rpms/oscap-anaconda-addon
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import oscap-anaconda-addon-2.0.0-8.el9

Browse Source
This commit is contained in:
CentOS Sources 2022-05-17 04:50:47 -04:00 committed by Stepan Oksanichenko
commit b253cbc57f
11 changed files with 2451 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
SOURCES/addon-dbus-data.zip
SOURCES/oscap-anaconda-addon-2.0.0.tar.gz

2
.oscap-anaconda-addon.metadata Normal file
View File

@ -0,0 +1,2 @@
5645cafa41192e05989f7333db23e20bb7f35604 SOURCES/addon-dbus-data.zip
d04955d3fcae16a86087af731e837d5ce06fe349 SOURCES/oscap-anaconda-addon-2.0.0.tar.gz

1526
SOURCES/lang.patch Normal file
View File

File diff suppressed because it is too large Load Diff

39
SOURCES/oscap-anaconda-addon-1.2.2-dbus_show_integration-PR_182.patch Normal file
View File

@ -0,0 +1,39 @@
From 20843d815a82d10cba773f4e10e9a45c57d5e12e Mon Sep 17 00:00:00 2001
From: Vendula Poncova <vponcova@redhat.com>
Date: Wed, 18 Aug 2021 10:54:20 +0200
Subject: [PATCH] Don't show the OSCAP spoke if the OSCAP DBus module is
disabled
Add-ons can be disabled in the Anaconda configuration files. Without the fix,
the OSCAP DBus module is started on demand by the OSCAP spoke even though it
shouldn't be activated. In the future, it will result in a failure of the
installer.
Related: rhbz#1994003
---
org_fedora_oscap/gui/spokes/oscap.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 36c8d7a..fe26076 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -36,6 +36,7 @@
from org_fedora_oscap.structures import PolicyData
from pyanaconda.modules.common.constants.services import USERS
+from pyanaconda.modules.common.util import is_module_available
from pyanaconda.threading import threadMgr, AnacondaThread
from pyanaconda.ui.gui.spokes import NormalSpoke
from pyanaconda.ui.communication import hubQ
@@ -203,6 +204,10 @@ class OSCAPSpoke(NormalSpoke):
# as it is displayed inside the spoke as the spoke label,
# and spoke labels are all uppercase by a convention.
+ @classmethod
+ def should_run(cls, environment, data):
+ return is_module_available(OSCAP)
+
# methods defined by API and helper methods #
def __init__(self, data, storage, payload):
"""

14
SOURCES/oscap-anaconda-addon-2.0.1-fix_archive_handling-PR_170.patch Normal file
View File

@ -0,0 +1,14 @@
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index bc14ef1..ccfe6c8 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -225,7 +225,8 @@ def _gather_available_files(self, actually_fetched_content, dest_filename):
if not dest_filename: # using scap-security-guide
fpaths = [self.DEFAULT_SSG_DATA_STREAM_PATH]
else: # Using downloaded XCCDF/OVAL/DS/tailoring
- fpaths = glob(str(self.CONTENT_DOWNLOAD_LOCATION / "*.xml"))
+ fpaths = pathlib.Path(self.CONTENT_DOWNLOAD_LOCATION).rglob("*")
+ fpaths = [str(p) for p in fpaths if p.is_file()]
else:
dest_filename = pathlib.Path(dest_filename)
# RPM is an archive at this phase

22
SOURCES/oscap-anaconda-addon-2.0.1-fix_fingerprint-PR_177.patch Normal file
View File

@ -0,0 +1,22 @@
From c72b95146650b0debc36b8da546b60a9d5482ab3 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 15 Oct 2021 15:28:24 +0200
Subject: [PATCH] Fix bad destination for the parsed content fingerprint
---
org_fedora_oscap/service/kickstart.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org_fedora_oscap/service/kickstart.py b/org_fedora_oscap/service/kickstart.py
index d6f22ac..dc1a100 100644
--- a/org_fedora_oscap/service/kickstart.py
+++ b/org_fedora_oscap/service/kickstart.py
@@ -140,7 +140,7 @@ def _parse_fingerprint(self, value):
msg = "Unsupported fingerprint"
raise KickstartValueError(msg)
- self.fingerprint = value
+ self.policy_data.fingerprint = value
def _parse_certificates(self, value):
self.policy_data.certificates = value

32
SOURCES/oscap-anaconda-addon-2.0.1-fix_no_hardening-PR_176.patch Normal file
View File

@ -0,0 +1,32 @@
From 56806b88b139d62276e8522bb3daf7d4fb02df84 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 15 Oct 2021 15:05:55 +0200
Subject: [PATCH] Represent unselected profile by an empty string
None can't be passed via the DBUS interface.
---
org_fedora_oscap/gui/spokes/oscap.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 4425757..36c8d7a 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -244,7 +244,7 @@ def __init__(self, data, storage, payload):
self.__old_root_pw = None
# used to check if the profile was changed or not
- self._active_profile = None
+ self._active_profile = ""
# prevent multiple simultaneous data fetches
self._fetching = False
@@ -719,7 +719,7 @@ def _unselect_profile(self, profile_id):
self._revert_rootpw_changes()
self._rule_data = None
- self._active_profile = None
+ self._active_profile = ""
@async_action_wait
def _select_profile(self, profile_id):

29
SOURCES/oscap-anaconda-addon-2.0.1-rhel9_tailoring_fix-PR_180.patch Normal file
View File

@ -0,0 +1,29 @@
From a306b736f144260721dfae25f0b268353d6760c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 25 Nov 2021 15:15:14 +0100
Subject: [PATCH] Fix tailoring
Fixes an error during installation caused during tailoring
Addressing:
dasbus.error.DBusError: Content evaluation and remediation with the oscap tool failed: OpenSCAP Error: Unable to open file: '/tmp/openscap_data/usr/share/xml/scap/sc_tailoring/tailoring-xccdf.xml' [/builddir/build/BUILD/openscap-1.3.5/src/source/oscap_source.c:288]
This is proabably a typo coming from 87509fb6ee22b6eeaa66ea4ae85ebf5abd353e14
which is only in rhel9-branch.
---
org_fedora_oscap/service/oscap.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org_fedora_oscap/service/oscap.py b/org_fedora_oscap/service/oscap.py
index 4237a47..65da08b 100755
--- a/org_fedora_oscap/service/oscap.py
+++ b/org_fedora_oscap/service/oscap.py
@@ -221,7 +221,7 @@ def install_with_tasks(self):
sysroot=conf.target.system_root,
policy_data=self.policy_data,
target_content_path=common.get_postinst_content_path(self.policy_data),
- target_tailoring_path=common.get_preinst_tailoring_path(self.policy_data)
+ target_tailoring_path=common.get_postinst_tailoring_path(self.policy_data)
)
]

460
SOURCES/oscap-anaconda-addon-2.0.1-various_bugfixes-PR_166.patch Normal file
View File

@ -0,0 +1,460 @@
From aeb0e2ed5a524c5d4e5b72b2b11ea74a5119d45a Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 2 Aug 2021 17:23:17 +0200
Subject: [PATCH 1/3] Improve logging
Make all log entries identifiable easily.
---
org_fedora_oscap/common.py | 4 ++--
org_fedora_oscap/content_discovery.py | 16 +++++++++++-----
org_fedora_oscap/gui/spokes/oscap.py | 19 ++++++++++++-------
org_fedora_oscap/rule_handling.py | 8 ++++----
org_fedora_oscap/service/installation.py | 6 +++---
org_fedora_oscap/service/kickstart.py | 2 +-
org_fedora_oscap/service/oscap.py | 12 ++++++------
7 files changed, 39 insertions(+), 28 deletions(-)
diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
index a307baa..c432168 100644
--- a/org_fedora_oscap/common.py
+++ b/org_fedora_oscap/common.py
@@ -564,7 +564,7 @@ def get_content_name(data):
def get_raw_preinst_content_path(data):
"""Path to the raw (unextracted, ...) pre-installation content file"""
if data.content_type == "scap-security-guide":
- log.debug("Using scap-security-guide, no single content file")
+ log.debug("OSCAP addon: Using scap-security-guide, no single content file")
return None
content_name = get_content_name(data)
@@ -667,7 +667,7 @@ def set_packages_data(data: PackagesConfigurationData):
payload_proxy = get_payload_proxy()
if payload_proxy.Type != PAYLOAD_TYPE_DNF:
- log.debug("The payload doesn't support packages.")
+ log.debug("OSCAP addon: The payload doesn't support packages.")
return
return payload_proxy.SetPackages(
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index 894f3e1..bc14ef1 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -98,7 +98,7 @@ def fetch_content(self, what_if_fail, ca_certs_path=""):
def _fetch_files(self, scheme, path, destdir, ca_certs_path, what_if_fail):
with self.activity_lock:
if self.now_fetching_or_processing:
- msg = "Strange, it seems that we are already fetching something."
+ msg = "OSCAP Addon: Strange, it seems that we are already fetching something."
log.warn(msg)
return
self.now_fetching_or_processing = True
@@ -175,7 +175,7 @@ def finish_content_fetch(self, fetching_thread_name, fingerprint, report_callbac
def _verify_fingerprint(self, dest_filename, fingerprint=""):
if not fingerprint:
- log.info("No fingerprint provided, skipping integrity check")
+ log.info("OSCAP Addon: No fingerprint provided, skipping integrity check")
return
hash_obj = utils.get_hashing_algorithm(fingerprint)
@@ -183,15 +183,19 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
hash_obj)
if digest != fingerprint:
log.error(
+ "OSCAP Addon: "
f"File {dest_filename} failed integrity check - assumed a "
f"{hash_obj.name} hash and '{fingerprint}', got '{digest}'"
)
- msg = _(f"Integrity check of the content failed - {hash_obj.name} hash didn't match")
+ msg = _(f"OSCAP Addon: Integrity check of the content failed - {hash_obj.name} hash didn't match")
raise content_handling.ContentCheckError(msg)
log.info(f"Integrity check passed using {hash_obj.name} hash")
def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_filename):
- threadMgr.wait(wait_for)
+ if wait_for:
+ log.info(f"OSCAP Addon: Waiting for thread {wait_for}")
+ threadMgr.wait(wait_for)
+ log.info(f"OSCAP Addon: Finished waiting for thread {wait_for}")
actually_fetched_content = wait_for is not None
if fingerprint and dest_filename:
@@ -201,6 +205,7 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
structured_content = ObtainedContent(self.CONTENT_DOWNLOAD_LOCATION)
content_type = self.get_content_type(str(dest_filename))
+ log.info(f"OSCAP Addon: started to look at the content")
if content_type in ("archive", "rpm"):
structured_content.add_content_archive(dest_filename)
@@ -211,6 +216,7 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
if fingerprint and dest_filename:
structured_content.record_verification(dest_filename)
+ log.info(f"OSCAP Addon: finished looking at the content")
return structured_content
def _gather_available_files(self, actually_fetched_content, dest_filename):
@@ -232,7 +238,7 @@ def _gather_available_files(self, actually_fetched_content, dest_filename):
)
except common.ExtractionError as err:
msg = f"Failed to extract the '{dest_filename}' archive: {str(err)}"
- log.error(msg)
+ log.error("OSCAP Addon: " + msg)
raise err
elif content_type == "file":
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 76e508f..332e956 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -331,6 +331,7 @@ def initialize(self):
# if no content was specified and SSG is available, use it
if not self._policy_data.content_type and common.ssg_available():
+ log.info("OSCAP Addon: Defaulting to local content")
self._policy_data.content_type = "scap-security-guide"
self._policy_data.content_path = common.SSG_DIR + common.SSG_CONTENT
@@ -351,7 +352,7 @@ def initialize(self):
self._fetch_data_and_initialize()
def _handle_error(self, exception):
- log.error(str(exception))
+ log.error("OSCAP Addon: " + str(exception))
if isinstance(exception, KickstartValueError):
self._invalid_url()
elif isinstance(exception, common.OSCAPaddonNetworkError):
@@ -365,7 +366,7 @@ def _handle_error(self, exception):
elif isinstance(exception, content_handling.ContentCheckError):
self._integrity_check_failed()
else:
- log.exception("Unknown exception occurred", exc_info=exception)
+ log.exception("OSCAP Addon: Unknown exception occurred", exc_info=exception)
self._general_content_problem()
def _render_selected(self, column, renderer, model, itr, user_data=None):
@@ -385,6 +386,7 @@ def _fetch_data_and_initialize(self):
thread_name = None
if self._policy_data.content_url and self._policy_data.content_type != "scap-security-guide":
+ log.info(f"OSCAP Addon: Actually fetching content from somewhere")
thread_name = self.content_bringer.fetch_content(
self._handle_error, self._policy_data.certificates)
@@ -442,7 +444,7 @@ def update_progress_label(msg):
msg += f" with tailoring {preinst_tailoring_path}"
else:
msg += " without considering tailoring"
- log.info(msg)
+ log.info("OSCAP Addon: " + msg)
self._content_handler = scap_content_handler.SCAPContentHandler(
preinst_content_path,
@@ -456,7 +458,7 @@ def update_progress_label(msg):
return
- log.info("OAA: Done with analysis")
+ log.info("OSCAP Addon: Done with analysis")
self._ds_checklists = self._content_handler.get_data_streams_checklists()
if self._using_ds:
@@ -592,7 +594,7 @@ def _update_profiles_store(self):
try:
profiles = self._content_handler.get_profiles()
except scap_content_handler.SCAPContentHandlerError as e:
- log.warning(str(e))
+ log.warning("OSCAP Addon: " + str(e))
self._invalid_content()
for profile in profiles:
@@ -736,7 +738,7 @@ def _select_profile(self, profile_id):
ds, xccdf, common.get_preinst_tailoring_path(self._policy_data))
except common.OSCAPaddonError as exc:
log.error(
- "Failed to get rules for the profile '{}': {}"
+ "OSCAP Addon: Failed to get rules for the profile '{}': {}"
.format(profile_id, str(exc)))
self._set_error(
"Failed to get rules for the profile '{}'"
@@ -908,6 +910,7 @@ def refresh(self):
def _refresh_ui(self):
"""Refresh the UI elements."""
if not self._content_defined:
+ log.info("OSCAP Addon: Content not defined")
# hide the control buttons
really_hide(self._control_buttons)
@@ -1156,7 +1159,9 @@ def on_fetch_button_clicked(self, *args):
with self._fetch_flag_lock:
if self._fetching:
# some other fetching/pre-processing running, give up
- log.warn("Clicked the fetch button, although the GUI is in the fetching mode.")
+ log.warn(
+ "OSCAP Addon: "
+ "Clicked the fetch button, although the GUI is in the fetching mode.")
return
# prevent user from changing the URL in the meantime
diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
index c478aa0..244aac8 100644
--- a/org_fedora_oscap/rule_handling.py
+++ b/org_fedora_oscap/rule_handling.py
@@ -261,7 +261,7 @@ def new_rule(self, rule):
try:
actions[first_word](rule)
except (ModifiedOptionParserException, KeyError) as e:
- log.warning("Unknown OSCAP Addon rule '{}': {}".format(rule, e))
+ log.warning("OSCAP Addon: Unknown OSCAP Addon rule '{}': {}".format(rule, e))
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
@@ -565,7 +565,7 @@ def eval_rules(self, ksdata, storage, report_only=False):
# root password set
if users_proxy.IsRootPasswordCrypted:
msg = _("cannot check root password length (password is crypted)")
- log.warning("cannot check root password length (password is crypted)")
+ log.warning("OSCAP Addon: cannot check root password length (password is crypted)")
return [RuleMessage(self.__class__,
common.MESSAGE_TYPE_WARNING, msg)]
elif len(users_proxy.RootPassword) < self._minlen:
@@ -880,7 +880,7 @@ def eval_rules(self, ksdata, storage, report_only=False):
kdump_proxy.KdumpEnabled = self._kdump_enabled
else:
- log.warning("com_redhat_kdump is not installed. "
+ log.warning("OSCAP Addon: com_redhat_kdump is not installed. "
"Skipping kdump configuration")
return messages
@@ -894,7 +894,7 @@ def revert_changes(self, ksdata, storage):
if self._kdump_enabled is not None:
kdump_proxy.KdumpEnabled = self._kdump_default_enabled
else:
- log.warning("com_redhat_kdump is not installed. "
+ log.warning("OSCAP Addon: com_redhat_kdump is not installed. "
"Skipping reverting kdump configuration")
self._kdump_enabled = None
diff --git a/org_fedora_oscap/service/installation.py b/org_fedora_oscap/service/installation.py
index e3a1d0f..2da8559 100644
--- a/org_fedora_oscap/service/installation.py
+++ b/org_fedora_oscap/service/installation.py
@@ -28,14 +28,14 @@
from org_fedora_oscap.content_handling import ContentCheckError
from org_fedora_oscap import content_discovery
-log = logging.getLogger(__name__)
+log = logging.getLogger("anaconda")
REQUIRED_PACKAGES = ("openscap", "openscap-scanner",)
def _handle_error(exception):
- log.error("Failed to fetch and initialize SCAP content!")
+ log.error("OSCAP Addon: Failed to fetch and initialize SCAP content!")
if isinstance(exception, ContentCheckError):
msg = _("The integrity check of the security content failed.")
@@ -87,7 +87,7 @@ def run(self):
content = self.content_bringer.finish_content_fetch(
fetching_thread_name, self._policy_data.fingerprint,
- lambda msg: log.info(msg), content_dest, _handle_error)
+ lambda msg: log.info("OSCAP Addon: " + msg), content_dest, _handle_error)
if not content:
# this shouldn't happen because error handling is supposed to
diff --git a/org_fedora_oscap/service/kickstart.py b/org_fedora_oscap/service/kickstart.py
index 341c6c5..d6f22ac 100644
--- a/org_fedora_oscap/service/kickstart.py
+++ b/org_fedora_oscap/service/kickstart.py
@@ -25,7 +25,7 @@
from org_fedora_oscap import common, utils
from org_fedora_oscap.structures import PolicyData
-log = logging.getLogger(__name__)
+log = logging.getLogger("anaconda")
__all__ = ["OSCAPKickstartSpecification"]
diff --git a/org_fedora_oscap/service/oscap.py b/org_fedora_oscap/service/oscap.py
index d491060..4237a47 100755
--- a/org_fedora_oscap/service/oscap.py
+++ b/org_fedora_oscap/service/oscap.py
@@ -34,7 +34,7 @@
from org_fedora_oscap.service.oscap_interface import OSCAPInterface
from org_fedora_oscap.structures import PolicyData
-log = logging.getLogger(__name__)
+log = logging.getLogger("anaconda")
__all__ = ["OSCAPService"]
@@ -71,7 +71,7 @@ def policy_enabled(self, value):
"""
self._policy_enabled = value
self.policy_enabled_changed.emit()
- log.debug("Policy enabled is set to '%s'.", value)
+ log.debug("OSCAP Addon: Policy enabled is set to '%s'.", value)
@property
def policy_data(self):
@@ -89,7 +89,7 @@ def policy_data(self, value):
"""
self._policy_data = value
self.policy_data_changed.emit()
- log.debug("Policy data is set to '%s'.", value)
+ log.debug("OSCAP Addon: Policy data is set to '%s'.", value)
@property
def installation_enabled(self):
@@ -150,7 +150,7 @@ def collect_requirements(self):
:return: a list of requirements
"""
if not self.installation_enabled:
- log.debug("The installation is disabled. Skip the requirements.")
+ log.debug("OSCAP Addon: The installation is disabled. Skip the requirements.")
return []
requirements = [
@@ -180,7 +180,7 @@ def configure_with_tasks(self):
:return: a list of tasks
"""
if not self.installation_enabled:
- log.debug("The installation is disabled. Skip the configuration.")
+ log.debug("OSCAP Addon: The installation is disabled. Skip the configuration.")
return []
tasks = [
@@ -205,7 +205,7 @@ def install_with_tasks(self):
:return: a list of tasks
"""
if not self.installation_enabled:
- log.debug("The installation is disabled. Skip the installation.")
+ log.debug("OSCAP Addon: The installation is disabled. Skip the installation.")
return []
tasks = [
From b081e32012b93177167d3f7d0cc2024deb50e965 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 2 Aug 2021 17:24:15 +0200
Subject: [PATCH 2/3] Save addon data when using local content
Addon loads its data from the shared storage upon refresh,
which caused it to overwrite clicking on the "use SSG content" button.
Now the data is saved after clicking that button, and convenience
load/save methods were introduced.
---
org_fedora_oscap/gui/spokes/oscap.py | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 332e956..4425757 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -232,11 +232,8 @@ def __init__(self, data, storage, payload):
# the proxy to OSCAP DBus module
self._oscap_module = OSCAP.get_proxy()
- # the security policy data
- self._policy_enabled = self._oscap_module.PolicyEnabled
- self._policy_data = PolicyData.from_structure(
- self._oscap_module.PolicyData
- )
+ self._policy_data = PolicyData()
+ self._load_policy_data()
# used for changing profiles
self._rule_data = None
@@ -334,6 +331,7 @@ def initialize(self):
log.info("OSCAP Addon: Defaulting to local content")
self._policy_data.content_type = "scap-security-guide"
self._policy_data.content_path = common.SSG_DIR + common.SSG_CONTENT
+ self._save_policy_data()
if not self._content_defined:
# nothing more to be done now, the spoke is ready
@@ -351,6 +349,16 @@ def initialize(self):
# else fetch data
self._fetch_data_and_initialize()
+ def _save_policy_data(self):
+ self._oscap_module.PolicyData = PolicyData.to_structure(self._policy_data)
+ self._oscap_module.PolicyEnabled = self._policy_enabled
+
+ def _load_policy_data(self):
+ self._policy_data.update_from(PolicyData.from_structure(
+ self._oscap_module.PolicyData
+ ))
+ self._policy_enabled = self._oscap_module.PolicyEnabled
+
def _handle_error(self, exception):
log.error("OSCAP Addon: " + str(exception))
if isinstance(exception, KickstartValueError):
@@ -897,13 +905,7 @@ def refresh(self):
:see: pyanaconda.ui.common.UIObject.refresh
"""
- # update the security policy data
- self._policy_enabled = self._oscap_module.PolicyEnabled
- fresh_data = PolicyData.from_structure(
- self._oscap_module.PolicyData
- )
-
- self._policy_data.update_from(fresh_data)
+ self._load_policy_data()
# update the UI elements
self._refresh_ui()
@@ -1202,4 +1204,5 @@ def on_change_content_clicked(self, *args):
def on_use_ssg_clicked(self, *args):
self.content_bringer.use_system_content()
+ self._save_policy_data()
self._fetch_data_and_initialize()
From fee170f54aeb9f649ab891781532012a7b069f8f Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 3 Aug 2021 11:01:59 +0200
Subject: [PATCH 3/3] Refactor content identification
Don't use the multiprocessing pool - it sometimes creates probems during
its initialization:
https://bugzilla.redhat.com/show_bug.cgi?id=1989434
---
org_fedora_oscap/content_handling.py | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/org_fedora_oscap/content_handling.py b/org_fedora_oscap/content_handling.py
index f2af22f..65d5a28 100644
--- a/org_fedora_oscap/content_handling.py
+++ b/org_fedora_oscap/content_handling.py
@@ -111,9 +111,8 @@ def parse_HTML_from_content(content):
def identify_files(fpaths):
- with multiprocessing.Pool(os.cpu_count()) as p:
- labels = p.map(get_doc_type, fpaths)
- return {path: label for (path, label) in zip(fpaths, labels)}
+ result = {path: get_doc_type(path) for path in fpaths}
+ return result
def get_doc_type(file_path):
@@ -131,7 +130,9 @@ def get_doc_type(file_path):
except UnicodeDecodeError:
# 'oscap info' supplied weird output, which happens when it tries
# to explain why it can't examine e.g. a JPG.
- return None
+ pass
+ except Exception as e:
+ log.warning(f"OSCAP addon: Unexpected error when looking at {file_path}: {str(e)}")
log.info("OSCAP addon: Identified {file_path} as {content_type}"
.format(file_path=file_path, content_type=content_type))
return content_type

52
SOURCES/oscap-anaconda-addon-2.1.0-unified_help-PR_192.patch Normal file
View File

@ -0,0 +1,52 @@
From 3d7a943969d542392134f55078eadb0793b094dc Mon Sep 17 00:00:00 2001
From: Vendula Poncova <vponcova@redhat.com>
Date: Wed, 22 Sep 2021 17:52:03 +0200
Subject: [PATCH 1/2] Specify a unique screen id
All spokes and hubs should provide a unique id.
---
org_fedora_oscap/gui/spokes/oscap.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index fe26076..44c7ced 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -204,6 +204,11 @@ class OSCAPSpoke(NormalSpoke):
# as it is displayed inside the spoke as the spoke label,
# and spoke labels are all uppercase by a convention.
+ @staticmethod
+ def get_screen_id():
+ """Return a unique id of this UI screen."""
+ return "security-policy-selection"
+
@classmethod
def should_run(cls, environment, data):
return is_module_available(OSCAP)
From ae9fdc9e6e189db215aeb39f2881311e5281587b Mon Sep 17 00:00:00 2001
From: Vendula Poncova <vponcova@redhat.com>
Date: Wed, 22 Sep 2021 17:52:51 +0200
Subject: [PATCH 2/2] Remove the help_id attribute
The help_id attribute is no longer used. Specify a screen id
or redefine the help handler to provide the built-in help.
---
org_fedora_oscap/gui/spokes/oscap.py | 3 ---
1 file changed, 3 deletions(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 44c7ced..6d0aa5c 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -185,9 +185,6 @@ class OSCAPSpoke(NormalSpoke):
# name of the .glade file in the same directory as this source
uiFile = "oscap.glade"
- # id of the help content for this spoke
- help_id = "SecurityPolicySpoke"
-
# domain of oscap-anaconda-addon translations
translationDomain = "oscap-anaconda-addon"

273
SPECS/oscap-anaconda-addon.spec Normal file
View File

@ -0,0 +1,273 @@
%if 0%{?rhel} == 8
%define anaconda_core_version 33
%endif
%if 0%{?rhel} == 9
%define anaconda_core_version 34
%endif
%if 0%{?fedora}
%define anaconda_core_version %{fedora}
%endif
Name: oscap-anaconda-addon
Version: 2.0.0
Release: 8%{?dist}
Summary: Anaconda addon integrating OpenSCAP to the installation process
License: GPLv2+
URL: https://github.com/OpenSCAP/oscap-anaconda-addon
Source0: https://github.com/OpenSCAP/oscap-anaconda-addon/releases/download/r%{version}/%{name}-%{version}.tar.gz
# TODO: Remove when the fixed upstream release contains dbus service data
Source1: addon-dbus-data.zip
Patch1: lang.patch
Patch2: oscap-anaconda-addon-2.0.1-various_bugfixes-PR_166.patch
Patch3: oscap-anaconda-addon-2.0.1-fix_archive_handling-PR_170.patch
Patch4: oscap-anaconda-addon-2.0.1-fix_no_hardening-PR_176.patch
Patch5: oscap-anaconda-addon-2.0.1-fix_fingerprint-PR_177.patch
Patch6: oscap-anaconda-addon-2.0.1-rhel9_tailoring_fix-PR_180.patch
Patch7: oscap-anaconda-addon-1.2.2-dbus_show_integration-PR_182.patch
Patch8: oscap-anaconda-addon-2.1.0-unified_help-PR_192.patch
BuildArch: noarch
BuildRequires: make
BuildRequires: gettext
BuildRequires: python3-devel
BuildRequires: python3-pycurl
BuildRequires: openscap openscap-utils openscap-python3
BuildRequires: anaconda-core >= %{anaconda_core_version}
Requires: anaconda-core >= %{anaconda_core_version}
Requires: python3-pycurl
Requires: python3-kickstart
Requires: openscap openscap-utils openscap-python3
Requires: scap-security-guide
%description
This is an addon that integrates OpenSCAP utilities with the Anaconda installer
and allows installation of systems following restrictions given by a SCAP
content.
%prep
%autosetup -p1
unzip %{_sourcedir}/addon-dbus-data.zip
%build
%check
%install
make install DESTDIR=%{buildroot}
%find_lang %{name}
%files -f %{name}.lang
%{_datadir}/anaconda/addons/org_fedora_oscap
%{_datadir}/anaconda/dbus/confs/org.fedoraproject.Anaconda.Addons.OSCAP.conf
%{_datadir}/anaconda/dbus/services/org.fedoraproject.Anaconda.Addons.OSCAP.service
%doc COPYING ChangeLog README.md
%changelog
* Mon Jan 24 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-8
- Introduce unified help support
Resolves: rhbz#2043512
- Update translations
Resolves: rhbz#2017374
* Mon Dec 13 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-7
- Don't show the OSCAP spoke if the OSCAP DBus module is disabled
Resolves: rhbz#2018954
* Thu Nov 25 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-6
- Fix handling of tailoring in RHEL9
Resolves: rhbz#1996129
* Wed Nov 10 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-5
- Fix handling of content archives
Resolves: rhbz#1996129
- Fix handling of content fingerprint
Resolves: rhbz#1993065
- Fix crash when a previously selected hardening has been cancelled
Resolves: rhbz#2014108
- Pull latest translations
* Fri Aug 20 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-4
- Update translations
Resolves: rhbz#1962112
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.0.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Aug 03 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-2
- Fix issues with locally installed content and labelling of discovered content.
- Resolves: rhbz#1989434
* Fri Jul 02 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-1
- Rebase to the 2.0.0 upstream release.
- Remove the cpio dependency which is not needed any more.
* Wed Jun 23 2021 Jan Černý <jcerny@redhat.com> - 1.0-11
- Rebuild after test config change in test.yml
* Mon Jun 14 2021 Matej Tyc <matyc@redhat.com> - 1.0-10
- Unified the spec file with the Fedora one.
- Removed unwanted dependencies.
- nose is not needed for a long time.
- mock has been moved into the Python standard library, so it is also not needed.
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.0-9
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Aug 12 2019 Matěj Týč <matyc@redhat.com> - 1.0-5
- Disabled execution of tests, as they are not meant to be executed in the build environment.
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jul 03 2018 Matěj Týč <matyc@redhat.com> - 1.0-1
- Rebased to upstream version 1.0
- Python3 support, anaconda 28 support.
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.7-7
- Escape macros in %%changelog
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Wed Jan 07 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-1
- Adapt to changes in Anaconda
- Define name of the spoke window
- Set fetching flag to False when extraction error happens
- Remove code that was pushed to the anaconda's sources
* Fri Feb 28 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.6-2
- Rebuild with building issues fixed
* Fri Feb 28 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.6-1
- Getting status needs to run in the main thread
- Grab focus for the URL entry after switching notebook page
- Clear rule data when unselecting profile
- Update message as part of the initialization
- Add BuildRequires: gettext
- Include translations in the tarball and RPM
* Fri Feb 28 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.5-1
- Allow users to change content
- Show and hide control buttons properly
- Fix sensitivity of the URL entry and fetch button
- Add the button allowing users to use SSG content if available
- Fix listing python sources when creating potfile and regenerate it
- Omit the %%addon section from kickstart in dry-run mode
- Implement the dry-run mode in the GUI (trac#2)
- Add UI elements for content changing and dry-run mode
- Check content_defined instead of content_url in the GUI code
- First select the profile, then update the message store
- Remove unused import
- Ignore some more temporary/backup files
- If no content is specified and SSG is available, use it
- New special content type -- SCAP Security Guide
- Fix name of the property used when doing fingerprint check
- Get rid of an unused variable
- Fix data fetch locking to work properly with kickstart installations
- Use 'anonymous:' if no username and password is given for FTP
- Initial version of the translations template file
- First steps to dry-run mode
- Fix main notebook tabs
- Make translations work
- Manipulation with the i18n related files
- If no profile is given, default to default
- Ignore updates.img and its auxiliary directory
- Catch only fetching errors from the fetching thread
- Do not allow multiple simultaneous fetches/initializations
- Prevent user from changing the URL while we try to fetch from it
- Add support for the Default profile
- Support FTP as a content source (#1050980)
- React properly on archive extraction failure
- Refactor the code pre-processing the fetched content
- Unify exceptions from archive extraction
- Make pylint check mandatory to pass
- Support for hash based content integrity checking
* Tue Jan 14 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.4-1
- Beware of running Gtk actions from a non-main thread
- Fix path to the tailoring file when getting rules
- A git hook for running tests when pushing
- Inform user if no profile is selected
- Visually mark the selected profile
- Better UX with content URL entry and progress label
- React on invalid content properly (#1032846)
- Stop spinner when data fetching is finished
- Make the data fetching thread non-fatal (#1049989)
- Exit code 2 from the oscap tool is not an error for us (#1050913)
- Be ready to work with archives/RPMs containing data streams
- Add unit tests for the keep_type_map function
- Add support for namedtuples to keep_type_map
- Add target for running pylint check
- Add target for running just unittests
- On the way to tailoring
- Tests for kickstart XCCDF tailoring handling
- Kickstart support for XCCDF tailoring
- Check session validity also when using XCCDF benchmark
* Tue Dec 10 2013 Vratislav Podzimek <vpodzime@redhat.com> - 0.3-1
- Implement and use our own better function for joining paths
- The content entry should have focus if there is no content
- RPM is just a weird archive in the pre-installation phase
- Ignore RPM files as well
- Adapt tests to dir constants now ending with "/"
- CpioArchive cannot be created from a piped output
- Fix namespace definitions in the testing XCCDF file
- Prevent putting None into xccdf_session_is_sds
- Fix the __all__ variable in the common module
- Strip content dir prefix when setting xccdf/cpe paths
- Inform user we now support archive URLs as well
- Ignore various file types in the git repository
- Try to find content files in the fetched archive or RPM
- Run pylint -E as part of the test target
- Return list of extracted files/directories when extracting archive
- Do not try to search for empty file paths in archives
- Properly set the content type based on the URL's suffix
- Switch profiles on double-click
- Hook urlEntry's activate signal to fetchButton click
- Save the spoke's glade file with a new Glade
- The addon now requires the python-cpio package
- Use really_hide for the UI elements for datastream-id and xccdf-id
- Support for RPM content in the GUI spoke
- RPM content support for kickstart processing
- Add property for the raw post-installation content path
- Make content type case insensitive
- Rest of the code needed for RPM extraction
- Actually look for the file path in entry names
- Basic stuff needed for the RPM content support
- Run tests in paralel
- Specify files in a better way in spec
* Mon Oct 21 2013 Vratislav Podzimek <vpodzime@redhat.com> - 0.2-1
- Initial RPM for the oscap-anaconda-addon