autopatch/scap-security-guide
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix product=="rhel10" equality gates for almalinux10; enable auto_increment

Browse Source 
Step 5 only rewrote the list-membership form (product in [...,"rhel10"]),
so the 7 shared rules using the equality form (product == "rhel10") fell
through to the generic else branch for almalinux10. Most visibly,
configure_custom_crypto_policy_cis emitted DEFAULT:NO-SHA1, but the NO-SHA1
subpolicy module was dropped from crypto-policies on EL10, so
'update-crypto-policies --set DEFAULT:NO-SHA1:NO-SSHCBC' failed. Now
almalinux10 follows the rhel10 branch (DEFAULT + self-created modules).

Also set auto_increment on the .alma.1 release suffix.
This commit is contained in:
Andrew Lukoshko 2026-06-09 17:59:44 +02:00
parent b89a9c615f
commit c2670e5d11
2 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
config.yaml
View File

@ -37,6 +37,7 @@ actions:
- modify_release:
- suffix: ".alma.1"
enabled: true
auto_increment: true
- changelog_entry:
- name: "Andrew Lukoshko"

11
files/add-almalinux10-support.sh
View File

@ -36,9 +36,20 @@ find ./shared -type f -exec sed -i \
-e 's|<platform>multi_platform_rhel</platform>|<platform>multi_platform_rhel</platform>\n<platform>multi_platform_almalinux</platform>|g' {} \;
# 5. Improve Ansible support in conditionals
# Two product-gating idioms are used in the shared rule templates:
# - list membership: {% if product in [..., "rhel10"] %}
# - equality: {% if product == "rhel10" %}
# The list form is rewritten below. The equality form is NOT a substring of
# the list form, so it must be handled separately, otherwise almalinux10
# silently falls through to the generic `else` branch of those rules (e.g.
# configure_custom_crypto_policy_cis emits DEFAULT:NO-SHA1, a module dropped
# from crypto-policies on EL10, breaking `update-crypto-policies --set`).
find ./linux_os -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i \
-e '/if product in/ s/"rhel10"/"rhel10", "almalinux10"/g' {} \;
find ./linux_os ./shared -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i -E \
-e 's/product == (["'\''])rhel10\1/(product == \1rhel10\1 or product == \1almalinux10\1)/g' {} \;
# 6. Add AlmaLinux 10 constants
sed -i \
-e 's/ALMALINUX9/ALMALINUX10/g' \