Merge pull request #107 from yast/fix-read-selinux-settings-master

Do not set SELinux mode when it is not configurable

package/yast2-security.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Mar 18 11:43:42 UTC 2021 - David Diaz <dgonzalez@suse.com>
+
+- Do not set SELinux mode when it is not configurable (bsc#1182940)
+- 4.3.16
+
 -------------------------------------------------------------------
 Wed Mar  3 16:09:26 UTC 2021 - David Diaz <dgonzalez@suse.com>
 

package/yast2-security.spec

@@ -17,7 +17,7 @@
 
 
 Name:           yast2-security
-Version:        4.3.15
+Version:        4.3.16
 Release:        0
 Group:          System/YaST
 License:        GPL-2.0-only

src/modules/Security.rb

@@ -375,7 +375,9 @@ def read_kernel_settings
     #
     # @see Y2Security::Selinux
     def read_selinux_settings
-      @Settings["SELINUX_MODE"] = selinux_config.mode.id.to_s
+      return unless selinux.configurable?
+
+      @Settings["SELINUX_MODE"] = selinux.mode.id.to_s
 
       log.debug "SELINUX_MODE (after #{__callee__}): #{@Settings['SELINUX_MODE']}"
     end
@@ -548,8 +550,8 @@ def write_shadow_config
     #
     # @return true on success
     def write_selinux
-      selinux_config.mode = @Settings["SELINUX_MODE"]
-      selinux_config.save
+      selinux.mode = @Settings["SELINUX_MODE"]
+      selinux.save
     end
 
     # Write settings related to PAM behavior
@@ -901,11 +903,11 @@ def default_encrypt_method
 
     # Ensures needed patterns for SELinux, if any, will be installed
     def set_selinux_patterns
-      selinux_config.mode = @Settings["SELINUX_MODE"] unless @Settings["SELINUX_MODE"].to_s.empty?
+      selinux.mode = @Settings["SELINUX_MODE"] unless @Settings["SELINUX_MODE"].to_s.empty?
 
       # Please, keep the unique id synced with the one used in normal installation
       # See https://github.com/yast/yast-installation/blob/7c19909e9700242209645cf12a4daffe1cd54194/src/lib/installation/clients/security_proposal.rb#L244-L247
-      PackagesProposal.SetResolvables("SELinux", :pattern, selinux_config.needed_patterns)
+      PackagesProposal.SetResolvables("SELinux", :pattern, selinux.needed_patterns)
     end
 
     # Sets @missing_mandatory_services honoring the systemd aliases
@@ -981,8 +983,8 @@ def shadow_config
   # Returns a SELinux configuration handler
   #
   # @return [Y2Security::Selinux] the SELinux config handler
-  def selinux_config
-    @selinux_config ||= Y2Security::Selinux.new
+  def selinux
+    @selinux ||= Y2Security::Selinux.new
   end
 
   # Checks if the service is allowed (i.e. not considered 'extra')

test/levels_test.rb

@@ -50,7 +50,7 @@ def apply_level2
         change_scr_root(File.join(DATA_PATH, "system"))
         stub_scr_write
         allow(Package).to receive(:Installed).with("systemd").and_return true
-        allow(Security.selinux_config).to receive(:save)
+        allow(Security.selinux).to receive(:save)
       end
 
       after do

test/security_test.rb

@@ -244,18 +244,18 @@ def enabled?
       let(:requested_mode) { "enforcing" }
 
       before do
-        allow(subject.selinux_config).to receive(:save)
+        allow(subject.selinux).to receive(:save)
         subject.Settings["SELINUX_MODE"] = requested_mode
       end
 
       it "sets the SELinux mode" do
-        expect(subject.selinux_config).to receive(:mode=).with(requested_mode)
+        expect(subject.selinux).to receive(:mode=).with(requested_mode)
 
         subject.write_selinux
       end
 
       it "saves the selinux config" do
-        expect(subject.selinux_config).to receive(:save)
+        expect(subject.selinux).to receive(:save)
 
         subject.write_selinux
       end
@@ -646,23 +646,45 @@ def enabled?
 
     describe "#read_selinux_settings" do
       let(:mode) { double("Y2Security::Selinux::Mode", id: :enforcing) }
+      let(:configurable) { true }
 
       before do
-        allow(subject.selinux_config).to receive(:mode).and_return(mode)
+        allow(subject.selinux).to receive(:mode).and_return(mode)
+        allow(subject.selinux).to receive(:configurable?).and_return(configurable)
       end
 
-      it "reads the selinux mode" do
-        expect(subject.selinux_config).to receive(:mode)
+      context "when SELinux is configurable" do
+        it "reads the selinux mode" do
+          expect(subject.selinux).to receive(:mode)
 
-        subject.read_selinux_settings
+          subject.read_selinux_settings
+        end
+
+        it "sets the SELINUX_MODE setting" do
+          expect(Security.Settings["SELINUX_MODE"]).to eq("")
+
+          Security.read_selinux_settings
+
+          expect(Security.Settings["SELINUX_MODE"]).to eq(mode.id.to_s)
+        end
       end
 
-      it "sets the SELINUX_MODE setting" do
-        expect(Security.Settings["SELINUX_MODE"]).to eq("")
+      context "when SELinux is not configurable" do
+        let(:configurable) { false }
 
-        Security.read_selinux_settings
+        it "does not read the selinux mode" do
+          expect(subject.selinux).to_not receive(:mode)
 
-        expect(Security.Settings["SELINUX_MODE"]).to eq(mode.id.to_s)
+          subject.read_selinux_settings
+        end
+
+        it "does not set the SELINUX_MODE setting" do
+          expect(Security.Settings["SELINUX_MODE"]).to eq("")
+
+          Security.read_selinux_settings
+
+          expect(Security.Settings["SELINUX_MODE"]).to eq("")
+        end
       end
     end
 
@@ -696,7 +718,7 @@ def enabled?
         Security.Settings["SYS_UID_MIN"] = 200
         Security.Settings["SYS_GID_MIN"] = 200
 
-        allow(subject.selinux_config).to receive(:needed_patterns).and_return(selinux_patterns)
+        allow(subject.selinux).to receive(:needed_patterns).and_return(selinux_patterns)
       end
 
       it "doest not touch current Settings if given settings are empty" do