Merge remote-tracking branch 'origin/SLE-15-SP2'

yast · Feb 16, 2021 · e0abf8a · e0abf8a
2 parents 7608de3 + 0ad18aa
commit e0abf8a
Show file tree

Hide file tree

Showing 14 changed files with 1,332 additions and 15 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,2 @@
+FROM registry.opensuse.org/yast/sle-15/sp2/containers/yast-ruby
+COPY . /usr/src/app
diff --git a/Rakefile b/Rakefile
@@ -1,5 +1,7 @@
 require "yast/rake"
 
+Yast::Tasks.submit_to :sle15sp2
+
 Yast::Tasks.configuration do |conf|
   # lets ignore license check for now
   conf.skip_license_check << /.*/

diff --git a/package/yast2-security.changes b/package/yast2-security.changes
@@ -1,4 +1,5 @@
 -------------------------------------------------------------------
+
 Mon Feb 15 11:35:59 UTC 2021 - Josef Reidinger <jreidinger@suse.com>
 
 - Adapted unit test to recent changes in Yast::Report (related to

diff --git a/package/yast2-security.spec b/package/yast2-security.spec
@@ -33,10 +33,14 @@ BuildRequires:  update-desktop-files
 # Pam.List
 BuildRequires:  yast2-pam >= 4.3.1
 BuildRequires:  yast2-devtools >= 4.2.2
+# Y2Security::Selinux requires Yast::Bootloader
+BuildRequires:  yast2-bootloader
 BuildRequires:  rubygem(%{rb_default_ruby_abi}:yast-rake) >= 0.2.5
 BuildRequires:  rubygem(%{rb_default_ruby_abi}:rspec)
 # CFA::SysctlConfig
 BuildRequires:  yast2 >= 4.2.66
+# CFA::Selinux
+BuildRequires:  augeas-lenses
 # Unfortunately we cannot move this to macros.yast,
 # bcond within macros are ignored by osc/OBS.
 %bcond_with yast_run_ci_tests
@@ -51,6 +55,10 @@ Requires:       yast2 >= 4.2.66
 Requires:       yast2-ruby-bindings >= 1.0.0
 # Pam.List
 Requires:       yast2-pam >= 4.3.1
+# Y2Security::Selinux requires Yast::Bootloader
+Requires:       yast2-bootloader
+# CFA::Selinux
+Requires:       augeas-lenses
 
 Provides:       y2c_sec yast2-config-security
 Provides:       yast2-trans-security y2t_sec

diff --git a/src/autoyast-rnc/security.rnc b/src/autoyast-rnc/security.rnc
@@ -9,6 +9,7 @@ cwd_in_user_path = element cwd_in_user_path { STRING }
 disable_restart_on_update = element disable_restart_on_update { STRING }
 disable_stop_on_removal = element disable_stop_on_removal { STRING }
 extra_services = element extra_services { STRING }
+selinux_mode = element selinux_mode { STRING }
 displaymanager_remote_access = element displaymanager_remote_access { STRING }
 displaymanager_root_login_remote = element displaymanager_root_login_remote { STRING }
 displaymanager_shutdown = element displaymanager_shutdown { STRING }
@@ -72,6 +73,7 @@ y2_security =
   | disable_restart_on_update
   | disable_stop_on_removal
   | extra_services
+  | selinux_mode
   | displaymanager_remote_access
   | displaymanager_root_login_remote
   | displaymanager_xserver_tcp_port_6000_open

diff --git a/src/clients/security_auto.rb b/src/clients/security_auto.rb
@@ -30,6 +30,8 @@
 # goes through the configuration and return the setting.
 # Does not do any changes to the configuration.
 
+require "y2security/selinux"
+
 # @param function to execute
 # @param map/list of security settings
 # @return [Hash] edited settings, Summary or boolean on success depending on called function
@@ -47,6 +49,7 @@ def main
 
       Yast.import "Map"
       Yast.import "Security"
+      Yast.import "AutoInstall"
 
       Yast.include self, "security/routines.rb"
       Yast.include self, "security/wizards.rb"
@@ -80,6 +83,23 @@ def main
         @ret = SecurityAutoSequence()
       # Import Data
       elsif @func == "Import"
+
+        #Checking value semantic
+        if @param.has_key?("selinux_mode")
+          selinux_values = Y2Security::Selinux.new.modes.map {|m| m.id.to_s}
+          if !selinux_values.include?(@param["selinux_mode"])
+            Yast::AutoInstall.issues_list.add(
+              :invalid_value,
+              "security",
+              "selinux_mode",
+              @param["selinux_mode"],
+              _("Wrong SELinux mode. Possible values: ") +
+              selinux_values.join(", "),
+              :warn
+            )
+          end
+        end
+
         # Compat
         if Builtins.haskey(@param, "encryption")
           Ops.set(

diff --git a/src/lib/cfa/selinux.rb b/src/lib/cfa/selinux.rb
@@ -0,0 +1,94 @@
+# Copyright (c) [2021] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "yast"
+require "cfa/base_model"
+require "yast2/target_file"
+
+module CFA
+  # CFA based class to handle the SELinux configuration file
+  #
+  # @example Reading a value
+  #   file = CFA::Selinux.new
+  #   file.load
+  #   file.selinux #=> "enforcing"
+  #
+  # @example Writing a value
+  #   file = CFA::Selinux.new
+  #   file.selinux = "permissive"
+  #   file.save
+  #
+  # @example Loading shortcut
+  #   file = CFA::Selinux.load
+  #   file.selinux #=> "enforcing"
+  class Selinux < BaseModel
+    extend Yast::Logger
+    include Yast::Logger
+
+    attributes(
+      selinux: "SELINUX"
+    )
+
+    # Instantiates and loads a file when possible
+    #
+    # This method is basically a shortcut to instantiate and load the content in just one call.
+    #
+    # @param file_handler [#read,#write] something able to read/write a string (like File)
+    # @param file_path    [String] File path
+    # @return [Selinux] File with the already loaded content
+    def self.load(file_handler: Yast::TargetFile, file_path: PATH)
+      file = new(file_path: file_path, file_handler: file_handler)
+      file.tap(&:load)
+    rescue Errno::ENOENT
+      log.info("#{file_path} couldn't be loaded. Probably the file does not exist yet.")
+
+      file
+    end
+
+    # Constructor
+    #
+    # @param file_handler [#read,#write] something able to read/write a string (like File)
+    # @param file_path    [String] File path
+    #
+    # @see CFA::BaseModel#initialize
+    def initialize(file_handler: Yast::TargetFile, file_path: PATH)
+      super(AugeasParser.new(LENS), file_path, file_handler: file_handler)
+    end
+
+    def save
+      super
+    rescue Errno::EACCES
+      log.info("Permission denied when writting to #{@file_path}")
+      false
+    end
+
+    private
+
+    # Default path to the SELinux config file
+    PATH = "/etc/selinux/config".freeze
+    private_constant :PATH
+
+    # The lens to be used by Augeas parser
+    #
+    # @note uses the simplevars lens instead of semanage because the latest is only available from
+    #   augeas-lenses >= 1.12. See https://github.com/hercules-team/augeas/pull/594/files
+    LENS = "simplevars.lns".freeze
+    private_constant :LENS
+  end
+end