Sync with selinux implementation for SP2

src/lib/installation/dialogs/security.rb

@@ -44,43 +44,24 @@ def contents
         # lazy require to avoid build dependency on bootloader
         require "bootloader/grub2_widgets"
 
-        VBox(
-          Frame(
-            _("Firewall and SSH service"),
-            HSquash(
-              MarginBox(
-                0.5,
-                0.5,
-                VBox(
-                  Y2Firewall::Widgets::FirewallSSHProposal.new(@settings)
-                )
-              )
-            )
-          ),
-          Frame(
-            _("PolicyKit"),
-            MarginBox(
-              0.5,
-              0.5,
-              PolkitDefaultPriv.new(@settings)
-            )
+        left_col = [firewall_frame, polkit_frame]
+        right_col = [cpu_frame]
+        right_col << selinux_frame if selinux_configurable?
+
+        HBox(
+          HStretch(),
+          VBox(
+            VStretch(),
+            *left_col,
+            VStretch()
           ),
-          Frame(
-            _("CPU"),
-            MarginBox(
-              0.5,
-              0.5,
-              ::Bootloader::Grub2Widget::CpuMitigationsWidget.new
-            )
+          HStretch(),
+          VBox(
+            VStretch(),
+            *right_col,
+            VStretch()
           ),
-          Frame(
-            _("SELinux"),
-            MarginBox(
-              0.5,
-              0.5,
-              Widgets::SelinuxPolicy.new(@settings)
-            )
-          )
+          HStretch()
         )
       end
 
@@ -116,6 +97,51 @@ def hostname
       def should_open_dialog?
         true
       end
+
+      def selinux_configurable?
+        @settings.selinux_config.configurable?
+      end
+
+      def firewall_frame
+        frame(
+            _("Firewall and SSH service"),
+            Y2Firewall::Widgets::FirewallSSHProposal.new(@settings)
+          )
+      end
+
+      def polkit_frame
+        frame(
+            _("PolicyKit),
+            PolkitDefaultPriv.new(@settings)
+          )
+      end
+
+      def cpu_frame
+        frame(
+            _("CPU),
+::Bootloader::Grub2Widget::CpuMitigationsWidget.new)
+          )
+      end
+
+      def selinux_frame
+        frame(
+          _("SELinux"),
+          Widgets::SelinuxPolicy.new(@settings)
+        )
+      end
+
+      def frame(label, widget)
+Left(Frame(
+            label,
+            HSquash(
+              MarginBox(
+                0.5,
+                0.5,
+                widget
+              )
+            )
+          ))
+      end
     end
 
     class PolkitDefaultPriv < CWM::ComboBox

src/lib/installation/widgets/selinux_policy.rb

@@ -22,6 +22,7 @@
 
 module Installation
   module Widgets
+    # Widget to set SELinux mode
     class SelinuxPolicy < CWM::ComboBox
       def initialize(settings)
         textdomain "installation"
@@ -30,19 +31,33 @@ def initialize(settings)
       end
 
       def label
-        _("SELinux Policy")
+        # TRANSLATORS: SELinu Mode just SELinux is already content of frame.
+        _("Mode")
       end
 
       def items
-        # TODO:
-        []
+        @settings.selinux_config.modes.map { |m| [m.id, m.to_human_string] }
       end
 
       def init
-        # TODO:
+        self.value = @settings.selinux_config.mode.id
       end
 
       def store
-        # TODO:
+        @settings.selinux_config.mode = value
+      end
+
+      def help
+        _(
+          "<p>Sets default SELinux mode. Modes are: <ul>" \
+          "<li><b>Enforcing</b> the state that enforces SELinux security policy. "\
+          "Access is denied to users and programs unless permitted by " \
+          "SELinux security policy rules. All denial messages are logged.</li> "\
+          "<b>Permissive</b> is a diagnostic state. The security policy rules are " \
+          "not enforced, but SELinux sends denial messages to a log file.</li>" \
+          "<b>Disabled</b> SELinux does not enforce a security policy.</li></ul></p>"
+        )
       end
     end
+  end
+end