a5852088732a446244c9f9e5a35fb2c00ac Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?David=20D=C3=ADaz=20Gonz=C3=A1lez?= Date: Thu, 11 Feb 2021 15:23:08 +0000 Subject: [PATCH 15/21] Update dependency --- package/yast2-firewall.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/yast2-firewall.spec b/package/yast2-firewall.spec index 9a1cd810..2f809b98 100644 --- a/package/yast2-firewall.spec +++ b/package/yast2-firewall.spec @@ -29,7 +29,7 @@ Source0: %{name}-%{version}.tar.bz2 BuildRequires: update-desktop-files BuildRequires: yast2-devtools >= 4.2.2 # for proposing selinux -BuildRequires: yast2-security >= 4.2.15 +BuildRequires: yast2-security >= 4.2.16 # Removed zone name from common attributes definition BuildRequires: yast2 >= 4.1.67 BuildRequires: rubygem(%rb_default_ruby_abi:yast-rake) From 13d72b3fb89b984f3bd385da74b3891c248b05ce Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Thu, 11 Feb 2021 20:16:59 +0100 Subject: [PATCH 16/21] implement needed pattern for selinux --- src/lib/y2firewall/clients/proposal.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/lib/y2firewall/clients/proposal.rb b/src/lib/y2firewall/clients/proposal.rb index a4ecc9d5..eebe9bd4 100644 --- a/src/lib/y2firewall/clients/proposal.rb +++ b/src/lib/y2firewall/clients/proposal.rb @@ -224,6 +224,10 @@ def sshd_proposal def selinux_proposal return nil unless @settings.selinux_config.configurable? + # add required patterns + Yast.import "PackagesProposal" + Yast::PackagesProposal.SetResolvables("SELinux", :pattern, @settings.selinux_config.needed_patterns) + _( "Selinux Default Mode is %s" ) % @settings.selinux_config.mode.to_human_string From 222cc65d2abc2bbfc014e4b19939f3600cba46ac Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Thu, 11 Feb 2021 23:00:23 +0100 Subject: [PATCH 17/21] make rubocop happy --- src/lib/y2firewall/clients/proposal.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
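Review bot: `selinux_proposal` is documented as returning the proposal description, but the hunk makes it also call `Yast::PackagesProposal.SetResolvables("SELinux", :pattern, ...)`, so the package selection changes as a side effect of rendering text, on every call of `proposals`. Register the patterns where the proposal is made (the firewall resolvables are added from `ProposalSettings`, outside this hunk) and keep this method a pure description; otherwise at least record the side effect in the method comment, `# Side effect: registers the SELinux patterns in PackagesProposal`. `Yast.import "PackagesProposal"` inside the method is also unlike the rest of the file, which imports at the top (compare `Yast.import "UsersSimple"` in proposal_settings.rb); move it next to the other imports. If `configurable?` can flip from true to false between calls, the previously registered patterns are never removed and a `RemoveResolvables` on the non-configurable path would be needed.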
diff --git a/src/lib/y2firewall/clients/proposal.rb b/src/lib/y2firewall/clients/proposal.rb index eebe9bd4..d5dd009d 100644 --- a/src/lib/y2firewall/clients/proposal.rb +++ b/src/lib/y2firewall/clients/proposal.rb @@ -226,7 +226,8 @@ def selinux_proposal # add required patterns Yast.import "PackagesProposal" - Yast::PackagesProposal.SetResolvables("SELinux", :pattern, @settings.selinux_config.needed_patterns) + Yast::PackagesProposal.SetResolvables("SELinux", :pattern, + @settings.selinux_config.needed_patterns) _( "Selinux Default Mode is %s" From 310cbb69f704c86df1f5cd3622794cef69b08f0a Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Thu, 11 Feb 2021 23:16:13 +0100 Subject: [PATCH 18/21] try improved layout --- src/lib/y2firewall/dialogs/proposal.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb index d414e278..9c4da500 100644 --- a/src/lib/y2firewall/dialogs/proposal.rb +++ b/src/lib/y2firewall/dialogs/proposal.rb @@ -44,7 +44,7 @@ def contents content = [firewall_ssh_content] content << selinux_content if selinux_configurable? - VBox(*content) + HVCenter(Left(VBox(*content))) end def abort_button From 369bb15411f2c32a4c0f3db31816e2a94cea5862 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Fri, 12 Feb 2021 09:24:24 +0100 Subject: [PATCH 19/21] another attempt for better layout --- src/lib/y2firewall/dialogs/proposal.rb | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb index 9c4da500..39c7c472 100644 --- a/src/lib/y2firewall/dialogs/proposal.rb +++ b/src/lib/y2firewall/dialogs/proposal.rb 
@@ -41,10 +41,18 @@ def title end def contents - content = [firewall_ssh_content] - content << selinux_content if selinux_configurable? - - HVCenter(Left(VBox(*content))) + content = [Left(firewall_ssh_content)] + content << Left(selinux_content) if selinux_configurable? + + HBox( + HStretch(), + VBox( + VStretch(), + *content, + VStretch() + ), + HStretch() + ) end def abort_button From 432e112f72df82f8021974ad37465311d8ec1e91 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Fri, 12 Feb 2021 17:45:17 +0100 Subject: [PATCH 20/21] changes from review and help text --- package/yast2-firewall.spec | 2 +- src/lib/y2firewall/widgets/proposal.rb | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/package/yast2-firewall.spec b/package/yast2-firewall.spec index 2f809b98..aa6ad5c7 100644 --- a/package/yast2-firewall.spec +++ b/package/yast2-firewall.spec @@ -29,7 +29,7 @@ Source0: %{name}-%{version}.tar.bz2 BuildRequires: update-desktop-files BuildRequires: yast2-devtools >= 4.2.2 # for proposing selinux -BuildRequires: yast2-security >= 4.2.16 +BuildRequires: yast2-security >= 4.2.17 # Removed zone name from common attributes definition BuildRequires: yast2 >= 4.1.67 BuildRequires: rubygem(%rb_default_ruby_abi:yast-rake) diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb index 8fe4303f..16c8bb8c 100644 --- a/src/lib/y2firewall/widgets/proposal.rb +++ b/src/lib/y2firewall/widgets/proposal.rb @@ -210,7 +210,8 @@ def initialize(settings) end def label - _("SELinux Mode") + # TRANSLATORS: SELinu Mode just SELinux is already content of frame. + _("Mode") end def items @@ -224,6 +225,18 @@ def init def store @settings.selinux_config.mode = value end + + def help + _( + "

Sets default selinux mode. Modes are:

    " \ + "
  • Enforcing the state that enforces SELinux security policy. "\ + "Access is denied to users and programs unless permitted by " \ + "SELinux security policy rules. All denial messages are logged.
  • "\ + "Permissive is a diagnostic state. The security policy rules are " \ + "not enforced, but SELinux sends denial messages to a log file." \ + "Disabled SELinux does not enforce a security policy.

" + ) + end end end end From 4c1d0ef2db1f982959124186dbd374d722369773 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Fri, 12 Feb 2021 18:52:18 +0100 Subject: [PATCH 21/21] Update src/lib/y2firewall/widgets/proposal.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: David Díaz <1691872+dgdavid@users.noreply.github.com> --- src/lib/y2firewall/widgets/proposal.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb index 16c8bb8c..efabba8e 100644 --- a/src/lib/y2firewall/widgets/proposal.rb +++ b/src/lib/y2firewall/widgets/proposal.rb @@ -228,7 +228,7 @@ def store def help _( - "

Sets default selinux mode. Modes are:

    " \ + "

    Sets default SELinux mode. Modes are:

      " \ "
    • Enforcing the state that enforces SELinux security policy. "\ "Access is denied to users and programs unless permitted by " \ "SELinux security policy rules. All denial messages are logged.
    • "\