import oscap-anaconda-addon-1.2.1-4.el8

CentOS Sources 2021-11-09 05:01:11 -05:00 committed by Stepan Oksanichenko
parent 13c62bbafe
commit ae8c79d536
12 changed files with 526 additions and 6083 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/oscap-anaconda-addon-1.1.1.tar.gz
SOURCES/oscap-anaconda-addon-1.2.1.tar.gz


@ -1 +1 @@
789fbf8b6c8618619fb484a635c29d638202d015 SOURCES/oscap-anaconda-addon-1.1.1.tar.gz
9ddad97065dcdcaa475051ad576cd9f2e9a5a2cc SOURCES/oscap-anaconda-addon-1.2.1.tar.gz

File diff suppressed because it is too large


@ -1,25 +0,0 @@
From 316d1fdd46e962c2eca32dde8b6d391286bd3d28 Mon Sep 17 00:00:00 2001
From: Masahiro Matsuya <mmatsuya@redhat.com>
Date: Fri, 7 Aug 2020 15:50:05 +0900
Subject: [PATCH] avoiding UnicodeDecodeError in decode(). Output more errors
which starts with E: oscap
---
org_fedora_oscap/common.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
index 9b4b7bf..45ce727 100644
--- a/org_fedora_oscap/common.py
+++ b/org_fedora_oscap/common.py
@@ -136,8 +136,9 @@ def execute(self, ** kwargs):
(stdout, stderr) = proc.communicate()
self.stdout = stdout.decode()
- self.stderr = stderr.decode()
+ self.stderr = stderr.decode(errors="replace")
self.messages = re.findall(r'OpenSCAP Error:.*', self.stderr)
+ self.messages = self.messages + re.findall(r'E: oscap:.*', self.stderr)
self.returncode = proc.returncode


@ -1,101 +0,0 @@
From 2646bb88746aa7b1abc715b40fa0a07a865d9576 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 17 Jun 2020 14:30:52 +0200
Subject: [PATCH 1/3] Improve handling of languages.
- fix the Makefile so translations are copied to the right directory in the image
- allow generation of update image with or without translations
- regenerate the create_update_image script with latest argbash
---
Makefile | 6 ++-
create_update_image.sh | 86 ++++++++++++++++++++++++++++--------------
2 files changed, 63 insertions(+), 29 deletions(-)
diff --git a/Makefile b/Makefile
index 2c2059c..dc8e9a0 100644
--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,8 @@ ADDON = org_fedora_oscap
TESTS = tests \
testing_files
+DEFAULT_INSTALL_OF_PO_FILES ?= yes
+
OSVERSION := $(shell grep -o " [0-9]\{1,\}" /etc/redhat-release | sed "s/ //g")
ifeq ($(OSVERSION),7)
PYVERSION = ""
@@ -37,7 +39,9 @@ NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
install:
mkdir -p $(DESTDIR)$(ADDONDIR)
cp -rv $(ADDON) $(DESTDIR)$(ADDONDIR)
+ifeq ($(DEFAULT_INSTALL_OF_PO_FILES),yes)
$(MAKE) install-po-files
+endif
uninstall:
rm -rfv $(DESTDIR)$(ADDONDIR)
@@ -78,7 +82,7 @@ push-pot: potfile
zanata push $(ZANATA_PUSH_ARGS)
install-po-files:
- $(MAKE) -C po install
+ $(MAKE) -C po install RPM_BUILD_ROOT=$(DESTDIR)
test:
@echo "***Running pylint$(PYVERSION) checks***"
From 7434500bcd94c2c53d61c84a7364493372f7e053 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 17 Jun 2020 14:32:25 +0200
Subject: [PATCH 2/3] Dont use capital letters for the spoke title.
---
org_fedora_oscap/gui/spokes/oscap.glade | 2 +-
po/oscap-anaconda-addon.pot | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.glade b/org_fedora_oscap/gui/spokes/oscap.glade
index e9e2fc0..e8516c0 100644
--- a/org_fedora_oscap/gui/spokes/oscap.glade
+++ b/org_fedora_oscap/gui/spokes/oscap.glade
@@ -37,7 +37,7 @@
<property name="can_focus">False</property>
<property name="hexpand">True</property>
<property name="vexpand">True</property>
- <property name="window_name" translatable="yes">SECURITY POLICY</property>
+ <property name="window_name" translatable="yes">Security Policy</property>
<signal name="button-clicked" handler="on_back_clicked" swapped="no"/>
<child internal-child="main_box">
<object class="GtkBox" id="AnacondaSpokeWindow-main_box1">
From 00c3dd557881def88c2898fa6ced17dddfef5213 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 18 Jun 2020 15:12:40 +0200
Subject: [PATCH 3/3] Changed URI back to URL in order not to mess with
translations.
The PR #112 marked this string as translatable, and changed it in the process.
However, the string is already present elsewhere in the source code, so this move
messed things up for translators.
This change reverts the URL->URI change, and leaves the GUI string "translatable",
as there is no way how to record the reason for this decision, so the situation doesn't repeat again.
As a result, it is now the job of the translation framework
to deal with the duplication gracefully.
---
org_fedora_oscap/gui/spokes/oscap.glade | 2 +-
po/oscap-anaconda-addon.pot | 9 ++-------
2 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.glade b/org_fedora_oscap/gui/spokes/oscap.glade
index e8516c0..1adcfcf 100644
--- a/org_fedora_oscap/gui/spokes/oscap.glade
+++ b/org_fedora_oscap/gui/spokes/oscap.glade
@@ -446,7 +446,7 @@
<object class="GtkLabel" id="noContentLabel">
<property name="visible">True</property>
<property name="can_focus">False</property>
- <property name="label" translatable="yes">No content found. Please enter data stream content or archive URI below:</property>
+ <property name="label" translatable="yes">No content found. Please enter data stream content or archive URL below:</property>
<property name="wrap">True</property>
<property name="xalign">0</property>
</object>


@ -1,41 +0,0 @@
From 943b2570c3196aec12a46d5b0e261f026ace0e86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 9 Jul 2020 17:15:11 +0200
Subject: [PATCH] Changed the spoke label back to uppercase.
The spoke title which is defined in the Python code and visible in the hub
should have capitalization that respects the local language convention.
However, the much less visible spoke label that is defined in the glade file
should be uppercase, and so should be translations.
---
org_fedora_oscap/gui/spokes/oscap.glade | 2 +-
org_fedora_oscap/gui/spokes/oscap.py | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.glade b/org_fedora_oscap/gui/spokes/oscap.glade
index 1adcfcf..1fd2664 100644
--- a/org_fedora_oscap/gui/spokes/oscap.glade
+++ b/org_fedora_oscap/gui/spokes/oscap.glade
@@ -37,7 +37,7 @@
<property name="can_focus">False</property>
<property name="hexpand">True</property>
<property name="vexpand">True</property>
- <property name="window_name" translatable="yes">Security Policy</property>
+ <property name="window_name" translatable="yes">SECURITY POLICY</property>
<signal name="button-clicked" handler="on_back_clicked" swapped="no"/>
<child internal-child="main_box">
<object class="GtkBox" id="AnacondaSpokeWindow-main_box1">
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index f21f7d3..b9fcd31 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -196,6 +196,9 @@ class OSCAPSpoke(NormalSpoke):
# title of the spoke (will be displayed on the hub)
title = N_("_Security Policy")
+ # The string "SECURITY POLICY" in oscap.glade is meant to be uppercase,
+ # as it is displayed inside the spoke as the spoke label,
+ # and spoke labels are all uppercase by a convention.
# methods defined by API and helper methods #
def __init__(self, data, storage, payload):


@ -1,25 +0,0 @@
From 9e514460c584666308967d611b26ea2927ea0535 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 18 Jun 2020 11:28:15 +0200
Subject: [PATCH] Added nfs-utils as an essential package for GUI envs.
---
org_fedora_oscap/rule_handling.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
index 3728f89..6a3a04e 100644
--- a/org_fedora_oscap/rule_handling.py
+++ b/org_fedora_oscap/rule_handling.py
@@ -43,7 +43,10 @@
ESSENTIAL_PACKAGES = {
"xorg-x11-server-common": {
"env": ["graphical-server-environment", "workstation-product-environment"],
- }
+ },
+ "nfs-utils": {
+ "env": ["graphical-server-environment", "workstation-product-environment"],
+ },
}
log = logging.getLogger("anaconda")


@ -1,82 +0,0 @@
From 6c285154723f618675c3a216ce84b480d770c10d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 9 Jun 2020 16:56:32 +0200
Subject: [PATCH 1/2] Address incompatible profiles and software selections.
This change introduces a mechanism that allows to vet packages marked for removal.
Such package can now have a record in the ESSENTIAL_PACKAGES dict,
that define whether the package is essential => cant be removed
based on the environment and groups selected in the Software Selection Anaconda spoke.
In case when one first selects the profile and then changes the Software Selection
to an incompatible setting, the Selection spoke will raise an error, as it already
tries to apply the blacklist with its environment/groups.
---
org_fedora_oscap/rule_handling.py | 38 +++++++++++++++++++++++++++----
1 file changed, 33 insertions(+), 5 deletions(-)
diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
index cd67822..3728f89 100644
--- a/org_fedora_oscap/rule_handling.py
+++ b/org_fedora_oscap/rule_handling.py
@@ -40,6 +40,12 @@
__all__ = ["RuleData"]
+ESSENTIAL_PACKAGES = {
+ "xorg-x11-server-common": {
+ "env": ["graphical-server-environment", "workstation-product-environment"],
+ }
+}
+
log = logging.getLogger("anaconda")
_ = common._
@@ -627,6 +633,20 @@ def __str__(self):
return ret
+ def _package_is_essential(self, package_name, ksdata_packages):
+ if package_name not in ESSENTIAL_PACKAGES:
+ return False
+ if package_name in ksdata_packages.packageList:
+ return True
+ selected_install_env = ksdata_packages.environment
+ if selected_install_env in ESSENTIAL_PACKAGES[package_name].get("env"):
+ return True
+ selected_install_groups_names = {g.name for g in ksdata_packages.groupList}
+ for g in ESSENTIAL_PACKAGES[package_name].get("groups", []):
+ if g in selected_install_groups_names:
+ return True
+ return False
+
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
@@ -655,13 +675,21 @@ def eval_rules(self, ksdata, storage, report_only=False):
common.MESSAGE_TYPE_INFO, msg))
# now do the same for the packages that should be excluded
-
# add messages for the already excluded packages
for pkg in self._removed_pkgs:
- msg = _("package '%s' has been added to the list of excluded "
- "packages" % pkg)
- messages.append(RuleMessage(self.__class__,
- common.MESSAGE_TYPE_INFO, msg))
+ if self._package_is_essential(pkg, ksdata.packages):
+ msg = _(
+ "package '{package}' has been added to the list "
+ "of excluded packages, but it can't be removed "
+ "from the current software selection without breaking the installation."
+ .format(package=pkg))
+ messages.append(RuleMessage(self.__class__,
+ common.MESSAGE_TYPE_FATAL, msg))
+ else:
+ msg = _("package '%s' has been added to the list of excluded "
+ "packages" % pkg)
+ messages.append(RuleMessage(self.__class__,
+ common.MESSAGE_TYPE_INFO, msg))
# packages, that should be added
packages_to_remove = (pkg for pkg in self._remove_pkgs


@ -1,50 +0,0 @@
From 1de759e8bcf1caddddfdda59496473ed9b525365 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 4 Nov 2020 17:48:35 +0100
Subject: [PATCH] Expanded group data to detect more package collisions.
This should cover RHEL8 OSPP and CIS profiles.
---
org_fedora_oscap/rule_handling.py | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
index 6a3a04e..80d86c7 100644
--- a/org_fedora_oscap/rule_handling.py
+++ b/org_fedora_oscap/rule_handling.py
@@ -40,12 +40,26 @@
__all__ = ["RuleData"]
+# Mapping of packages to package environments and/or groups that depends on them
+# See also https://access.redhat.com/solutions/1201413 how to get group IDs.
+# on RHEL8, use e.g. grep -R "<id>" /var/cache/dnf/*
ESSENTIAL_PACKAGES = {
"xorg-x11-server-common": {
"env": ["graphical-server-environment", "workstation-product-environment"],
+ "groups": ["workstation-product-environment"],
},
"nfs-utils": {
"env": ["graphical-server-environment", "workstation-product-environment"],
+ "groups": ["workstation-product-environment"],
+ },
+ "tftp": {
+ "groups": ["network-server"],
+ },
+ "abrt": {
+ "groups": ["debugging"],
+ },
+ "gssproxy": {
+ "groups": ["file-server"],
},
}
@@ -642,7 +656,7 @@ def _package_is_essential(self, package_name, ksdata_packages):
if package_name in ksdata_packages.packageList:
return True
selected_install_env = ksdata_packages.environment
- if selected_install_env in ESSENTIAL_PACKAGES[package_name].get("env"):
+ if selected_install_env in ESSENTIAL_PACKAGES[package_name].get("env", []):
return True
selected_install_groups_names = {g.name for g in ksdata_packages.groupList}
for g in ESSENTIAL_PACKAGES[package_name].get("groups", []):


@ -0,0 +1,39 @@
From 1abc4e96638e819d3fbee74396b36a6ccaf0ab29 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 3 Aug 2021 11:01:59 +0200
Subject: [PATCH] Refactor content identification
Don't use the multiprocessing pool - it sometimes creates probems during
its initialization:
https://bugzilla.redhat.com/show_bug.cgi?id=1989441
---
org_fedora_oscap/content_handling.py | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/org_fedora_oscap/content_handling.py b/org_fedora_oscap/content_handling.py
index f2af22f..65d5a28 100644
--- a/org_fedora_oscap/content_handling.py
+++ b/org_fedora_oscap/content_handling.py
@@ -111,9 +111,8 @@ def parse_HTML_from_content(content):
def identify_files(fpaths):
- with multiprocessing.Pool(os.cpu_count()) as p:
- labels = p.map(get_doc_type, fpaths)
- return {path: label for (path, label) in zip(fpaths, labels)}
+ result = {path: get_doc_type(path) for path in fpaths}
+ return result
def get_doc_type(file_path):
@@ -131,7 +130,9 @@ def get_doc_type(file_path):
except UnicodeDecodeError:
# 'oscap info' supplied weird output, which happens when it tries
# to explain why it can't examine e.g. a JPG.
- return None
+ pass
+ except Exception as e:
+ log.warning(f"OSCAP addon: Unexpected error when looking at {file_path}: {str(e)}")
log.info("OSCAP addon: Identified {file_path} as {content_type}"
.format(file_path=file_path, content_type=content_type))
return content_type
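Review bot: In get_doc_type, both failure branches now fall through to the `log.info("OSCAP addon: Identified ...")` line: the new `except Exception as e:` only logs a warning, and `except UnicodeDecodeError` now does `pass` instead of `return None`. A file whose inspection failed is therefore still logged as identified, with whatever `content_type` held before the failure. The start of the function is outside the hunk, so it is not visible whether `content_type` is assigned before the `try`; if it is not, the fall-through raises UnboundLocalError instead of returning. Ending each failure branch with an explicit return (for example `return None`, or the function's initial value if it has one) keeps the log reliable when checking which security content the installer accepted. The broad catch also drops the traceback; assuming `log` is a standard `logging` logger, `log.warning(..., exc_info=True)` would preserve it.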


@ -0,0 +1,51 @@
From 3377a914f4668af3d72216468ae192bc300890f9 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 9 Aug 2021 15:45:58 +0200
Subject: [PATCH 1/2] Fix archive handling in GUI installs
GUI downloads an archive, so the ensuing installation doesn't have to.
However, the installation has to be able to discover files recovered
from the archive.
The fix makes sure that files are discovered also in subdirectories.
---
org_fedora_oscap/content_discovery.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index f6b4d27..5fc7343 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -196,7 +196,8 @@ def _gather_available_files(self, actually_fetched_content, dest_filename):
if not dest_filename: # using scap-security-guide
fpaths = [self.DEFAULT_SSG_DATA_STREAM_PATH]
else: # Using downloaded XCCDF/OVAL/DS/tailoring
- fpaths = glob(str(self.CONTENT_DOWNLOAD_LOCATION / "*.xml"))
+ fpaths = pathlib.Path(self.CONTENT_DOWNLOAD_LOCATION).rglob("*")
+ fpaths = [str(p) for p in fpaths if p.is_file()]
else:
dest_filename = pathlib.Path(dest_filename)
# RPM is an archive at this phase
From 191df327e3e51f486fb655e97acac30222c264fa Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 9 Aug 2021 15:48:50 +0200
Subject: [PATCH 2/2] Improve logging
Logs written to log files can contain specific details.
---
org_fedora_oscap/ks/oscap.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
index d1b8c9e..65d74cf 100644
--- a/org_fedora_oscap/ks/oscap.py
+++ b/org_fedora_oscap/ks/oscap.py
@@ -393,7 +393,7 @@ def _terminate(self, message):
time.sleep(100000)
def _handle_error(self, exception):
- log.error("Failed to fetch and initialize SCAP content!")
+ log.error(f"Failed to fetch and initialize SCAP content: {str(exception)}")
if isinstance(exception, ContentCheckError):
msg = _("The integrity check of the security content failed.")
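Review bot: In `_gather_available_files`, replacing `glob(... "*.xml")` with `rglob("*")` filtered by `p.is_file()` collects every file under CONTENT_DOWNLOAD_LOCATION, and `Path.is_file()` follows symbolic links, so a link unpacked from a downloaded archive would be listed as a regular file even when its target lies outside the download directory. Whether the extraction step can produce symlinks is not visible here, so this needs confirming; a cheap guard is `fpaths = [str(p) for p in fpaths if p.is_file() and not p.is_symlink()]`. The second patch in this file writes `str(exception)` to the error log in `_handle_error`; if a fetch exception message can carry the content URL, check that it cannot include embedded credentials. The enclosing functions start and end outside both hunks.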


@ -2,8 +2,8 @@
%global _default_patch_flags --no-backup-if-mismatch
Name: oscap-anaconda-addon
Version: 1.1.1
Release: 7%{?dist}
Version: 1.2.1
Release: 4%{?dist}
Summary: Anaconda addon integrating OpenSCAP to the installation process
License: GPLv2+
@ -19,12 +19,8 @@ Source0: %{name}-%{version}.tar.gz
# Let the Patch1 be reserved for translations patches
Patch1: lang.patch
Patch2: oaa-1.2_warn-xorg.patch
Patch3: oaa-1.2_warn-nfs-utils.patch
Patch4: oaa-1.2_lang-streamline.patch
Patch5: oaa-1.2_spoke-window_PR122.patch
Patch6: oaa-1.2-unicode_issues_PR124.patch
Patch7: oscap-anaconda-addon-1.2-new_package_groups-PR_128.patch
Patch2: oscap-anaconda-addon-1.2.2-content_ident-PR_167.patch
Patch3: oscap-anaconda-addon-1.2.2-deep_archives-PR_168.patch
BuildArch: noarch
BuildRequires: make
@ -48,16 +44,11 @@ content.
%prep
%setup -q -n %{name}-%{version}
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
# As patches may translates the strings that are updated by later patches,
# Patch1 needs to be aplied last.
%patch1 -p1
%patch2 -p1
%patch3 -p1
# NOTE CONCERNING TRANSLATION PATCHES
# When preparing translation patches, don't consider that some languages are unsupported -
# we aim to include all applicable translation texts to the appropriate patch.
@ -79,6 +70,30 @@ make install DESTDIR=%{buildroot}
%doc COPYING ChangeLog README.md
%changelog
* Fri Aug 20 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-4
- Updated translations
Resolves: rhbz#1962007
* Mon Aug 09 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-3
- Fix handling of archives with directories in GUI installs
- Resolves: rhbz#1691305
* Tue Aug 03 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-2
- Refactor content identification
- Resolves: rhbz#1989441
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-1
- Rebase to the new upstream version.
- Resolves: rhbz#1691305
* Fri Jul 16 2021 Matej Tyc <matyc@redhat.com> - 1.2.0-2
- Updated translations
- Resolves: rhbz#1938623
* Fri Jun 25 2021 Matej Tyc <matyc@redhat.com> - 1.2.0-1
- Rebase to the new upstream version.
- Resolves: rhbz#1691305
* Mon Feb 15 2021 Matej Tyc <matyc@redhat.com> - 1.1.1-7
- Updated translations.