Merge 6cfdfe2 into f64b5df

package/yast2-security.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Jan 26 14:01:57 UTC 2022 - Knut Alejandro Anderssen González <kanderssen@suse.com>
+
+Related to jsc#SLE-22069:
+  - AutoYaST LSM: only allow to select the desired LSM and the
+    SELinux mode.
+- 4.4.10
+
 -------------------------------------------------------------------
 Tue Jan 25 15:43:01 UTC 2022 - Imobach Gonzalez Sosa <igonzalezsosa@suse.com>
 

package/yast2-security.spec

@@ -17,7 +17,7 @@
 
 
 Name:           yast2-security
-Version:        4.4.9
+Version:        4.4.10
 Release:        0
 Group:          System/YaST
 License:        GPL-2.0-only

src/autoyast-rnc/security.rnc

@@ -9,7 +9,9 @@ cwd_in_user_path = element cwd_in_user_path { STRING }
 disable_restart_on_update = element disable_restart_on_update { STRING }
 disable_stop_on_removal = element disable_stop_on_removal { STRING }
 extra_services = element extra_services { STRING }
-selinux_mode = element selinux_mode { STRING }
+selinux_mode = element selinux_mode { "permissive" | "enforcing" | "disabled" }
+# Major Linux Security Module to be activated after installation
+lsm_select = element lsm_select { "apparmor" | "selinux" | "none" }
 displaymanager_remote_access = element displaymanager_remote_access { STRING }
 displaymanager_root_login_remote = element displaymanager_root_login_remote { STRING }
 displaymanager_shutdown = element displaymanager_shutdown { STRING }
@@ -74,6 +76,7 @@ y2_security =
   | disable_stop_on_removal
   | extra_services
   | selinux_mode
+  | lsm_select
   | displaymanager_remote_access
   | displaymanager_root_login_remote
   | displaymanager_xserver_tcp_port_6000_open
@@ -127,45 +130,4 @@ y2_security =
   | sec_ip_forward
   | displaymanager_shutdown
   | passwd_remember_history
-  | lsm
 security = element security { MAP, y2_security* }
-
-## Whether the module can be proposed/configured during installation
-lsm_configurable = element configurable  { BOOLEAN }
-## Whether the module can be selected during installation
-lsm_selectable = element selectable  { BOOLEAN }
-## Space-separated list of required/suggested patterns for the selected module
-lsm_patterns =  element patterns { text }
-
-lsm = element lsm { MAP,
-  (
-    lsm_select? &
-    lsm_configurable? &
-    lsm_selectable? &
-    none? &
-    selinux? &
-    apparmor?
-  )
-}
-
-# Linux Security Major Module to be activated after installation
-lsm_select = element select { "apparmor" | "selinux" | "none" }
-lsm_module =
-  lsm_configurable
-  | lsm_selectable
-  | lsm_patterns
-
-none = element none { MAP,
-  lsm_selectable?
-}
-
-apparmor = element apparmor { MAP,
-  lsm_module*
-}
-
-selinux = element selinux { MAP,
-  (
-    lsm_module*
-    | element mode { STRING }?
-  )*
-}

src/lib/y2security/autoinst/lsm_config_reader.rb

@@ -18,55 +18,46 @@
 # find current contact information at www.suse.com.
 
 require "y2security/lsm/config"
-require "y2security/autoinst_profile"
+require "y2security/autoinst_profile/security_section"
 
 module Y2Security
   module Autoinst
     # This class is responsible of reading the Linux Security Module configuration declared in
     # the AutoYaST profile
     class LSMConfigReader
-      # @return [AutoinstProfile::LSMSection]
+      # @return [AutoinstProfile::SecuritySection]
       attr_reader :section
-      # @return [AutoinstProfile::SelinuxSection, AutoinstProfile::ApparmorSection, nil]
-      attr_reader :module_section
-
       # Constructor
       #
-      # @param section [AutoinstProfile::LSMSection]
+      # @param section [AutoinstProfile::SecuritySection]
       def initialize(section)
         @section = section
       end
 
       # Reads the Linux Security Module configuration defined in the profile modifying it
       # accordingly
       def read
-        return unless section
+        return unless section.lsm_select || section.selinux_mode
 
-        config.configurable = section.configurable
-        config.select(section.select) if section.select
-        configure_supported_modules
+        select_module
+        configure_selinux if selinux?
       end
 
     private
 
-      def configure_supported_modules
-        [:selinux, :apparmor, :none].each do |id|
-          lsm_module = config.public_send(id)
-          @module_section = section.public_send(id)
-          next unless module_section
+      def selinux?
+        return true if section.lsm_select == "selinux"
 
-          assign(lsm_module, :mode) if id == :selinux
-          assign(lsm_module, :selectable)
-          next if id == :none
+        !section.lsm_select && section.selinux_mode
+      end
 
-          assign(lsm_module, :configurable)
-          assign(lsm_module, :patterns)
-        end
+      def configure_selinux
+        config.selinux.mode = section.selinux_mode
       end
 
-      def assign(lsm_module, option)
-        value = module_section.public_send(option)
-        lsm_module.public_send("#{option}=", value) unless value.nil?
+      def select_module
+        selected = selinux? ? "selinux" : section.lsm_select
+        config.select(selected)
       end
 
       def config

src/lib/y2security/autoinst_profile.rb

@@ -18,6 +18,3 @@
 # find current contact information at www.suse.com.
 
 require "y2security/autoinst_profile/security_section"
-require "y2security/autoinst_profile/lsm_section"
-require "y2security/autoinst_profile/selinux_section"
-require "y2security/autoinst_profile/apparmor_section"

src/lib/y2security/autoinst_profile/security_section.rb

@@ -18,53 +18,31 @@
 # find current contact information at www.suse.com.
 
 require "installation/autoinst_profile/section_with_attributes"
-require "y2security/autoinst_profile/lsm_section"
 
 module Y2Security
   module AutoinstProfile
     # This class represents an AutoYaST <security> section although by now it only handles
     # LSM related attributes
     #
     # <security>
-    #   <!-- <selinux_mode></selinux_mode> # Deprecated -->
-    #   <lsm>
-    #     <apparmor>
-    #       <selectable config:type="boolean">false</selectable>
-    #     </apparmor>
-    #     <selinux>
-    #       <mode>permissive</mode>
-    #       <configurable config:type="boolean">true</configurable>
-    #       <patterns>selinux</patterns>
-    #     </selinux>
-    #   </lsm>
+    #   <selinux_mode>enforcing</selinux_mode>
+    #   <lsm_select>selinux</lsm_select>
     # </security>
     class SecuritySection < ::Installation::AutoinstProfile::SectionWithAttributes
       def self.attributes
         [
-          { name: :selinux_mode }, # Deprecated
-          { name: :lsm }
+          { name: :selinux_mode },
+          { name: :lsm_select }
         ]
       end
 
       define_attr_accessors
 
       # @!attribute selinux_mode
       #   @return [String] SELinux mode to be used
-      #   @deprecated
-      #
-      # @!attribute lsm
-      #   @return [LSMSection]
-
-      def init_from_hashes(hash)
-        super
-
-        # backward compatible with option 'selinux_mode'
-        hash["lsm"] ||= { "select" => "selinux", "selinux" => { "mode" => @selinux_mode } } if @selinux_mode
-
-        @lsm = LSMSection.new_from_hashes(hash["lsm"], self) if hash["lsm"]
-
-        nil
-      end
+      # @!attribute lsm_select
+      #   @return [String] Major Linux Security Module to be used.
+      #     Possible values: apparmor, selinux, none
     end
   end
 end