From af302774827114299e9ab3ad812bb6b336eb2848 Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Wed, 3 Feb 2021 12:30:24 +0100
Subject: [PATCH 01/21] add selinux to proposal
---
src/lib/y2firewall/clients/proposal.rb | 12 +++++++++++-
src/lib/y2firewall/dialogs/proposal.rb | 13 ++++++++++++-
src/lib/y2firewall/proposal_settings.rb | 5 +++++
src/lib/y2firewall/widgets/proposal.rb | 24 ++++++++++++++++++++++++
4 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/src/lib/y2firewall/clients/proposal.rb b/src/lib/y2firewall/clients/proposal.rb
index c9ad0a4d..329635d6 100644
--- a/src/lib/y2firewall/clients/proposal.rb
+++ b/src/lib/y2firewall/clients/proposal.rb
@@ -122,7 +122,7 @@ def call_proposal_action_for(link)
def proposals
# Filter proposals with content
[cpu_mitigations_proposal, firewall_proposal, sshd_proposal,
- ssh_port_proposal, vnc_fw_proposal].compact
+ ssh_port_proposal, vnc_fw_proposal, selinux_proposal].compact
end
# Returns the cpu mitigation part of the bootloader proposal description
@@ -218,6 +218,16 @@ def sshd_proposal
) % LINK_ENABLE_SSHD
end
end
+
+ # Returns the Selinux config description
+ # @return [String, nil] proposal html text or nil if not configurable
+ def selinux_proposal
+ return nil unless @settings.selinux_config.configurable?
+
+ _(
+ "Selinux Default Policy %s"
+ ) % @settings.selinux_config.mode.to_human_string
+ end
end
end
end
diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb
index c749a6be..a6cd9837 100644
--- a/src/lib/y2firewall/dialogs/proposal.rb
+++ b/src/lib/y2firewall/dialogs/proposal.rb
@@ -41,7 +41,7 @@ def title
end
def contents
- VBox(
+ res = VBox(
Frame(
_("Firewall and SSH service"),
HSquash(
@@ -55,6 +55,17 @@ def contents
)
)
)
+ if @settings.selinux_config.configurable?
+ res.params << Frame(
+ _("SELinux"),
+ MarginBox(
+ 0.5,
+ 0.5,
+ VBox(
+ Widgets::SelinuxPolicy.new(@settings)
+ )
+ )
+ )
end
def abort_button
diff --git a/src/lib/y2firewall/proposal_settings.rb b/src/lib/y2firewall/proposal_settings.rb
index ae33f635..fc4d9575 100644
--- a/src/lib/y2firewall/proposal_settings.rb
+++ b/src/lib/y2firewall/proposal_settings.rb
@@ -22,6 +22,7 @@
require "yast"
Yast.import "UsersSimple"
+require "y2security/selinux_config"
module Y2Firewall
# Class that stores the proposal settings for firewalld during installation.
@@ -39,6 +40,9 @@ class ProposalSettings
attr_accessor :open_vnc
# [String] Name of the default zone where perform the changes
attr_accessor :default_zone
+ # [Y2Security::SelinuxConfig] selinux configuration. Only temporary for SLE15 SP2,
+ # for newer code streams it lives in security_setttings in yast2-installation.
+ attr_accessor :selinux_config
# Constructor
def initialize
@@ -54,6 +58,7 @@ def initialize
# FIXME: obtain from Y2Firewall::Firewalld, control file or allow to
# chose a different one in the proposal
@default_zone = "public"
+ @selinux_config = Y2Security::SelinuxConfig.new
end
# Load the default values defined in the control file
diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb
index 8b831e61..63444bd0 100644
--- a/src/lib/y2firewall/widgets/proposal.rb
+++ b/src/lib/y2firewall/widgets/proposal.rb
@@ -200,5 +200,29 @@ def help
)
end
end
+
+ class SelinuxPolicy < CWM::ComboBox
+ def initialize(settings)
+ textdomain "firewall"
+
+ @settings = settings
+ end
+
+ def label
+ _("SELinux Policy")
+ end
+
+ def items
+ @settings.selinux_config.modes.map { |m| [m.id, m.to_human_string] }
+ end
+
+ def init
+ self.value = @settings.selinux_config.mode.id
+ end
+
+ def store
+ @settings.selinux_config.mode = value
+ end
+ end
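Review bot: The new combo box defines no `help` method, although the neighbouring widgets in this file do (`def help` is the context line just above the hunk), so the installer offers a security-relevant choice with no explanation of what the modes mean. Add one along the lines of `def help; _("<p>Select the SELinux mode for the installed system. The mode controls whether the SELinux policy is enforced, only logged, or not loaded at all.</p>"); end`, worded to match whatever `selinux_config.modes` actually exposes. `store` also hands the raw combo value (a mode id) straight to `selinux_config.mode=`; whether that setter accepts an id rather than a mode object is not visible here and should be confirmed against yast2-security.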
end
end
From f4e6caf7a145c5a3aad73dbe0b34ff04e52c754a Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Wed, 3 Feb 2021 12:32:41 +0100
Subject: [PATCH 02/21] write properly settings to bootloader proposal
---
src/lib/y2firewall/proposal_settings.rb | 1 +
src/lib/y2firewall/widgets/proposal.rb | 1 +
2 files changed, 2 insertions(+)
diff --git a/src/lib/y2firewall/proposal_settings.rb b/src/lib/y2firewall/proposal_settings.rb
index fc4d9575..0efa479d 100644
--- a/src/lib/y2firewall/proposal_settings.rb
+++ b/src/lib/y2firewall/proposal_settings.rb
@@ -59,6 +59,7 @@ def initialize
# chose a different one in the proposal
@default_zone = "public"
@selinux_config = Y2Security::SelinuxConfig.new
+ @selinux_config.save # lets write the proposal to sync the initial state
end
# Load the default values defined in the control file
diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb
index 63444bd0..257dd025 100644
--- a/src/lib/y2firewall/widgets/proposal.rb
+++ b/src/lib/y2firewall/widgets/proposal.rb
@@ -222,6 +222,7 @@ def init
def store
@settings.selinux_config.mode = value
+ @settings.selinux_config.save
end
end
end
From a9915dea09429b5aa16ba4aeed2a8e12a0c28b36 Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Wed, 3 Feb 2021 15:26:26 +0100
Subject: [PATCH 03/21] fix syntax
---
src/lib/y2firewall/dialogs/proposal.rb | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb
index a6cd9837..4ddfd29a 100644
--- a/src/lib/y2firewall/dialogs/proposal.rb
+++ b/src/lib/y2firewall/dialogs/proposal.rb
@@ -66,6 +66,7 @@ def contents
)
)
)
+ end
end
def abort_button
From 5196253f7058e98aab8ddaa97c4a6bbe48d5f0bf Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Wed, 3 Feb 2021 15:57:46 +0100
Subject: [PATCH 04/21] fix return value
---
src/lib/y2firewall/dialogs/proposal.rb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb
index 4ddfd29a..e32e15a7 100644
--- a/src/lib/y2firewall/dialogs/proposal.rb
+++ b/src/lib/y2firewall/dialogs/proposal.rb
@@ -55,6 +55,7 @@ def contents
)
)
)
+
if @settings.selinux_config.configurable?
res.params << Frame(
_("SELinux"),
@@ -67,6 +68,8 @@ def contents
)
)
end
+
+ res
end
def abort_button
From 3146f575099d480a92be41465e777b5acf208e66 Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Wed, 3 Feb 2021 16:10:29 +0100
Subject: [PATCH 05/21] improve wording
---
src/lib/y2firewall/clients/proposal.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/y2firewall/clients/proposal.rb b/src/lib/y2firewall/clients/proposal.rb
index 329635d6..aae84556 100644
--- a/src/lib/y2firewall/clients/proposal.rb
+++ b/src/lib/y2firewall/clients/proposal.rb
@@ -225,7 +225,7 @@ def selinux_proposal
return nil unless @settings.selinux_config.configurable?
_(
- "Selinux Default Policy %s"
+ "Selinux Default Policy is %s"
) % @settings.selinux_config.mode.to_human_string
end
end
From 4fee4620b7ab61e364218f75aa22891b920cbe98 Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Wed, 3 Feb 2021 20:33:51 +0100
Subject: [PATCH 06/21] fix initial bootloader params as force proposal
discards selinux configuration
---
src/lib/y2firewall/clients/installation_finish.rb | 1 +
src/lib/y2firewall/proposal_settings.rb | 1 -
src/lib/y2firewall/widgets/proposal.rb | 1 -
3 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/lib/y2firewall/clients/installation_finish.rb b/src/lib/y2firewall/clients/installation_finish.rb
index 10521131..10f03598 100644
--- a/src/lib/y2firewall/clients/installation_finish.rb
+++ b/src/lib/y2firewall/clients/installation_finish.rb
@@ -57,6 +57,7 @@ def modes
def write
Service.Enable("sshd") if @settings.enable_sshd
configure_firewall if @firewalld.installed?
+ @settings.selinux_config.save
true
end
diff --git a/src/lib/y2firewall/proposal_settings.rb b/src/lib/y2firewall/proposal_settings.rb
index 0efa479d..fc4d9575 100644
--- a/src/lib/y2firewall/proposal_settings.rb
+++ b/src/lib/y2firewall/proposal_settings.rb
@@ -59,7 +59,6 @@ def initialize
# chose a different one in the proposal
@default_zone = "public"
@selinux_config = Y2Security::SelinuxConfig.new
- @selinux_config.save # lets write the proposal to sync the initial state
end
# Load the default values defined in the control file
diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb
index 257dd025..63444bd0 100644
--- a/src/lib/y2firewall/widgets/proposal.rb
+++ b/src/lib/y2firewall/widgets/proposal.rb
@@ -222,7 +222,6 @@ def init
def store
@settings.selinux_config.mode = value
- @settings.selinux_config.save
end
end
end
From 30a5447e85e2df986e2c841ce047fa4d0f139640 Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Thu, 4 Feb 2021 10:03:12 +0100
Subject: [PATCH 07/21] add documentation
---
src/lib/y2firewall/widgets/proposal.rb | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb
index 63444bd0..efb4525d 100644
--- a/src/lib/y2firewall/widgets/proposal.rb
+++ b/src/lib/y2firewall/widgets/proposal.rb
@@ -201,6 +201,7 @@ def help
end
end
+ # widget to set selinux policy
class SelinuxPolicy < CWM::ComboBox
def initialize(settings)
textdomain "firewall"
From d56663ae78507e626d7632917d443c731cfc456b Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Thu, 4 Feb 2021 10:33:32 +0100
Subject: [PATCH 08/21] changes and spec adaptation
---
Dockerfile | 1 +
package/yast2-firewall.changes | 9 ++++++++-
package/yast2-firewall.spec | 6 ++++--
test/lib/y2firewall/proposal_settings_test.rb | 4 ++++
4 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 159e190b..067bae64 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,4 @@
FROM registry.opensuse.org/yast/sle-15/sp2/containers/yast-ruby
+RUN zypper --non-interactive in --no-recommends yast2-security
COPY . /usr/src/app
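Review bot: The new `zypper in` line installs `yast2-security` unpinned, while the spec changed in this same commit requires `yast2-security >= 4.2.15`, so the CI container may exercise whatever version the SP2 repository currently ships rather than the declared minimum. Pin it to match, e.g. `RUN zypper --non-interactive in --no-recommends 'yast2-security >= 4.2.15'`, and bump both places together when the requirement changes (patch 15 later raises only the spec).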
diff --git a/package/yast2-firewall.changes b/package/yast2-firewall.changes
index 5ea89ecc..8f73b6b2 100644
--- a/package/yast2-firewall.changes
+++ b/package/yast2-firewall.changes
@@ -1,8 +1,15 @@
+-------------------------------------------------------------------
+Thu Feb 4 09:14:13 UTC 2021 - Josef Reidinger
+
+- Add to firewall/security proposal option to setup selinux if
+ given product require it. (jsc#SLE-17427)
+- 4.2.6
+
-------------------------------------------------------------------
Fri Oct 16 15:15:49 UTC 2020 - Josef Reidinger
- Do not enable firewall during first stage of AutoYaST
- (bsc#1177778)
+ (bsc#1177778)
- 4.2.5
-------------------------------------------------------------------
diff --git a/package/yast2-firewall.spec b/package/yast2-firewall.spec
index 5e6ad71b..9a1cd810 100644
--- a/package/yast2-firewall.spec
+++ b/package/yast2-firewall.spec
@@ -17,7 +17,7 @@
Name: yast2-firewall
-Version: 4.2.5
+Version: 4.2.6
Release: 0
Summary: YaST2 - Firewall Configuration
Group: System/YaST
@@ -26,8 +26,10 @@ Url: https://github.com/yast/yast-firewall
Source0: %{name}-%{version}.tar.bz2
-BuildRequires: perl-XML-Writer update-desktop-files yast2-testsuite
+BuildRequires: update-desktop-files
BuildRequires: yast2-devtools >= 4.2.2
+# for proposing selinux
+BuildRequires: yast2-security >= 4.2.15
# Removed zone name from common attributes definition
BuildRequires: yast2 >= 4.1.67
BuildRequires: rubygem(%rb_default_ruby_abi:yast-rake)
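Review bot: The hunk adds only `BuildRequires: yast2-security >= 4.2.15`, but `proposal_settings.rb` now does `require "y2security/selinux_config"` at load time, so the package also needs a runtime `Requires: yast2-security >= 4.2.15`; the Requires section lies outside this hunk, so confirm it is added there, otherwise the firewall proposal fails to load wherever yast2-security is absent. The removal of `perl-XML-Writer` and `yast2-testsuite` from BuildRequires is not mentioned in the commit message or changes entry; if they are indeed unused, say so in the changelog so the drop is traceable.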
diff --git a/test/lib/y2firewall/proposal_settings_test.rb b/test/lib/y2firewall/proposal_settings_test.rb
index de70413b..8c383dbf 100755
--- a/test/lib/y2firewall/proposal_settings_test.rb
+++ b/test/lib/y2firewall/proposal_settings_test.rb
@@ -54,6 +54,10 @@
described_class.create_instance
end
+ it "initializes selinux configuration" do
+ expect(subject.selinux_config).to be_a(Y2Security::SelinuxConfig)
+ end
+
context "when firewall has been enabled in the control file" do
let(:global_section) { { "enable_firewall" => true, "enable_sshd" => false } }
From 5590ccc47ec47e7d86c5026579fe49f56cf1786b Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Thu, 4 Feb 2021 10:49:34 +0100
Subject: [PATCH 09/21] improve tests
---
.../y2firewall/clients/installation_finish_test.rb | 4 ++++
test/lib/y2firewall/widgets/proposal_test.rb | 6 ++++++
test/test_helper.rb | 11 +++++++++++
3 files changed, 21 insertions(+)
diff --git a/test/lib/y2firewall/clients/installation_finish_test.rb b/test/lib/y2firewall/clients/installation_finish_test.rb
index a3de7e62..7b1b904b 100644
--- a/test/lib/y2firewall/clients/installation_finish_test.rb
+++ b/test/lib/y2firewall/clients/installation_finish_test.rb
@@ -42,6 +42,10 @@
subject.write
end
+ it "saves selinux policy" do
+ expect(proposal_settings.selinux_config).to receive(:save)
+ end
+
context "when firewalld is not installed" do
let(:installed) { false }
diff --git a/test/lib/y2firewall/widgets/proposal_test.rb b/test/lib/y2firewall/widgets/proposal_test.rb
index 8ace9da4..1b617246 100644
--- a/test/lib/y2firewall/widgets/proposal_test.rb
+++ b/test/lib/y2firewall/widgets/proposal_test.rb
@@ -330,4 +330,10 @@
end
end
end
+
+ describe Y2Firewall::Widgets::SelinuxPolicy do
+ subject { described_class.new(proposal_settings) }
+
+ include_examples "CWM::ComboBox"
+ end
end
diff --git a/test/test_helper.rb b/test/test_helper.rb
index 20c4cf7e..4ff55464 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -44,6 +44,17 @@ def stub_module(name, fake_class = nil)
ENV["LANG"] = "en_US.UTF-8"
ENV["LC_ALL"] = "en_US.UTF-8"
+RSpec.configure do |config|
+ config.mock_with :rspec do |mocks|
+ # If you misremember a method name both in code and in tests,
+ # will save you.
+ # https://relishapp.com/rspec/rspec-mocks/v/3-0/docs/verifying-doubles/partial-doubles
+ #
+ # With graceful degradation for RSpec 2
+ mocks.verify_partial_doubles = true if mocks.respond_to?(:verify_partial_doubles=)
+ end
+end
+
if ENV["COVERAGE"]
require "simplecov"
SimpleCov.start do
From 636ce3e10b2b6c893d7abbd8c1584884530e78b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Knut=20Alejandro=20Anderssen=20Gonz=C3=A1lez?=
Date: Fri, 5 Feb 2021 18:01:33 +0000
Subject: [PATCH 10/21] Fix failing unit tests for selinux config
---
src/lib/y2firewall/dialogs/proposal.rb | 62 ++++++++++---------
src/lib/y2firewall/proposal_settings.rb | 9 ++-
.../clients/installation_finish_test.rb | 5 ++
test/lib/y2firewall/clients/proposal_test.rb | 1 +
test/lib/y2firewall/dialogs/proposal_test.rb | 4 ++
test/lib/y2firewall/proposal_settings_test.rb | 16 +++--
test/lib/y2firewall/widgets/proposal_test.rb | 6 ++
test/test_helper.rb | 2 +-
8 files changed, 69 insertions(+), 36 deletions(-)
diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb
index e32e15a7..a65453ba 100644
--- a/src/lib/y2firewall/dialogs/proposal.rb
+++ b/src/lib/y2firewall/dialogs/proposal.rb
@@ -41,34 +41,8 @@ def title
end
def contents
- res = VBox(
- Frame(
- _("Firewall and SSH service"),
- HSquash(
- MarginBox(
- 0.5,
- 0.5,
- VBox(
- Widgets::FirewallSSHProposal.new(@settings)
- )
- )
- )
- )
- )
-
- if @settings.selinux_config.configurable?
- res.params << Frame(
- _("SELinux"),
- MarginBox(
- 0.5,
- 0.5,
- VBox(
- Widgets::SelinuxPolicy.new(@settings)
- )
- )
- )
- end
-
+ res = VBox(firewall_ssh_content)
+ res.params << selinux_content if selinux_configurable?
res
end
@@ -91,6 +65,38 @@ def disable_buttons
protected
+ def selinux_configurable?
+ @settings.selinux_config.configurable?
+ end
+
+ def firewall_ssh_content
+ Frame(
+ _("Firewall and SSH service"),
+ HSquash(
+ MarginBox(
+ 0.5,
+ 0.5,
+ VBox(
+ Widgets::FirewallSSHProposal.new(@settings)
+ )
+ )
+ )
+ )
+ end
+
+ def selinux_content
+ Frame(
+ _("SELinux"),
+ MarginBox(
+ 0.5,
+ 0.5,
+ VBox(
+ Widgets::SelinuxPolicy.new(@settings)
+ )
+ )
+ )
+ end
+
# Hostname of the current system.
#
# Getting the hostname is sometimes a little bit slow, so the value is
diff --git a/src/lib/y2firewall/proposal_settings.rb b/src/lib/y2firewall/proposal_settings.rb
index fc4d9575..5e24b3b5 100644
--- a/src/lib/y2firewall/proposal_settings.rb
+++ b/src/lib/y2firewall/proposal_settings.rb
@@ -40,8 +40,6 @@ class ProposalSettings
attr_accessor :open_vnc
# [String] Name of the default zone where perform the changes
attr_accessor :default_zone
- # [Y2Security::SelinuxConfig] selinux configuration. Only temporary for SLE15 SP2,
- # for newer code streams it lives in security_setttings in yast2-installation.
attr_accessor :selinux_config
# Constructor
@@ -58,7 +56,6 @@ def initialize
# FIXME: obtain from Y2Firewall::Firewalld, control file or allow to
# chose a different one in the proposal
@default_zone = "public"
- @selinux_config = Y2Security::SelinuxConfig.new
end
# Load the default values defined in the control file
@@ -127,6 +124,12 @@ def close_vnc!
self.open_vnc = false
end
+ # @return [Y2Security::SelinuxConfig] selinux configuration. Only temporary for SLE15 SP2,
+ # for newer code streams it lives in security_setttings in yast2-installation.
+ def selinux_config
+ @selinux_config ||= Y2Security::SelinuxConfig.new
+ end
+
private
def load_feature(feature, to, source: global_section)
diff --git a/test/lib/y2firewall/clients/installation_finish_test.rb b/test/lib/y2firewall/clients/installation_finish_test.rb
index 7b1b904b..2abb63cb 100644
--- a/test/lib/y2firewall/clients/installation_finish_test.rb
+++ b/test/lib/y2firewall/clients/installation_finish_test.rb
@@ -8,10 +8,12 @@
describe Y2Firewall::Clients::InstallationFinish do
before do
allow_any_instance_of(Y2Firewall::Firewalld::Api).to receive(:running?).and_return(false)
+ allow(Y2Security::SelinuxConfig).to receive(:new).and_return(selinux_config)
end
let(:proposal_settings) { Y2Firewall::ProposalSettings.instance }
let(:firewalld) { Y2Firewall::Firewalld.instance }
+ let(:selinux_config) { double("SelinuxConfig", save: true, configurable?: true) }
describe "#title" do
it "returns translated string" do
@@ -33,6 +35,7 @@
allow(proposal_settings).to receive(:enable_sshd).and_return(enable_sshd)
allow(firewalld).to receive(:installed?).and_return(installed)
allow(proposal_settings).to receive(:open_ssh).and_return(false)
+ allow(proposal_settings).to receive(:selinux_config).and_return(selinux_config)
end
it "enables the sshd service if enabled in the proposal" do
@@ -44,6 +47,8 @@
it "saves selinux policy" do
expect(proposal_settings.selinux_config).to receive(:save)
+
+ subject.write
end
context "when firewalld is not installed" do
diff --git a/test/lib/y2firewall/clients/proposal_test.rb b/test/lib/y2firewall/clients/proposal_test.rb
index b25a38cd..14186e20 100644
--- a/test/lib/y2firewall/clients/proposal_test.rb
+++ b/test/lib/y2firewall/clients/proposal_test.rb
@@ -30,6 +30,7 @@
before do
# skip bootloader proposal to avoid build dependency on it
allow(subject).to receive(:cpu_mitigations_proposal)
+ allow(subject).to receive(:selinux_proposal)
end
describe "#initialize" do
diff --git a/test/lib/y2firewall/dialogs/proposal_test.rb b/test/lib/y2firewall/dialogs/proposal_test.rb
index 58da98eb..7aae13e6 100644
--- a/test/lib/y2firewall/dialogs/proposal_test.rb
+++ b/test/lib/y2firewall/dialogs/proposal_test.rb
@@ -29,5 +29,9 @@
subject { described_class.new(settings) }
+ before do
+ allow(subject).to receive(:selinux_configurable?).and_return(false)
+ end
+
include_examples "CWM::Dialog"
end
diff --git a/test/lib/y2firewall/proposal_settings_test.rb b/test/lib/y2firewall/proposal_settings_test.rb
index 8c383dbf..c8f329f6 100755
--- a/test/lib/y2firewall/proposal_settings_test.rb
+++ b/test/lib/y2firewall/proposal_settings_test.rb
@@ -54,10 +54,6 @@
described_class.create_instance
end
- it "initializes selinux configuration" do
- expect(subject.selinux_config).to be_a(Y2Security::SelinuxConfig)
- end
-
context "when firewall has been enabled in the control file" do
let(:global_section) { { "enable_firewall" => true, "enable_sshd" => false } }
@@ -110,6 +106,18 @@
end
end
+ describe "#selinux_config" do
+ let(:selinux_config) { double("Y2Security::SelinuxConfig") }
+
+ before do
+ allow(Y2Security::SelinuxConfig).to receive(:new).and_return(selinux_config)
+ end
+
+ it "returns a SelinuxConfig object" do
+ expect(subject.selinux_config).to eq(selinux_config)
+ end
+ end
+
describe "#enable_firewall!" do
it "sets firewalld service to be enabled" do
allow(Yast::PackagesProposal).to receive("AddResolvables")
diff --git a/test/lib/y2firewall/widgets/proposal_test.rb b/test/lib/y2firewall/widgets/proposal_test.rb
index 1b617246..f24a3c2f 100644
--- a/test/lib/y2firewall/widgets/proposal_test.rb
+++ b/test/lib/y2firewall/widgets/proposal_test.rb
@@ -334,6 +334,12 @@
describe Y2Firewall::Widgets::SelinuxPolicy do
subject { described_class.new(proposal_settings) }
+ let(:selinux_config) { instance_double("Y2Security::SelinuxConfig", modes: []) }
+
+ before do
+ allow(proposal_settings).to receive(:selinux_config).and_return(selinux_config)
+ end
+
include_examples "CWM::ComboBox"
end
end
diff --git a/test/test_helper.rb b/test/test_helper.rb
index 4ff55464..6496113f 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -35,7 +35,7 @@ def stub_module(name, fake_class = nil)
end
# stub classes from other modules to speed up a build
-stub_module("AutoInstall")
+stub_module("AutoInstall", Class.new { def issues_list; []; end })
# rubocop:disable Style/SingleLineMethods
# rubocop:disable Style/MethodName
stub_module("UsersSimple", Class.new { def self.GetRootPassword; "secret"; end })
From 788f4efa8dfd3dcc0d039755816002e925d1d68d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20D=C3=ADaz=20Gonz=C3=A1lez?=
Date: Thu, 11 Feb 2021 14:57:48 +0000
Subject: [PATCH 11/21] Use Y2Security::Selinux instead of
Y2Security::SelinuxConfig
Because it was renamed in yast2-security 4.2.16. Remove some no longer
needed mocking too.
---
src/lib/y2firewall/proposal_settings.rb | 13 ++++++++-----
.../y2firewall/clients/installation_finish_test.rb | 4 +---
test/lib/y2firewall/proposal_settings_test.rb | 10 ++--------
test/lib/y2firewall/widgets/proposal_test.rb | 10 +++-------
4 files changed, 14 insertions(+), 23 deletions(-)
diff --git a/src/lib/y2firewall/proposal_settings.rb b/src/lib/y2firewall/proposal_settings.rb
index 5e24b3b5..a24c9f72 100644
--- a/src/lib/y2firewall/proposal_settings.rb
+++ b/src/lib/y2firewall/proposal_settings.rb
@@ -22,7 +22,7 @@
require "yast"
Yast.import "UsersSimple"
-require "y2security/selinux_config"
+require "y2security/selinux"
module Y2Firewall
# Class that stores the proposal settings for firewalld during installation.
@@ -40,7 +40,6 @@ class ProposalSettings
attr_accessor :open_vnc
# [String] Name of the default zone where perform the changes
attr_accessor :default_zone
- attr_accessor :selinux_config
# Constructor
def initialize
@@ -124,10 +123,14 @@ def close_vnc!
self.open_vnc = false
end
- # @return [Y2Security::SelinuxConfig] selinux configuration. Only temporary for SLE15 SP2,
- # for newer code streams it lives in security_setttings in yast2-installation.
+ # Returns a SELinux configuration handler
+ #
+ # @note this is here only for SLE-15-SP2 and derivated products. Newer code
+ # streams will have it in the yast2-installation -> security settings
+ #
+ # @return [Y2Security::Selinux] the SELinux config handler
def selinux_config
- @selinux_config ||= Y2Security::SelinuxConfig.new
+ @selinux_config ||= Y2Security::Selinux.new
end
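Review bot: The new YARD note says `derivated products`; the English word is `derived`, and the sentence can be tightened to `# @note Only here for SLE-15-SP2 and derived products. Newer code streams get it from the security settings in yast2-installation.` Since `ProposalSettings` is used as a singleton (`.instance` in the tests) it is also worth stating the memoization explicitly: `# Memoized: the same Y2Security::Selinux instance is returned for the lifetime of the settings object.`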
private
diff --git a/test/lib/y2firewall/clients/installation_finish_test.rb b/test/lib/y2firewall/clients/installation_finish_test.rb
index 2abb63cb..735d2f2b 100644
--- a/test/lib/y2firewall/clients/installation_finish_test.rb
+++ b/test/lib/y2firewall/clients/installation_finish_test.rb
@@ -8,12 +8,10 @@
describe Y2Firewall::Clients::InstallationFinish do
before do
allow_any_instance_of(Y2Firewall::Firewalld::Api).to receive(:running?).and_return(false)
- allow(Y2Security::SelinuxConfig).to receive(:new).and_return(selinux_config)
end
let(:proposal_settings) { Y2Firewall::ProposalSettings.instance }
let(:firewalld) { Y2Firewall::Firewalld.instance }
- let(:selinux_config) { double("SelinuxConfig", save: true, configurable?: true) }
describe "#title" do
it "returns translated string" do
@@ -35,7 +33,7 @@
allow(proposal_settings).to receive(:enable_sshd).and_return(enable_sshd)
allow(firewalld).to receive(:installed?).and_return(installed)
allow(proposal_settings).to receive(:open_ssh).and_return(false)
- allow(proposal_settings).to receive(:selinux_config).and_return(selinux_config)
+ allow(proposal_settings.selinux_config).to receive(:save).and_return(true)
end
it "enables the sshd service if enabled in the proposal" do
diff --git a/test/lib/y2firewall/proposal_settings_test.rb b/test/lib/y2firewall/proposal_settings_test.rb
index c8f329f6..5ba70b8b 100755
--- a/test/lib/y2firewall/proposal_settings_test.rb
+++ b/test/lib/y2firewall/proposal_settings_test.rb
@@ -107,14 +107,8 @@
end
describe "#selinux_config" do
- let(:selinux_config) { double("Y2Security::SelinuxConfig") }
-
- before do
- allow(Y2Security::SelinuxConfig).to receive(:new).and_return(selinux_config)
- end
-
- it "returns a SelinuxConfig object" do
- expect(subject.selinux_config).to eq(selinux_config)
+ it "returns a Y2Security::Selinux instance" do
+ expect(subject.selinux_config).to be_a(Y2Security::Selinux)
end
end
diff --git a/test/lib/y2firewall/widgets/proposal_test.rb b/test/lib/y2firewall/widgets/proposal_test.rb
index f24a3c2f..34671769 100644
--- a/test/lib/y2firewall/widgets/proposal_test.rb
+++ b/test/lib/y2firewall/widgets/proposal_test.rb
@@ -30,10 +30,12 @@
end
describe Y2Firewall::Widgets do
+ let(:selinux_config) { instance_double(Y2Security::Selinux, modes: []) }
+
let(:proposal_settings) do
instance_double(
Y2Firewall::ProposalSettings, enable_firewall: true, enable_sshd: true,
- open_ssh: true, open_vnc: true
+ open_ssh: true, open_vnc: true, selinux_config: selinux_config
)
end
@@ -334,12 +336,6 @@
describe Y2Firewall::Widgets::SelinuxPolicy do
subject { described_class.new(proposal_settings) }
- let(:selinux_config) { instance_double("Y2Security::SelinuxConfig", modes: []) }
-
- before do
- allow(proposal_settings).to receive(:selinux_config).and_return(selinux_config)
- end
-
include_examples "CWM::ComboBox"
end
end
From 054cd1774411c488f3d3e3ede40b8396edb5a175 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20D=C3=ADaz=20Gonz=C3=A1lez?=
Date: Thu, 11 Feb 2021 15:01:07 +0000
Subject: [PATCH 12/21] Fix Rubocop offenses
---
test/test_helper.rb | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/test/test_helper.rb b/test/test_helper.rb
index 6496113f..841bfb1c 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -35,10 +35,12 @@ def stub_module(name, fake_class = nil)
end
# stub classes from other modules to speed up a build
-stub_module("AutoInstall", Class.new { def issues_list; []; end })
# rubocop:disable Style/SingleLineMethods
# rubocop:disable Style/MethodName
+stub_module("AutoInstall", Class.new { def issues_list; []; end })
stub_module("UsersSimple", Class.new { def self.GetRootPassword; "secret"; end })
+# rubocop:enable Style/SingleLineMethods
+# rubocop:enable Style/MethodName
# some tests have translatable messages
ENV["LANG"] = "en_US.UTF-8"
From 1898baece234255f049b26826bf7cbbcd7cea404 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20D=C3=ADaz=20Gonz=C3=A1lez?=
Date: Thu, 11 Feb 2021 15:03:52 +0000
Subject: [PATCH 13/21] Rename SelinuxPolicy to SelinuxMode
Actually what we are setting is the SELinux mode, not its policies.
---
src/lib/y2firewall/clients/proposal.rb | 2 +-
src/lib/y2firewall/dialogs/proposal.rb | 2 +-
src/lib/y2firewall/widgets/proposal.rb | 6 +++---
test/lib/y2firewall/clients/installation_finish_test.rb | 2 +-
test/lib/y2firewall/widgets/proposal_test.rb | 2 +-
5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/lib/y2firewall/clients/proposal.rb b/src/lib/y2firewall/clients/proposal.rb
index aae84556..a4ecc9d5 100644
--- a/src/lib/y2firewall/clients/proposal.rb
+++ b/src/lib/y2firewall/clients/proposal.rb
@@ -225,7 +225,7 @@ def selinux_proposal
return nil unless @settings.selinux_config.configurable?
_(
- "Selinux Default Policy is %s"
+ "Selinux Default Mode is %s"
) % @settings.selinux_config.mode.to_human_string
end
end
diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb
index a65453ba..f701a798 100644
--- a/src/lib/y2firewall/dialogs/proposal.rb
+++ b/src/lib/y2firewall/dialogs/proposal.rb
@@ -91,7 +91,7 @@ def selinux_content
0.5,
0.5,
VBox(
- Widgets::SelinuxPolicy.new(@settings)
+ Widgets::SelinuxMode.new(@settings)
)
)
)
diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb
index efb4525d..8fe4303f 100644
--- a/src/lib/y2firewall/widgets/proposal.rb
+++ b/src/lib/y2firewall/widgets/proposal.rb
@@ -201,8 +201,8 @@ def help
end
end
- # widget to set selinux policy
- class SelinuxPolicy < CWM::ComboBox
+ # Widget to set SELinux mode
+ class SelinuxMode < CWM::ComboBox
def initialize(settings)
textdomain "firewall"
@@ -210,7 +210,7 @@ def initialize(settings)
end
def label
- _("SELinux Policy")
+ _("SELinux Mode")
end
def items
diff --git a/test/lib/y2firewall/clients/installation_finish_test.rb b/test/lib/y2firewall/clients/installation_finish_test.rb
index 735d2f2b..3602ea00 100644
--- a/test/lib/y2firewall/clients/installation_finish_test.rb
+++ b/test/lib/y2firewall/clients/installation_finish_test.rb
@@ -43,7 +43,7 @@
subject.write
end
- it "saves selinux policy" do
+ it "saves selinux config" do
expect(proposal_settings.selinux_config).to receive(:save)
subject.write
diff --git a/test/lib/y2firewall/widgets/proposal_test.rb b/test/lib/y2firewall/widgets/proposal_test.rb
index 34671769..773da7e8 100644
--- a/test/lib/y2firewall/widgets/proposal_test.rb
+++ b/test/lib/y2firewall/widgets/proposal_test.rb
@@ -333,7 +333,7 @@
end
end
- describe Y2Firewall::Widgets::SelinuxPolicy do
+ describe Y2Firewall::Widgets::SelinuxMode do
subject { described_class.new(proposal_settings) }
include_examples "CWM::ComboBox"
From 28a5e4ae385c2e839145000dabcfba3d9a3aebaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20D=C3=ADaz=20Gonz=C3=A1lez?=
Date: Thu, 11 Feb 2021 15:18:48 +0000
Subject: [PATCH 14/21] Update and the proposal dialog
Adding more unit tests to check if Y2Firewall::Widgets::SelinuxMode is
rendered when expected.
---
src/lib/y2firewall/dialogs/proposal.rb | 7 +++--
test/lib/y2firewall/dialogs/proposal_test.rb | 29 ++++++++++++++++++--
2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb
index f701a798..d414e278 100644
--- a/src/lib/y2firewall/dialogs/proposal.rb
+++ b/src/lib/y2firewall/dialogs/proposal.rb
@@ -41,9 +41,10 @@ def title
end
def contents
- res = VBox(firewall_ssh_content)
- res.params << selinux_content if selinux_configurable?
- res
+ content = [firewall_ssh_content]
+ content << selinux_content if selinux_configurable?
+
+ VBox(*content)
end
def abort_button
diff --git a/test/lib/y2firewall/dialogs/proposal_test.rb b/test/lib/y2firewall/dialogs/proposal_test.rb
index 7aae13e6..9fc792be 100644
--- a/test/lib/y2firewall/dialogs/proposal_test.rb
+++ b/test/lib/y2firewall/dialogs/proposal_test.rb
@@ -25,13 +25,36 @@
require "y2firewall/dialogs/proposal"
describe Y2Firewall::Dialogs::Proposal do
- let(:settings) { instance_double("Y2Firewall::ProposalSettings") }
-
subject { described_class.new(settings) }
+ let(:settings) { instance_double("Y2Firewall::ProposalSettings") }
+ let(:selinux_configurable) { false }
+
before do
- allow(subject).to receive(:selinux_configurable?).and_return(false)
+ allow(subject).to receive(:selinux_configurable?)
+ .and_return(selinux_configurable)
end
include_examples "CWM::Dialog"
+
+ describe "#contents" do
+ let(:widgets) { Yast::CWM.widgets_in_contents([subject.contents]) }
+ let(:selinux_mode_widget) { widgets.find { |w| w.is_a?(Y2Firewall::Widgets::SelinuxMode) } }
+
+ context "when SELinux is set to be configurable" do
+ let(:selinux_configurable) { true }
+
+ it "contains the Y2Firewall::Widgets::SelinuxMode content" do
+ expect(selinux_mode_widget).to_not be_nil
+ end
+ end
+
+ context "when SELinux is set to not be configurable" do
+ let(:selinux_configurable) { false }
+
+ it "does not contain the Y2Firewall::Widgets::SelinuxMode content" do
+ expect(selinux_mode_widget).to be_nil
+ end
+ end
+ end
end
From f5947a5852088732a446244c9f9e5a35fb2c00ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20D=C3=ADaz=20Gonz=C3=A1lez?=
Date: Thu, 11 Feb 2021 15:23:08 +0000
Subject: [PATCH 15/21] Update dependency
---
package/yast2-firewall.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/yast2-firewall.spec b/package/yast2-firewall.spec
index 9a1cd810..2f809b98 100644
--- a/package/yast2-firewall.spec
+++ b/package/yast2-firewall.spec
@@ -29,7 +29,7 @@ Source0: %{name}-%{version}.tar.bz2
BuildRequires: update-desktop-files
BuildRequires: yast2-devtools >= 4.2.2
# for proposing selinux
-BuildRequires: yast2-security >= 4.2.15
+BuildRequires: yast2-security >= 4.2.16
# Removed zone name from common attributes definition
BuildRequires: yast2 >= 4.1.67
BuildRequires: rubygem(%rb_default_ruby_abi:yast-rake)
From 13d72b3fb89b984f3bd385da74b3891c248b05ce Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Thu, 11 Feb 2021 20:16:59 +0100
Subject: [PATCH 16/21] implement needed pattern for selinux
---
src/lib/y2firewall/clients/proposal.rb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/lib/y2firewall/clients/proposal.rb b/src/lib/y2firewall/clients/proposal.rb
index a4ecc9d5..eebe9bd4 100644
--- a/src/lib/y2firewall/clients/proposal.rb
+++ b/src/lib/y2firewall/clients/proposal.rb
@@ -224,6 +224,10 @@ def sshd_proposal
def selinux_proposal
return nil unless @settings.selinux_config.configurable?
+ # add required patterns
+ Yast.import "PackagesProposal"
+ Yast::PackagesProposal.SetResolvables("SELinux", :pattern, @settings.selinux_config.needed_patterns)
+
_(
"Selinux Default Mode is %s"
) % @settings.selinux_config.mode.to_human_string
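Review bot: The call to `Yast::PackagesProposal.SetResolvables` turns `selinux_proposal`, documented just above the hunk as returning the description text, into a method with a side effect that runs every time the proposal summary is rendered; the docstring should state it, e.g. `# Also registers the patterns required by the selected SELinux mode with PackagesProposal.` `Yast.import "PackagesProposal"` inside the method body is unusual for YaST code, which normally lists imports once at the top of the class, and the comment `# add required patterns` would be more useful as `# register the patterns the chosen SELinux mode needs so the installer pulls them in`. Because the method returns early when SELinux is not configurable, nothing ever clears a previously registered set if configurability changes; that is probably not reachable in one run, but if `needed_patterns` can be empty (for instance for a disabled mode) it is worth confirming that `SetResolvables` with an empty list is the intended way to clear it. The method's closing `end` lies outside the hunk.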
From 222cc65d2abc2bbfc014e4b19939f3600cba46ac Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Thu, 11 Feb 2021 23:00:23 +0100
Subject: [PATCH 17/21] make rubocop happy
---
src/lib/y2firewall/clients/proposal.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lib/y2firewall/clients/proposal.rb b/src/lib/y2firewall/clients/proposal.rb
index eebe9bd4..d5dd009d 100644
--- a/src/lib/y2firewall/clients/proposal.rb
+++ b/src/lib/y2firewall/clients/proposal.rb
@@ -226,7 +226,8 @@ def selinux_proposal
# add required patterns
Yast.import "PackagesProposal"
- Yast::PackagesProposal.SetResolvables("SELinux", :pattern, @settings.selinux_config.needed_patterns)
+ Yast::PackagesProposal.SetResolvables("SELinux", :pattern,
+ @settings.selinux_config.needed_patterns)
_(
"Selinux Default Mode is %s"
From 310cbb69f704c86df1f5cd3622794cef69b08f0a Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Thu, 11 Feb 2021 23:16:13 +0100
Subject: [PATCH 18/21] try improved layout
---
src/lib/y2firewall/dialogs/proposal.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb
index d414e278..9c4da500 100644
--- a/src/lib/y2firewall/dialogs/proposal.rb
+++ b/src/lib/y2firewall/dialogs/proposal.rb
@@ -44,7 +44,7 @@ def contents
content = [firewall_ssh_content]
content << selinux_content if selinux_configurable?
- VBox(*content)
+ HVCenter(Left(VBox(*content)))
end
def abort_button
From 369bb15411f2c32a4c0f3db31816e2a94cea5862 Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Fri, 12 Feb 2021 09:24:24 +0100
Subject: [PATCH 19/21] another attempt for better layout
---
src/lib/y2firewall/dialogs/proposal.rb | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/lib/y2firewall/dialogs/proposal.rb b/src/lib/y2firewall/dialogs/proposal.rb
index 9c4da500..39c7c472 100644
--- a/src/lib/y2firewall/dialogs/proposal.rb
+++ b/src/lib/y2firewall/dialogs/proposal.rb
@@ -41,10 +41,18 @@ def title
end
def contents
- content = [firewall_ssh_content]
- content << selinux_content if selinux_configurable?
-
- HVCenter(Left(VBox(*content)))
+ content = [Left(firewall_ssh_content)]
+ content << Left(selinux_content) if selinux_configurable?
+
+ HBox(
+ HStretch(),
+ VBox(
+ VStretch(),
+ *content,
+ VStretch()
+ ),
+ HStretch()
+ )
end
def abort_button
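Review bot: The nested `HBox(HStretch(), VBox(VStretch(), *content, VStretch()), HStretch())` has no comment explaining why it replaces the simpler `HVCenter(Left(...))` from the previous attempt, and the next maintainer will be tempted to fold it back; a line such as `# Stretch spacers on all four sides center the frames without scaling them (HVCenter did not give the wanted layout)` would record the intent, hedged to whatever was actually observed. The two-step construction of `content` can also be a single expression, `content = [Left(firewall_ssh_content), (Left(selinux_content) if selinux_configurable?)].compact`, which keeps the conditional part visible at one glance. The enclosing class starts outside the hunk.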
From 432e112f72df82f8021974ad37465311d8ec1e91 Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Fri, 12 Feb 2021 17:45:17 +0100
Subject: [PATCH 20/21] changes from review and help text
---
package/yast2-firewall.spec | 2 +-
src/lib/y2firewall/widgets/proposal.rb | 15 ++++++++++++++-
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/package/yast2-firewall.spec b/package/yast2-firewall.spec
index 2f809b98..aa6ad5c7 100644
--- a/package/yast2-firewall.spec
+++ b/package/yast2-firewall.spec
@@ -29,7 +29,7 @@ Source0: %{name}-%{version}.tar.bz2
BuildRequires: update-desktop-files
BuildRequires: yast2-devtools >= 4.2.2
# for proposing selinux
-BuildRequires: yast2-security >= 4.2.16
+BuildRequires: yast2-security >= 4.2.17
# Removed zone name from common attributes definition
BuildRequires: yast2 >= 4.1.67
BuildRequires: rubygem(%rb_default_ruby_abi:yast-rake)
diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb
index 8fe4303f..16c8bb8c 100644
--- a/src/lib/y2firewall/widgets/proposal.rb
+++ b/src/lib/y2firewall/widgets/proposal.rb
@@ -210,7 +210,8 @@ def initialize(settings)
end
def label
- _("SELinux Mode")
+ # TRANSLATORS: SELinu Mode just SELinux is already content of frame.
+ _("Mode")
end
def items
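Review bot: The TRANSLATORS comment above `_("Mode")` contains a typo and is hard to parse (`SELinu Mode just SELinux is already content of frame.`); since these comments are extracted verbatim for translators, it should read e.g. `# TRANSLATORS: label of the SELinux mode selector; "SELinux" is left out because the enclosing frame already shows it.` The enclosing widget class and its `initialize` start outside the hunk.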
@@ -224,6 +225,18 @@ def init
def store
@settings.selinux_config.mode = value
end
+
+ def help
+ _(
+ "Sets default selinux mode. Modes are:
" \
+ "- Enforcing the state that enforces SELinux security policy. "\
+ "Access is denied to users and programs unless permitted by " \
+ "SELinux security policy rules. All denial messages are logged.
"\
+ "Permissive is a diagnostic state. The security policy rules are " \
+ "not enforced, but SELinux sends denial messages to a log file." \
+ "Disabled SELinux does not enforce a security policy.
"
+ )
+ end
end
end
end
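Review bot: In `help`, the fragment `"not enforced, but SELinux sends denial messages to a log file." \` is joined to `"Disabled SELinux does not enforce a security policy.` with no separating space or line break, so the rendered help reads `log file.Disabled`; the line should end with a newline like the other mode entries, `"not enforced, but SELinux sends denial messages to a log file.\n" \`. The wording also mixes `selinux` and `SELinux` (the follow-up patch may already touch the first sentence), and the Disabled entry could state the security consequence plainly: with SELinux disabled no policy is loaded, so nothing is enforced and no denials are logged. The line breaks shown inside the string are presumably `\n` escapes in the source; a `<<~HELP` heredoc with one mode per line would make the text easier to read and to translate than a chain of backslash-continued literals.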
From 4c1d0ef2db1f982959124186dbd374d722369773 Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Fri, 12 Feb 2021 18:52:18 +0100
Subject: [PATCH 21/21] Update src/lib/y2firewall/widgets/proposal.rb
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: David Díaz <1691872+dgdavid@users.noreply.github.com>
---
src/lib/y2firewall/widgets/proposal.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/y2firewall/widgets/proposal.rb b/src/lib/y2firewall/widgets/proposal.rb
index 16c8bb8c..efabba8e 100644
--- a/src/lib/y2firewall/widgets/proposal.rb
+++ b/src/lib/y2firewall/widgets/proposal.rb
@@ -228,7 +228,7 @@ def store
def help
_(
- "Sets default selinux mode. Modes are: