Compare commits


No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

22 changed files with 8653 additions and 1024 deletions

3
.gitignore vendored

@ -1 +1,2 @@
SOURCES/oscap-anaconda-addon-1.2.1.tar.gz
SOURCES/addon-dbus-data.zip
SOURCES/oscap-anaconda-addon-2.0.0.tar.gz


@ -1 +1,2 @@
9ddad97065dcdcaa475051ad576cd9f2e9a5a2cc SOURCES/oscap-anaconda-addon-1.2.1.tar.gz
5645cafa41192e05989f7333db23e20bb7f35604 SOURCES/addon-dbus-data.zip
d04955d3fcae16a86087af731e837d5ce06fe349 SOURCES/oscap-anaconda-addon-2.0.0.tar.gz

File diff suppressed because it is too large Load Diff


@ -1,206 +0,0 @@
From 8eacfad08b3c27aa9510f2c3337356581bd9bebd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 3 Jan 2022 17:31:49 +0100
Subject: [PATCH 1/3] Add oscap sanity check before attempting remediation
If something is obviously wrong with the scanner, then don't attempt to remediate
and try to show relevant information in a dialog window.
---
org_fedora_oscap/common.py | 39 ++++++++++++++++++++++++++++--------
org_fedora_oscap/ks/oscap.py | 11 ++++++++++
tests/test_common.py | 8 ++++++++
3 files changed, 50 insertions(+), 8 deletions(-)
diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
index 884bbc8..05829ce 100644
--- a/org_fedora_oscap/common.py
+++ b/org_fedora_oscap/common.py
@@ -139,7 +139,8 @@ def execute(self, ** kwargs):
proc = subprocess.Popen(self.args, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, ** kwargs)
except OSError as oserr:
- msg = "Failed to run the oscap tool: %s" % oserr
+ msg = ("Failed to execute command '{command_string}': {oserr}"
+ .format(command_string=command_string, oserr=oserr))
raise OSCAPaddonError(msg)
(stdout, stderr) = proc.communicate()
@@ -215,6 +216,34 @@ def _run_oscap_gen_fix(profile, fpath, template, ds_id="", xccdf_id="",
return proc.stdout
+def do_chroot(chroot):
+ """Helper function doing the chroot if requested."""
+ if chroot and chroot != "/":
+ os.chroot(chroot)
+ os.chdir("/")
+
+
+def assert_scanner_works(chroot, executable="oscap"):
+ args = [executable, "--version"]
+ command = " ".join(args)
+
+ try:
+ proc = subprocess.Popen(
+ args, preexec_fn=lambda: do_chroot(chroot),
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ (stdout, stderr) = proc.communicate()
+ stderr = stderr.decode(errors="replace")
+ except OSError as exc:
+ msg = _(f"Basic invocation '{command}' fails: {str(exc)}")
+ raise OSCAPaddonError(msg)
+ if proc.returncode != 0:
+ msg = _(
+ f"Basic scanner invocation '{command}' exited "
+ "with non-zero error code {proc.returncode}: {stderr}")
+ raise OSCAPaddonError(msg)
+ return True
+
+
def run_oscap_remediate(profile, fpath, ds_id="", xccdf_id="", tailoring="",
chroot=""):
"""
@@ -244,12 +273,6 @@ def run_oscap_remediate(profile, fpath, ds_id="", xccdf_id="", tailoring="",
if not profile:
return ""
- def do_chroot():
- """Helper function doing the chroot if requested."""
- if chroot and chroot != "/":
- os.chroot(chroot)
- os.chdir("/")
-
# make sure the directory for the results exists
results_dir = os.path.dirname(RESULTS_PATH)
if chroot:
@@ -274,7 +297,7 @@ def do_chroot():
args.append(fpath)
proc = SubprocessLauncher(args)
- proc.execute(preexec_fn=do_chroot)
+ proc.execute(preexec_fn=lambda: do_chroot(chroot))
proc.log_messages()
if proc.returncode not in (0, 2):
diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
index 65d74cf..da1600f 100644
--- a/org_fedora_oscap/ks/oscap.py
+++ b/org_fedora_oscap/ks/oscap.py
@@ -488,6 +488,17 @@ def execute(self, storage, ksdata, users, payload):
# selected
return
+ try:
+ common.assert_scanner_works(
+ chroot=conf.target.system_root, executable="oscap")
+ except Exception as exc:
+ msg_lines = [_(
+ "The 'oscap' scanner doesn't work in the installed system: {error}"
+ .format(error=str(exc)))]
+ msg_lines.append(_("As a result, the installed system can't be hardened."))
+ self._terminate("\n".join(msg_lines))
+ return
+
target_content_dir = utils.join_paths(conf.target.system_root,
common.TARGET_CONTENT_DIR)
utils.ensure_dir_exists(target_content_dir)
diff --git a/tests/test_common.py b/tests/test_common.py
index 9f7a16a..4f25379 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
@@ -77,6 +77,14 @@ def _run_oscap(mock_subprocess, additional_args):
return expected_args, kwargs
+def test_oscap_works():
+ assert common.assert_scanner_works(chroot="/")
+ with pytest.raises(common.OSCAPaddonError, match="No such file"):
+ common.assert_scanner_works(chroot="/", executable="i_dont_exist")
+ with pytest.raises(common.OSCAPaddonError, match="non-zero"):
+ common.assert_scanner_works(chroot="/", executable="false")
+
+
def test_run_oscap_remediate_profile_only(mock_subprocess, monkeypatch):
return run_oscap_remediate_profile(
mock_subprocess, monkeypatch,
From b54cf2bddba56e5b776fb60514a5e29d47c74cac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 3 Jan 2022 17:42:31 +0100
Subject: [PATCH 2/3] Don't raise exceptions in execute()
Those result in tracebacks during the installation,
while a dialog window presents a more useful form of user interaction.
---
org_fedora_oscap/ks/oscap.py | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
index da1600f..d3f0dbe 100644
--- a/org_fedora_oscap/ks/oscap.py
+++ b/org_fedora_oscap/ks/oscap.py
@@ -513,8 +513,9 @@ def execute(self, storage, ksdata, users, payload):
ret = util.execInSysroot("yum", ["-y", "--nogpg", "install",
self.raw_postinst_content_path])
if ret != 0:
- raise common.ExtractionError("Failed to install content "
- "RPM to the target system")
+ msg = _(f"Failed to install content RPM to the target system.")
+ self._terminate(msg)
+ return
elif self.content_type == "scap-security-guide":
# nothing needed
pass
@@ -525,10 +526,15 @@ def execute(self, storage, ksdata, users, payload):
if os.path.exists(self.preinst_tailoring_path):
shutil.copy2(self.preinst_tailoring_path, target_content_dir)
- common.run_oscap_remediate(self.profile_id, self.postinst_content_path,
- self.datastream_id, self.xccdf_id,
- self.postinst_tailoring_path,
- chroot=conf.target.system_root)
+ try:
+ common.run_oscap_remediate(self.profile_id, self.postinst_content_path,
+ self.datastream_id, self.xccdf_id,
+ self.postinst_tailoring_path,
+ chroot=conf.target.system_root)
+ except Exception as exc:
+ msg = _(f"Something went wrong during the final hardening: {str(exc)}.")
+ self._terminate(msg)
+ return
def clear_all(self):
"""Clear all the stored values."""
From 00d770d1b7f8e1f0734e93da227f1c3e445033c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 3 Jan 2022 17:44:12 +0100
Subject: [PATCH 3/3] Change the error feedback based on the installation mode
The original approach was confusing, because non-interactive installs run without any user input,
and the message assumed that the user is able to answer installer's questions.
---
org_fedora_oscap/ks/oscap.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
index d3f0dbe..ef34448 100644
--- a/org_fedora_oscap/ks/oscap.py
+++ b/org_fedora_oscap/ks/oscap.py
@@ -372,13 +372,14 @@ def postinst_tailoring_path(self):
self.tailoring_path)
def _terminate(self, message):
- message += "\n" + _("The installation should be aborted.")
- message += " " + _("Do you wish to continue anyway?")
if flags.flags.automatedInstall and not flags.flags.ksprompt:
# cannot have ask in a non-interactive kickstart
# installation
+ message += "\n" + _("Aborting the installation.")
raise errors.CmdlineError(message)
+ message += "\n" + _("The installation should be aborted.")
+ message += " " + _("Do you wish to continue anyway?")
answ = errors.errorHandler.ui.showYesNoQuestion(message)
if answ == errors.ERROR_CONTINUE:
# prevent any futher actions here by switching to the dry


@ -1,39 +0,0 @@
From 1abc4e96638e819d3fbee74396b36a6ccaf0ab29 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 3 Aug 2021 11:01:59 +0200
Subject: [PATCH] Refactor content identification
Don't use the multiprocessing pool - it sometimes creates probems during
its initialization:
https://bugzilla.redhat.com/show_bug.cgi?id=1989441
---
org_fedora_oscap/content_handling.py | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/org_fedora_oscap/content_handling.py b/org_fedora_oscap/content_handling.py
index f2af22f..65d5a28 100644
--- a/org_fedora_oscap/content_handling.py
+++ b/org_fedora_oscap/content_handling.py
@@ -111,9 +111,8 @@ def parse_HTML_from_content(content):
def identify_files(fpaths):
- with multiprocessing.Pool(os.cpu_count()) as p:
- labels = p.map(get_doc_type, fpaths)
- return {path: label for (path, label) in zip(fpaths, labels)}
+ result = {path: get_doc_type(path) for path in fpaths}
+ return result
def get_doc_type(file_path):
@@ -131,7 +130,9 @@ def get_doc_type(file_path):
except UnicodeDecodeError:
# 'oscap info' supplied weird output, which happens when it tries
# to explain why it can't examine e.g. a JPG.
- return None
+ pass
+ except Exception as e:
+ log.warning(f"OSCAP addon: Unexpected error when looking at {file_path}: {str(e)}")
log.info("OSCAP addon: Identified {file_path} as {content_type}"
.format(file_path=file_path, content_type=content_type))
return content_type


@ -0,0 +1,39 @@
From 20843d815a82d10cba773f4e10e9a45c57d5e12e Mon Sep 17 00:00:00 2001
From: Vendula Poncova <vponcova@redhat.com>
Date: Wed, 18 Aug 2021 10:54:20 +0200
Subject: [PATCH] Don't show the OSCAP spoke if the OSCAP DBus module is
disabled
Add-ons can be disabled in the Anaconda configuration files. Without the fix,
the OSCAP DBus module is started on demand by the OSCAP spoke even though it
shouldn't be activated. In the future, it will result in a failure of the
installer.
Related: rhbz#1994003
---
org_fedora_oscap/gui/spokes/oscap.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 36c8d7a..fe26076 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -36,6 +36,7 @@
from org_fedora_oscap.structures import PolicyData
from pyanaconda.modules.common.constants.services import USERS
+from pyanaconda.modules.common.util import is_module_available
from pyanaconda.threading import threadMgr, AnacondaThread
from pyanaconda.ui.gui.spokes import NormalSpoke
from pyanaconda.ui.communication import hubQ
@@ -203,6 +204,10 @@ class OSCAPSpoke(NormalSpoke):
# as it is displayed inside the spoke as the spoke label,
# and spoke labels are all uppercase by a convention.
+ @classmethod
+ def should_run(cls, environment, data):
+ return is_module_available(OSCAP)
+
# methods defined by API and helper methods #
def __init__(self, data, storage, payload):
"""
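Review bot: The new `should_run` classmethod has no docstring, and nothing in the code says why the spoke is gated on the module. A line such as `"""Show the spoke only when the OSCAP DBus module is enabled, so the spoke never starts a module that the configuration disabled."""` would record the intent given in the commit message. `OSCAP` is not imported in the visible hunks, so confirm it is already in scope in this file. The body of `OSCAPSpoke` continues outside the hunk.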


@ -1,51 +0,0 @@
From 3377a914f4668af3d72216468ae192bc300890f9 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 9 Aug 2021 15:45:58 +0200
Subject: [PATCH 1/2] Fix archive handling in GUI installs
GUI downloads an archive, so the ensuing installation doesn't have to.
However, the installation has to be able to discover files recovered
from the archive.
The fix makes sure that files are discovered also in subdirectories.
---
org_fedora_oscap/content_discovery.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index f6b4d27..5fc7343 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -196,7 +196,8 @@ def _gather_available_files(self, actually_fetched_content, dest_filename):
if not dest_filename: # using scap-security-guide
fpaths = [self.DEFAULT_SSG_DATA_STREAM_PATH]
else: # Using downloaded XCCDF/OVAL/DS/tailoring
- fpaths = glob(str(self.CONTENT_DOWNLOAD_LOCATION / "*.xml"))
+ fpaths = pathlib.Path(self.CONTENT_DOWNLOAD_LOCATION).rglob("*")
+ fpaths = [str(p) for p in fpaths if p.is_file()]
else:
dest_filename = pathlib.Path(dest_filename)
# RPM is an archive at this phase
From 191df327e3e51f486fb655e97acac30222c264fa Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 9 Aug 2021 15:48:50 +0200
Subject: [PATCH 2/2] Improve logging
Logs written to log files can contain specific details.
---
org_fedora_oscap/ks/oscap.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
index d1b8c9e..65d74cf 100644
--- a/org_fedora_oscap/ks/oscap.py
+++ b/org_fedora_oscap/ks/oscap.py
@@ -393,7 +393,7 @@ def _terminate(self, message):
time.sleep(100000)
def _handle_error(self, exception):
- log.error("Failed to fetch and initialize SCAP content!")
+ log.error(f"Failed to fetch and initialize SCAP content: {str(exception)}")
if isinstance(exception, ContentCheckError):
msg = _("The integrity check of the security content failed.")


@ -0,0 +1,191 @@
From c92205d5a5c788eeac84a6e67956a3e0540ab565 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 3 Jan 2022 17:31:49 +0100
Subject: [PATCH 1/2] Add oscap sanity check before attempting remediation
If something is obviously wrong with the scanner, then don't attempt to remediate
and try to show relevant information in a dialog window.
---
org_fedora_oscap/common.py | 39 +++++++++++++++++++-----
org_fedora_oscap/service/installation.py | 11 +++++++
tests/test_common.py | 8 +++++
tests/test_installation.py | 3 +-
4 files changed, 52 insertions(+), 9 deletions(-)
diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
index c432168..eeb27fc 100644
--- a/org_fedora_oscap/common.py
+++ b/org_fedora_oscap/common.py
@@ -171,7 +171,8 @@ def execute(self, ** kwargs):
proc = subprocess.Popen(self.args, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, ** kwargs)
except OSError as oserr:
- msg = "Failed to run the oscap tool: %s" % oserr
+ msg = ("Failed to execute command '{command_string}': {oserr}"
+ .format(command_string=command_string, oserr=oserr))
raise OSCAPaddonError(msg)
(stdout, stderr) = proc.communicate()
@@ -247,6 +248,34 @@ def _run_oscap_gen_fix(profile, fpath, template, ds_id="", xccdf_id="",
return proc.stdout
+def do_chroot(chroot):
+ """Helper function doing the chroot if requested."""
+ if chroot and chroot != "/":
+ os.chroot(chroot)
+ os.chdir("/")
+
+
+def assert_scanner_works(chroot, executable="oscap"):
+ args = [executable, "--version"]
+ command = " ".join(args)
+
+ try:
+ proc = subprocess.Popen(
+ args, preexec_fn=lambda: do_chroot(chroot),
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ (stdout, stderr) = proc.communicate()
+ stderr = stderr.decode(errors="replace")
+ except OSError as exc:
+ msg = _(f"Basic invocation '{command}' fails: {str(exc)}")
+ raise OSCAPaddonError(msg)
+ if proc.returncode != 0:
+ msg = _(
+ f"Basic scanner invocation '{command}' exited "
+ "with non-zero error code {proc.returncode}: {stderr}")
+ raise OSCAPaddonError(msg)
+ return True
+
+
def run_oscap_remediate(profile, fpath, ds_id="", xccdf_id="", tailoring="",
chroot=""):
"""
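Review bot: The second string literal in the non-zero exit branch of `assert_scanner_works` has no `f` prefix, so the message carries the literal text `{proc.returncode}: {stderr}` and the scanner's stderr never reaches the user; the added test only matches "non-zero" and does not catch this. Passing an f-string to `_()` also makes the lookup key vary with the command, so build the text from a static template: `msg = _("Basic scanner invocation '{command}' exited with non-zero error code {code}: {stderr}").format(command=command, code=proc.returncode, stderr=stderr)`. The `OSError` branch just above and the `_(f"...")` messages added to installation.py in patch 2/2 have the same translation problem. The function also lacks a docstring; one sentence saying it raises `OSCAPaddonError` when `executable --version` cannot be started or exits non-zero inside `chroot` would cover it.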
@@ -276,12 +305,6 @@ def run_oscap_remediate(profile, fpath, ds_id="", xccdf_id="", tailoring="",
if not profile:
return ""
- def do_chroot():
- """Helper function doing the chroot if requested."""
- if chroot and chroot != "/":
- os.chroot(chroot)
- os.chdir("/")
-
# make sure the directory for the results exists
results_dir = os.path.dirname(RESULTS_PATH)
if chroot:
@@ -306,7 +329,7 @@ def do_chroot():
args.append(fpath)
proc = SubprocessLauncher(args)
- proc.execute(preexec_fn=do_chroot)
+ proc.execute(preexec_fn=lambda: do_chroot(chroot))
proc.log_messages()
if proc.returncode not in (0, 2):
diff --git a/org_fedora_oscap/service/installation.py b/org_fedora_oscap/service/installation.py
index 2da8559..d909c44 100644
--- a/org_fedora_oscap/service/installation.py
+++ b/org_fedora_oscap/service/installation.py
@@ -239,6 +239,17 @@ def name(self):
def run(self):
"""Run the task."""
+ try:
+ common.assert_scanner_works(
+ chroot=self._sysroot, executable="oscap")
+ except Exception as exc:
+ msg_lines = [_(
+ "The 'oscap' scanner doesn't work in the installed system: {error}"
+ .format(error=str(exc)))]
+ msg_lines.append(_("As a result, the installed system can't be hardened."))
+ terminate("\n".join(msg_lines))
+ return
+
common.run_oscap_remediate(
self._policy_data.profile_id,
self._target_content_path,
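Review bot: The `except Exception` around `assert_scanner_works` in `run` keeps only `str(exc)`, so the traceback and exception type are lost and the dialog text is the only record of why hardening was skipped. The updated test in tests/test_installation.py expects `NonCriticalInstallationError` from `task.run()`, which suggests `terminate` raises a non-critical error and the installation may continue unhardened. Logging the failure before the call keeps an auditable record for unattended installs, e.g. `log.exception("OSCAP Addon: oscap sanity check failed")`, assuming this module has the `log` object used elsewhere in the addon. The `except Exception` that patch 2/2 adds around `run_oscap_remediate` needs the same. The body of `run` continues outside the hunk.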
diff --git a/tests/test_common.py b/tests/test_common.py
index 9f7a16a..4f25379 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
@@ -77,6 +77,14 @@ def _run_oscap(mock_subprocess, additional_args):
return expected_args, kwargs
+def test_oscap_works():
+ assert common.assert_scanner_works(chroot="/")
+ with pytest.raises(common.OSCAPaddonError, match="No such file"):
+ common.assert_scanner_works(chroot="/", executable="i_dont_exist")
+ with pytest.raises(common.OSCAPaddonError, match="non-zero"):
+ common.assert_scanner_works(chroot="/", executable="false")
+
+
def test_run_oscap_remediate_profile_only(mock_subprocess, monkeypatch):
return run_oscap_remediate_profile(
mock_subprocess, monkeypatch,
diff --git a/tests/test_installation.py b/tests/test_installation.py
index 5749a94..f819c3b 100644
--- a/tests/test_installation.py
+++ b/tests/test_installation.py
@@ -115,4 +115,5 @@ def test_remediate_system_task(sysroot_path, content_path, tailoring_path):
)
assert task.name == "Remediate the system"
- task.run()
+ with pytest.raises(installation.NonCriticalInstallationError, match="No such file"):
+ task.run()
From ea2dbf5017445875b1c0e4ee27899c8dde292c98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 3 Jan 2022 17:42:31 +0100
Subject: [PATCH 2/2] Don't raise exceptions in execute()
Those result in tracebacks during the installation,
while a dialog window presents a more useful form of user interaction.
---
org_fedora_oscap/service/installation.py | 27 ++++++++++++++----------
1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/org_fedora_oscap/service/installation.py b/org_fedora_oscap/service/installation.py
index d909c44..290da40 100644
--- a/org_fedora_oscap/service/installation.py
+++ b/org_fedora_oscap/service/installation.py
@@ -210,9 +210,9 @@ def run(self):
)
if ret != 0:
- raise common.ExtractionError(
- "Failed to install content RPM to the target system"
- )
+ msg = _(f"Failed to install content RPM to the target system.")
+ terminate(msg)
+ return
else:
pattern = utils.join_paths(common.INSTALLATION_CONTENT_DIR, "*")
utils.universal_copy(pattern, target_content_dir)
@@ -250,11 +250,16 @@ def run(self):
terminate("\n".join(msg_lines))
return
- common.run_oscap_remediate(
- self._policy_data.profile_id,
- self._target_content_path,
- self._policy_data.datastream_id,
- self._policy_data.xccdf_id,
- self._target_tailoring_path,
- chroot=self._sysroot
- )
+ try:
+ common.run_oscap_remediate(
+ self._policy_data.profile_id,
+ self._target_content_path,
+ self._policy_data.datastream_id,
+ self._policy_data.xccdf_id,
+ self._target_tailoring_path,
+ chroot=self._sysroot
+ )
+ except Exception as exc:
+ msg = _(f"Something went wrong during the final hardening: {str(exc)}.")
+ terminate(msg)
+ return


@ -0,0 +1,14 @@
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index bc14ef1..ccfe6c8 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -225,7 +225,8 @@ def _gather_available_files(self, actually_fetched_content, dest_filename):
if not dest_filename: # using scap-security-guide
fpaths = [self.DEFAULT_SSG_DATA_STREAM_PATH]
else: # Using downloaded XCCDF/OVAL/DS/tailoring
- fpaths = glob(str(self.CONTENT_DOWNLOAD_LOCATION / "*.xml"))
+ fpaths = pathlib.Path(self.CONTENT_DOWNLOAD_LOCATION).rglob("*")
+ fpaths = [str(p) for p in fpaths if p.is_file()]
else:
dest_filename = pathlib.Path(dest_filename)
# RPM is an archive at this phase
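Review bot: `rglob("*")` filtered only by `p.is_file()` now returns every file under `CONTENT_DOWNLOAD_LOCATION`, and `Path.is_file()` follows symbolic links, so a link shipped inside downloaded content is listed like a regular file and handed to whatever consumes `fpaths`. Since this directory holds content fetched from a remote source, links should be excluded: `fpaths = [str(p) for p in fpaths if p.is_file() and not p.is_symlink()]`. A short comment such as `# archives may unpack into subdirectories, so search recursively and let content identification sort out file types` would explain why the `*.xml` filter was dropped. `_gather_available_files` starts and ends outside the hunk.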


@ -0,0 +1,22 @@
From c72b95146650b0debc36b8da546b60a9d5482ab3 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 15 Oct 2021 15:28:24 +0200
Subject: [PATCH] Fix bad destination for the parsed content fingerprint
---
org_fedora_oscap/service/kickstart.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org_fedora_oscap/service/kickstart.py b/org_fedora_oscap/service/kickstart.py
index d6f22ac..dc1a100 100644
--- a/org_fedora_oscap/service/kickstart.py
+++ b/org_fedora_oscap/service/kickstart.py
@@ -140,7 +140,7 @@ def _parse_fingerprint(self, value):
msg = "Unsupported fingerprint"
raise KickstartValueError(msg)
- self.fingerprint = value
+ self.policy_data.fingerprint = value
def _parse_certificates(self, value):
self.policy_data.certificates = value
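Review bot: No regression test accompanies the `_parse_fingerprint` fix; the diffstat lists only kickstart.py. Before the change the value was stored on `self.fingerprint` rather than on `self.policy_data`, which is where the neighbouring `_parse_certificates` writes. Any integrity check that reads the fingerprint from the policy data would presumably have seen an empty value and been skipped. A test that parses a section carrying a fingerprint and asserts `policy_data.fingerprint` equals it would stop this from silently regressing. `_parse_fingerprint` starts outside the hunk.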


@ -0,0 +1,32 @@
From 56806b88b139d62276e8522bb3daf7d4fb02df84 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 15 Oct 2021 15:05:55 +0200
Subject: [PATCH] Represent unselected profile by an empty string
None can't be passed via the DBUS interface.
---
org_fedora_oscap/gui/spokes/oscap.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 4425757..36c8d7a 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -244,7 +244,7 @@ def __init__(self, data, storage, payload):
self.__old_root_pw = None
# used to check if the profile was changed or not
- self._active_profile = None
+ self._active_profile = ""
# prevent multiple simultaneous data fetches
self._fetching = False
@@ -719,7 +719,7 @@ def _unselect_profile(self, profile_id):
self._revert_rootpw_changes()
self._rule_data = None
- self._active_profile = None
+ self._active_profile = ""
@async_action_wait
def _select_profile(self, profile_id):


@ -0,0 +1,72 @@
From 1b96504a8bbc198cce11647a0c3a65e1a3ffaba1 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 13 May 2022 14:44:45 +0200
Subject: [PATCH] Fix strings for translations
The input of the _() function has to be a static string,
and it was in those cases a formatted one,
which didn't match the translation data.
---
org_fedora_oscap/rule_handling.py | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
index 244aac8..635446e 100644
--- a/org_fedora_oscap/rule_handling.py
+++ b/org_fedora_oscap/rule_handling.py
@@ -707,10 +707,11 @@ def eval_rules(self, ksdata, storage, report_only=False):
messages = []
packages_data = get_packages_data()
+ msg_installed_template = _(
+ "package '%s' has been added to the list of to be installed packages")
# add messages for the already added packages
for pkg in self._added_pkgs:
- msg = _("package '%s' has been added to the list of to be installed "
- "packages" % pkg)
+ msg = msg_installed_template % pkg
messages.append(RuleMessage(self.__class__,
common.MESSAGE_TYPE_INFO, msg))
@@ -724,11 +725,12 @@ def eval_rules(self, ksdata, storage, report_only=False):
self._added_pkgs.add(pkg)
packages_data.packages.append(pkg)
- msg = _("package '%s' has been added to the list of to be installed "
- "packages" % pkg)
+ msg = msg_installed_template % pkg
messages.append(RuleMessage(self.__class__,
common.MESSAGE_TYPE_INFO, msg))
+ msg_excluded_template = _(
+ "package '%s' has been added to the list of excluded packages")
# now do the same for the packages that should be excluded
# add messages for the already excluded packages
for pkg in self._removed_pkgs:
@@ -736,13 +738,12 @@ def eval_rules(self, ksdata, storage, report_only=False):
msg = _(
"package '{package}' has been added to the list "
"of excluded packages, but it can't be removed "
- "from the current software selection without breaking the installation."
- .format(package=pkg))
+ "from the current software selection without breaking the installation.")
+ msg = msg.format(package=pkg)
messages.append(RuleMessage(self.__class__,
common.MESSAGE_TYPE_FATAL, msg))
else:
- msg = _("package '%s' has been added to the list of excluded "
- "packages" % pkg)
+ msg = msg_excluded_template % pkg
messages.append(RuleMessage(self.__class__,
common.MESSAGE_TYPE_INFO, msg))
@@ -756,8 +757,7 @@ def eval_rules(self, ksdata, storage, report_only=False):
self._removed_pkgs.add(pkg)
packages_data.excluded_packages.append(pkg)
- msg = _("package '%s' has been added to the list of excluded "
- "packages" % pkg)
+ msg = msg_excluded_template % pkg
messages.append(RuleMessage(self.__class__,
common.MESSAGE_TYPE_INFO, msg))


@ -0,0 +1,26 @@
From cdb131f0b1282f833b697ef4cb4eb934ca2e9966 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 17 Jul 2023 15:27:24 +0200
Subject: [PATCH] Remove obsolete mapping of packages-groups
---
org_fedora_oscap/rule_handling.py | 6 ------
1 file changed, 6 deletions(-)
diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
index 635446e..7e2077c 100644
--- a/org_fedora_oscap/rule_handling.py
+++ b/org_fedora_oscap/rule_handling.py
@@ -59,12 +59,6 @@
"env": ["graphical-server-environment", "workstation-product-environment"],
"groups": ["workstation-product-environment"],
},
- "tftp": {
- "groups": ["network-server"],
- },
- "abrt": {
- "groups": ["debugging"],
- },
"gssproxy": {
"groups": ["file-server"],
},


@ -0,0 +1,29 @@
From a306b736f144260721dfae25f0b268353d6760c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 25 Nov 2021 15:15:14 +0100
Subject: [PATCH] Fix tailoring
Fixes an error during installation caused during tailoring
Addressing:
dasbus.error.DBusError: Content evaluation and remediation with the oscap tool failed: OpenSCAP Error: Unable to open file: '/tmp/openscap_data/usr/share/xml/scap/sc_tailoring/tailoring-xccdf.xml' [/builddir/build/BUILD/openscap-1.3.5/src/source/oscap_source.c:288]
This is proabably a typo coming from 87509fb6ee22b6eeaa66ea4ae85ebf5abd353e14
which is only in rhel9-branch.
---
org_fedora_oscap/service/oscap.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org_fedora_oscap/service/oscap.py b/org_fedora_oscap/service/oscap.py
index 4237a47..65da08b 100755
--- a/org_fedora_oscap/service/oscap.py
+++ b/org_fedora_oscap/service/oscap.py
@@ -221,7 +221,7 @@ def install_with_tasks(self):
sysroot=conf.target.system_root,
policy_data=self.policy_data,
target_content_path=common.get_postinst_content_path(self.policy_data),
- target_tailoring_path=common.get_preinst_tailoring_path(self.policy_data)
+ target_tailoring_path=common.get_postinst_tailoring_path(self.policy_data)
)
]


@ -0,0 +1,32 @@
From 2fbde88c29210c48083bd4840661d2af2d00ae69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 17 Jul 2023 17:10:41 +0200
Subject: [PATCH] Make tar extraction safer on RHEL9
See also https://bugzilla.redhat.com/show_bug.cgi?id=2218875
---
org_fedora_oscap/common.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
index eeb27fc..77d24c1 100644
--- a/org_fedora_oscap/common.py
+++ b/org_fedora_oscap/common.py
@@ -392,7 +392,7 @@ def extract_data(archive, out_dir, ensure_has_files=None):
raise ExtractionError(msg)
utils.ensure_dir_exists(out_dir)
- zfile.extractall(path=out_dir)
+ zfile.extractall(path=out_dir, filter="data")
result = [utils.join_paths(out_dir, info.filename) for info in zfile.filelist]
zfile.close()
elif archive.endswith(".tar"):
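Review bot: `zfile.extractall(path=out_dir, filter="data")` will most likely raise `TypeError` for every `.zip` archive. `zfile` is used like a `zipfile.ZipFile` here (`zfile.filelist`, `info.filename`, with the `.tar` case handled in the next branch), and `ZipFile.extractall` accepts only `path`, `members` and `pwd`. The `filter` argument is a `tarfile` feature and is correctly applied to `tfile.extractall` in the second hunk, so the zip line should remain `zfile.extractall(path=out_dir)`. `extract_data` begins outside the hunk, so confirm how `zfile` is opened; a test that extracts a small zip through `extract_data` would catch this.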
@@ -450,7 +450,7 @@ def _extract_tarball(archive, out_dir, ensure_has_files, alg):
raise ExtractionError(msg)
utils.ensure_dir_exists(out_dir)
- tfile.extractall(path=out_dir)
+ tfile.extractall(path=out_dir, filter="data")
result = [utils.join_paths(out_dir, member.path) for member in tfile.getmembers()]
tfile.close()


@ -0,0 +1,460 @@
From aeb0e2ed5a524c5d4e5b72b2b11ea74a5119d45a Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 2 Aug 2021 17:23:17 +0200
Subject: [PATCH 1/3] Improve logging
Make all log entries identifiable easily.
---
org_fedora_oscap/common.py | 4 ++--
org_fedora_oscap/content_discovery.py | 16 +++++++++++-----
org_fedora_oscap/gui/spokes/oscap.py | 19 ++++++++++++-------
org_fedora_oscap/rule_handling.py | 8 ++++----
org_fedora_oscap/service/installation.py | 6 +++---
org_fedora_oscap/service/kickstart.py | 2 +-
org_fedora_oscap/service/oscap.py | 12 ++++++------
7 files changed, 39 insertions(+), 28 deletions(-)
diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
index a307baa..c432168 100644
--- a/org_fedora_oscap/common.py
+++ b/org_fedora_oscap/common.py
@@ -564,7 +564,7 @@ def get_content_name(data):
def get_raw_preinst_content_path(data):
"""Path to the raw (unextracted, ...) pre-installation content file"""
if data.content_type == "scap-security-guide":
- log.debug("Using scap-security-guide, no single content file")
+ log.debug("OSCAP addon: Using scap-security-guide, no single content file")
return None
content_name = get_content_name(data)
@@ -667,7 +667,7 @@ def set_packages_data(data: PackagesConfigurationData):
payload_proxy = get_payload_proxy()
if payload_proxy.Type != PAYLOAD_TYPE_DNF:
- log.debug("The payload doesn't support packages.")
+ log.debug("OSCAP addon: The payload doesn't support packages.")
return
return payload_proxy.SetPackages(
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index 894f3e1..bc14ef1 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -98,7 +98,7 @@ def fetch_content(self, what_if_fail, ca_certs_path=""):
def _fetch_files(self, scheme, path, destdir, ca_certs_path, what_if_fail):
with self.activity_lock:
if self.now_fetching_or_processing:
- msg = "Strange, it seems that we are already fetching something."
+ msg = "OSCAP Addon: Strange, it seems that we are already fetching something."
log.warn(msg)
return
self.now_fetching_or_processing = True
@@ -175,7 +175,7 @@ def finish_content_fetch(self, fetching_thread_name, fingerprint, report_callbac
def _verify_fingerprint(self, dest_filename, fingerprint=""):
if not fingerprint:
- log.info("No fingerprint provided, skipping integrity check")
+ log.info("OSCAP Addon: No fingerprint provided, skipping integrity check")
return
hash_obj = utils.get_hashing_algorithm(fingerprint)
@@ -183,15 +183,19 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
hash_obj)
if digest != fingerprint:
log.error(
+ "OSCAP Addon: "
f"File {dest_filename} failed integrity check - assumed a "
f"{hash_obj.name} hash and '{fingerprint}', got '{digest}'"
)
- msg = _(f"Integrity check of the content failed - {hash_obj.name} hash didn't match")
+ msg = _(f"OSCAP Addon: Integrity check of the content failed - {hash_obj.name} hash didn't match")
raise content_handling.ContentCheckError(msg)
log.info(f"Integrity check passed using {hash_obj.name} hash")
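Review bot: In `_verify_fingerprint` the log prefix was also added to the user-facing `ContentCheckError` text, and that text is an f-string passed to `_()`, so it can never match a translation entry. The prefix belongs on the `log.error` call only, with the message built from a static template: `msg = _("Integrity check of the content failed - {hash_name} hash didn't match").format(hash_name=hash_obj.name)`. The success line `log.info(f"Integrity check passed using {hash_obj.name} hash")` was left without a prefix, so a passed integrity check is harder to find in the logs than a failed one. The prefix casing also differs between files ("OSCAP addon:" in common.py, "OSCAP Addon:" here), which works against the commit's goal of easily identifiable entries.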
def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_filename):
- threadMgr.wait(wait_for)
+ if wait_for:
+ log.info(f"OSCAP Addon: Waiting for thread {wait_for}")
+ threadMgr.wait(wait_for)
+ log.info(f"OSCAP Addon: Finished waiting for thread {wait_for}")
actually_fetched_content = wait_for is not None
if fingerprint and dest_filename:
@@ -201,6 +205,7 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
structured_content = ObtainedContent(self.CONTENT_DOWNLOAD_LOCATION)
content_type = self.get_content_type(str(dest_filename))
+ log.info(f"OSCAP Addon: started to look at the content")
if content_type in ("archive", "rpm"):
structured_content.add_content_archive(dest_filename)
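Review bot: `log.info(f"OSCAP Addon: started to look at the content")` is an f-string with no placeholders, so the `f` prefix should be dropped: `log.info("OSCAP Addon: started to look at the content")`. The same applies to the added `finished looking at the content` line in the next hunk and to `Actually fetching content from somewhere` in `_fetch_data_and_initialize`. These two progress messages would also be easier to correlate in an installer log if they named `dest_filename`, which is already in scope here.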
@@ -211,6 +216,7 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
if fingerprint and dest_filename:
structured_content.record_verification(dest_filename)
+ log.info(f"OSCAP Addon: finished looking at the content")
return structured_content
def _gather_available_files(self, actually_fetched_content, dest_filename):
@@ -232,7 +238,7 @@ def _gather_available_files(self, actually_fetched_content, dest_filename):
)
except common.ExtractionError as err:
msg = f"Failed to extract the '{dest_filename}' archive: {str(err)}"
- log.error(msg)
+ log.error("OSCAP Addon: " + msg)
raise err
elif content_type == "file":
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 76e508f..332e956 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -331,6 +331,7 @@ def initialize(self):
# if no content was specified and SSG is available, use it
if not self._policy_data.content_type and common.ssg_available():
+ log.info("OSCAP Addon: Defaulting to local content")
self._policy_data.content_type = "scap-security-guide"
self._policy_data.content_path = common.SSG_DIR + common.SSG_CONTENT
@@ -351,7 +352,7 @@ def initialize(self):
self._fetch_data_and_initialize()
def _handle_error(self, exception):
- log.error(str(exception))
+ log.error("OSCAP Addon: " + str(exception))
if isinstance(exception, KickstartValueError):
self._invalid_url()
elif isinstance(exception, common.OSCAPaddonNetworkError):
@@ -365,7 +366,7 @@ def _handle_error(self, exception):
elif isinstance(exception, content_handling.ContentCheckError):
self._integrity_check_failed()
else:
- log.exception("Unknown exception occurred", exc_info=exception)
+ log.exception("OSCAP Addon: Unknown exception occurred", exc_info=exception)
self._general_content_problem()
def _render_selected(self, column, renderer, model, itr, user_data=None):
@@ -385,6 +386,7 @@ def _fetch_data_and_initialize(self):
thread_name = None
if self._policy_data.content_url and self._policy_data.content_type != "scap-security-guide":
+ log.info(f"OSCAP Addon: Actually fetching content from somewhere")
thread_name = self.content_bringer.fetch_content(
self._handle_error, self._policy_data.certificates)
@@ -442,7 +444,7 @@ def update_progress_label(msg):
msg += f" with tailoring {preinst_tailoring_path}"
else:
msg += " without considering tailoring"
- log.info(msg)
+ log.info("OSCAP Addon: " + msg)
self._content_handler = scap_content_handler.SCAPContentHandler(
preinst_content_path,
@@ -456,7 +458,7 @@ def update_progress_label(msg):
return
- log.info("OAA: Done with analysis")
+ log.info("OSCAP Addon: Done with analysis")
self._ds_checklists = self._content_handler.get_data_streams_checklists()
if self._using_ds:
@@ -592,7 +594,7 @@ def _update_profiles_store(self):
try:
profiles = self._content_handler.get_profiles()
except scap_content_handler.SCAPContentHandlerError as e:
- log.warning(str(e))
+ log.warning("OSCAP Addon: " + str(e))
self._invalid_content()
for profile in profiles:
@@ -736,7 +738,7 @@ def _select_profile(self, profile_id):
ds, xccdf, common.get_preinst_tailoring_path(self._policy_data))
except common.OSCAPaddonError as exc:
log.error(
- "Failed to get rules for the profile '{}': {}"
+ "OSCAP Addon: Failed to get rules for the profile '{}': {}"
.format(profile_id, str(exc)))
self._set_error(
"Failed to get rules for the profile '{}'"
@@ -908,6 +910,7 @@ def refresh(self):
def _refresh_ui(self):
"""Refresh the UI elements."""
if not self._content_defined:
+ log.info("OSCAP Addon: Content not defined")
# hide the control buttons
really_hide(self._control_buttons)
@@ -1156,7 +1159,9 @@ def on_fetch_button_clicked(self, *args):
with self._fetch_flag_lock:
if self._fetching:
# some other fetching/pre-processing running, give up
- log.warn("Clicked the fetch button, although the GUI is in the fetching mode.")
+ log.warn(
+ "OSCAP Addon: "
+ "Clicked the fetch button, although the GUI is in the fetching mode.")
return
# prevent user from changing the URL in the meantime
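Review bot: The rewritten call in `on_fetch_button_clicked` still uses `log.warn`, a deprecated alias of `Logger.warning`; since the statement is being rewritten anyway it should become `log.warning("OSCAP Addon: Clicked the fetch button, although the GUI is in the fetching mode.")`. The unchanged `log.warn(msg)` in the `_fetch_files` hunk of `content_discovery.py` has the same issue. The handler's body continues outside the hunk.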
diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
index c478aa0..244aac8 100644
--- a/org_fedora_oscap/rule_handling.py
+++ b/org_fedora_oscap/rule_handling.py
@@ -261,7 +261,7 @@ def new_rule(self, rule):
try:
actions[first_word](rule)
except (ModifiedOptionParserException, KeyError) as e:
- log.warning("Unknown OSCAP Addon rule '{}': {}".format(rule, e))
+ log.warning("OSCAP Addon: Unknown OSCAP Addon rule '{}': {}".format(rule, e))
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
@@ -565,7 +565,7 @@ def eval_rules(self, ksdata, storage, report_only=False):
# root password set
if users_proxy.IsRootPasswordCrypted:
msg = _("cannot check root password length (password is crypted)")
- log.warning("cannot check root password length (password is crypted)")
+ log.warning("OSCAP Addon: cannot check root password length (password is crypted)")
return [RuleMessage(self.__class__,
common.MESSAGE_TYPE_WARNING, msg)]
elif len(users_proxy.RootPassword) < self._minlen:
@@ -880,7 +880,7 @@ def eval_rules(self, ksdata, storage, report_only=False):
kdump_proxy.KdumpEnabled = self._kdump_enabled
else:
- log.warning("com_redhat_kdump is not installed. "
+ log.warning("OSCAP Addon: com_redhat_kdump is not installed. "
"Skipping kdump configuration")
return messages
@@ -894,7 +894,7 @@ def revert_changes(self, ksdata, storage):
if self._kdump_enabled is not None:
kdump_proxy.KdumpEnabled = self._kdump_default_enabled
else:
- log.warning("com_redhat_kdump is not installed. "
+ log.warning("OSCAP Addon: com_redhat_kdump is not installed. "
"Skipping reverting kdump configuration")
self._kdump_enabled = None
diff --git a/org_fedora_oscap/service/installation.py b/org_fedora_oscap/service/installation.py
index e3a1d0f..2da8559 100644
--- a/org_fedora_oscap/service/installation.py
+++ b/org_fedora_oscap/service/installation.py
@@ -28,14 +28,14 @@
from org_fedora_oscap.content_handling import ContentCheckError
from org_fedora_oscap import content_discovery
-log = logging.getLogger(__name__)
+log = logging.getLogger("anaconda")
REQUIRED_PACKAGES = ("openscap", "openscap-scanner",)
def _handle_error(exception):
- log.error("Failed to fetch and initialize SCAP content!")
+ log.error("OSCAP Addon: Failed to fetch and initialize SCAP content!")
if isinstance(exception, ContentCheckError):
msg = _("The integrity check of the security content failed.")
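Review bot: Pointing `log` at the shared `"anaconda"` logger makes the message prefix the only thing that identifies this addon's records, and the series spells it two ways: `OSCAP Addon:` in most hunks, but `OSCAP addon:` in the added payload-support debug line and in `get_doc_type`. A case-sensitive search of the installer log would miss part of the output, so the prefix should have one spelling, ideally taken from a single module-level constant. The same logger switch is repeated in `service/kickstart.py` and `service/oscap.py`. In `_handle_error`, whose body continues below the hunk, the added `log.error` also drops the exception itself; `log.error("OSCAP Addon: Failed to fetch and initialize SCAP content: %s", exception)` would keep the cause in the log.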
@@ -87,7 +87,7 @@ def run(self):
content = self.content_bringer.finish_content_fetch(
fetching_thread_name, self._policy_data.fingerprint,
- lambda msg: log.info(msg), content_dest, _handle_error)
+ lambda msg: log.info("OSCAP Addon: " + msg), content_dest, _handle_error)
if not content:
# this shouldn't happen because error handling is supposed to
diff --git a/org_fedora_oscap/service/kickstart.py b/org_fedora_oscap/service/kickstart.py
index 341c6c5..d6f22ac 100644
--- a/org_fedora_oscap/service/kickstart.py
+++ b/org_fedora_oscap/service/kickstart.py
@@ -25,7 +25,7 @@
from org_fedora_oscap import common, utils
from org_fedora_oscap.structures import PolicyData
-log = logging.getLogger(__name__)
+log = logging.getLogger("anaconda")
__all__ = ["OSCAPKickstartSpecification"]
diff --git a/org_fedora_oscap/service/oscap.py b/org_fedora_oscap/service/oscap.py
index d491060..4237a47 100755
--- a/org_fedora_oscap/service/oscap.py
+++ b/org_fedora_oscap/service/oscap.py
@@ -34,7 +34,7 @@
from org_fedora_oscap.service.oscap_interface import OSCAPInterface
from org_fedora_oscap.structures import PolicyData
-log = logging.getLogger(__name__)
+log = logging.getLogger("anaconda")
__all__ = ["OSCAPService"]
@@ -71,7 +71,7 @@ def policy_enabled(self, value):
"""
self._policy_enabled = value
self.policy_enabled_changed.emit()
- log.debug("Policy enabled is set to '%s'.", value)
+ log.debug("OSCAP Addon: Policy enabled is set to '%s'.", value)
@property
def policy_data(self):
@@ -89,7 +89,7 @@ def policy_data(self, value):
"""
self._policy_data = value
self.policy_data_changed.emit()
- log.debug("Policy data is set to '%s'.", value)
+ log.debug("OSCAP Addon: Policy data is set to '%s'.", value)
@property
def installation_enabled(self):
@@ -150,7 +150,7 @@ def collect_requirements(self):
:return: a list of requirements
"""
if not self.installation_enabled:
- log.debug("The installation is disabled. Skip the requirements.")
+ log.debug("OSCAP Addon: The installation is disabled. Skip the requirements.")
return []
requirements = [
@@ -180,7 +180,7 @@ def configure_with_tasks(self):
:return: a list of tasks
"""
if not self.installation_enabled:
- log.debug("The installation is disabled. Skip the configuration.")
+ log.debug("OSCAP Addon: The installation is disabled. Skip the configuration.")
return []
tasks = [
@@ -205,7 +205,7 @@ def install_with_tasks(self):
:return: a list of tasks
"""
if not self.installation_enabled:
- log.debug("The installation is disabled. Skip the installation.")
+ log.debug("OSCAP Addon: The installation is disabled. Skip the installation.")
return []
tasks = [
From b081e32012b93177167d3f7d0cc2024deb50e965 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 2 Aug 2021 17:24:15 +0200
Subject: [PATCH 2/3] Save addon data when using local content
Addon loads its data from the shared storage upon refresh,
which caused it to overwrite clicking on the "use SSG content" button.
Now the data is saved after clicking that button, and convenience
load/save methods were introduced.
---
org_fedora_oscap/gui/spokes/oscap.py | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 332e956..4425757 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -232,11 +232,8 @@ def __init__(self, data, storage, payload):
# the proxy to OSCAP DBus module
self._oscap_module = OSCAP.get_proxy()
- # the security policy data
- self._policy_enabled = self._oscap_module.PolicyEnabled
- self._policy_data = PolicyData.from_structure(
- self._oscap_module.PolicyData
- )
+ self._policy_data = PolicyData()
+ self._load_policy_data()
# used for changing profiles
self._rule_data = None
@@ -334,6 +331,7 @@ def initialize(self):
log.info("OSCAP Addon: Defaulting to local content")
self._policy_data.content_type = "scap-security-guide"
self._policy_data.content_path = common.SSG_DIR + common.SSG_CONTENT
+ self._save_policy_data()
if not self._content_defined:
# nothing more to be done now, the spoke is ready
@@ -351,6 +349,16 @@ def initialize(self):
# else fetch data
self._fetch_data_and_initialize()
+ def _save_policy_data(self):
+ self._oscap_module.PolicyData = PolicyData.to_structure(self._policy_data)
+ self._oscap_module.PolicyEnabled = self._policy_enabled
+
+ def _load_policy_data(self):
+ self._policy_data.update_from(PolicyData.from_structure(
+ self._oscap_module.PolicyData
+ ))
+ self._policy_enabled = self._oscap_module.PolicyEnabled
+
def _handle_error(self, exception):
log.error("OSCAP Addon: " + str(exception))
if isinstance(exception, KickstartValueError):
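Review bot: `_save_policy_data` and `_load_policy_data` are added without docstrings, although they now define when the spoke's state and the OSCAP DBus module are synchronised. Suggested: `"""Write the spoke's policy data and enabled flag to the OSCAP DBus module."""` and `"""Update the spoke's policy data and enabled flag from the OSCAP DBus module."""`. The second should also say that it updates `self._policy_data` in place through `update_from` rather than rebinding it, which is why `__init__` has to create an empty `PolicyData()` first.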
@@ -897,13 +905,7 @@ def refresh(self):
:see: pyanaconda.ui.common.UIObject.refresh
"""
- # update the security policy data
- self._policy_enabled = self._oscap_module.PolicyEnabled
- fresh_data = PolicyData.from_structure(
- self._oscap_module.PolicyData
- )
-
- self._policy_data.update_from(fresh_data)
+ self._load_policy_data()
# update the UI elements
self._refresh_ui()
@@ -1202,4 +1204,5 @@ def on_change_content_clicked(self, *args):
def on_use_ssg_clicked(self, *args):
self.content_bringer.use_system_content()
+ self._save_policy_data()
self._fetch_data_and_initialize()
From fee170f54aeb9f649ab891781532012a7b069f8f Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 3 Aug 2021 11:01:59 +0200
Subject: [PATCH 3/3] Refactor content identification
Don't use the multiprocessing pool - it sometimes creates probems during
its initialization:
https://bugzilla.redhat.com/show_bug.cgi?id=1989434
---
org_fedora_oscap/content_handling.py | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/org_fedora_oscap/content_handling.py b/org_fedora_oscap/content_handling.py
index f2af22f..65d5a28 100644
--- a/org_fedora_oscap/content_handling.py
+++ b/org_fedora_oscap/content_handling.py
@@ -111,9 +111,8 @@ def parse_HTML_from_content(content):
def identify_files(fpaths):
- with multiprocessing.Pool(os.cpu_count()) as p:
- labels = p.map(get_doc_type, fpaths)
- return {path: label for (path, label) in zip(fpaths, labels)}
+ result = {path: get_doc_type(path) for path in fpaths}
+ return result
def get_doc_type(file_path):
@@ -131,7 +130,9 @@ def get_doc_type(file_path):
except UnicodeDecodeError:
# 'oscap info' supplied weird output, which happens when it tries
# to explain why it can't examine e.g. a JPG.
- return None
+ pass
+ except Exception as e:
+ log.warning(f"OSCAP addon: Unexpected error when looking at {file_path}: {str(e)}")
log.info("OSCAP addon: Identified {file_path} as {content_type}"
.format(file_path=file_path, content_type=content_type))
return content_type
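Review bot: The new `except Exception` branch in `get_doc_type` logs only `str(e)` and then falls through to the `Identified {file_path} as {content_type}` line, so a file that could not be examined is still reported as identified, with whatever value `content_type` held before the failure (its initialisation is above the hunk). Because these files come from fetched content, the failure should stay distinguishable in the log and keep its traceback: `log.warning(f"OSCAP addon: Unexpected error when looking at {file_path}", exc_info=True)`, followed by `return None` if callers still accept that as they did before. Replacing `return None` with `pass` in the `UnicodeDecodeError` branch causes the same fall-through.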


@ -1,4 +1,4 @@
From e8e303aa3ca9db564ea52258de15a81851c3b265 Mon Sep 17 00:00:00 2001
From a1b983b4b5f8e49daa978aec6f9d28ba6dcea20c Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 12 Oct 2022 11:37:04 +0200
Subject: [PATCH 1/5] Add capability to preselect content from archives
@ -13,20 +13,20 @@ and that they have precedence over other files.
create mode 100644 tests/test_content_discovery.py
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index 5fc7343..f654449 100644
index ccfe6c8..9ef144e 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -11,6 +11,7 @@
@@ -12,6 +12,7 @@
from org_fedora_oscap import data_fetch, utils
from org_fedora_oscap import common
from org_fedora_oscap import content_handling
+from org_fedora_oscap.content_handling import CONTENT_TYPES
from org_fedora_oscap import rule_handling
from org_fedora_oscap.common import _
@@ -167,6 +168,38 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
msg = _(f"Integrity check of the content failed - {hash_obj.name} hash didn't match")
@@ -191,6 +192,38 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
raise content_handling.ContentCheckError(msg)
log.info(f"Integrity check passed using {hash_obj.name} hash")
+ def filter_discovered_content(self, labelled_files):
+ expected_path = self._addon_data.content_path
@ -61,9 +61,9 @@ index 5fc7343..f654449 100644
+ return reduced_files
+
def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_filename):
threadMgr.wait(wait_for)
actually_fetched_content = wait_for is not None
@@ -182,6 +215,8 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
if wait_for:
log.info(f"OSCAP Addon: Waiting for thread {wait_for}")
@@ -210,6 +243,8 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
structured_content.add_content_archive(dest_filename)
labelled_files = content_handling.identify_files(fpaths)
@ -127,7 +127,7 @@ index 0000000..5463c9a
+ reduced = bringer.reduce_files(labelled_files, "cpe", ["C"])
+ assert reduced == labelled_files
From 82c1950903fcce079cd71f021c1fde25f75f9521 Mon Sep 17 00:00:00 2001
From 2a536a8ec4cdf20e4f19e8175898b7ace3fc7ca4 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 12 Oct 2022 11:40:11 +0200
Subject: [PATCH 2/5] Handle changes in content identification
@ -140,7 +140,7 @@ content much more gracefully.
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index f654449..b20f3a6 100644
index 9ef144e..9ed643b 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -2,6 +2,7 @@
@ -149,9 +149,9 @@ index f654449..b20f3a6 100644
import shutil
+import os
from glob import glob
from typing import List
from pyanaconda.core import constants
@@ -214,11 +215,15 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
@@ -242,11 +243,15 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
if content_type in ("archive", "rpm"):
structured_content.add_content_archive(dest_filename)
@ -188,7 +188,7 @@ index 65d5a28..3e2ecae 100644
except OSError:
# 'oscap info' exitted with a non-zero exit code -> unknown doc
From b6bf5a6c96f5dbbd78043455802ebc0033cf1a6a Mon Sep 17 00:00:00 2001
From 17f80b71d17ce5a2bdbed87730133cdabec2e22b Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 12 Oct 2022 11:38:51 +0200
Subject: [PATCH 3/5] Remove unused code
@ -247,7 +247,7 @@ index 3e2ecae..5096bab 100644
- files = ContentFiles(xccdf_file, cpe_file, tailoring_file)
- return files
From a990568ccddb2864c8daeae91fdc1f6588b3c6f3 Mon Sep 17 00:00:00 2001
From 3aff547e2689a1ede4236c9166b11c99f272e3f7 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 13 Oct 2022 14:11:25 +0200
Subject: [PATCH 4/5] Dont use tailoring if it is not expected
@ -259,12 +259,12 @@ Compulsive usage of tailoring may be unwanted.
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index b20f3a6..e9cf34a 100644
index 9ed643b..4235af7 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -169,16 +169,25 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
msg = _(f"Integrity check of the content failed - {hash_obj.name} hash didn't match")
@@ -193,16 +193,25 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
raise content_handling.ContentCheckError(msg)
log.info(f"Integrity check passed using {hash_obj.name} hash")
+ def allow_one_expected_tailoring_or_no_tailoring(self, labelled_files):
+ expected_tailoring = self._addon_data.tailoring_path
@ -293,39 +293,65 @@ index b20f3a6..e9cf34a 100644
expected_path = self._addon_data.cpe_path
categories = (CONTENT_TYPES["CPE_DICT"], )
From c4cb296ca3838a0967c8258b9ed5221691884a36 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 8 Nov 2022 10:46:59 +0100
From 56d8e497e0a4c394784b1c950bd1a148a6dc42ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 10 Nov 2022 12:46:46 +0100
Subject: [PATCH 5/5] Make the content RPM installation robust
If a package manager fails to install the package,
use the rpm command directly and skip deps.
---
org_fedora_oscap/ks/oscap.py | 41 ++++++++++++++++++++++++++++--------
1 file changed, 32 insertions(+), 9 deletions(-)
org_fedora_oscap/service/installation.py | 48 +++++++++++++++++-------
1 file changed, 34 insertions(+), 14 deletions(-)
diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
index e47d6ba..dac273d 100644
--- a/org_fedora_oscap/ks/oscap.py
+++ b/org_fedora_oscap/ks/oscap.py
@@ -23,6 +23,7 @@
import shutil
import re
import os
+import io
import time
diff --git a/org_fedora_oscap/service/installation.py b/org_fedora_oscap/service/installation.py
index 255b992..f667479 100644
--- a/org_fedora_oscap/service/installation.py
+++ b/org_fedora_oscap/service/installation.py
@@ -18,6 +18,7 @@
import logging
import pathlib
@@ -473,6 +474,33 @@ def setup(self, storage, ksdata, payload):
if pkg not in ksdata.packages.packageList:
ksdata.packages.packageList.append(pkg)
import os
import shutil
+import io
+ def _attempt_rpm_installation(self):
from pyanaconda.core import util
from pyanaconda.modules.common.task import Task
@@ -198,21 +199,11 @@ def run(self):
elif self._policy_data.content_type == "datastream":
shutil.copy2(self._content_path, target_content_dir)
elif self._policy_data.content_type == "rpm":
- # copy the RPM to the target system
- shutil.copy2(self._file_path, target_content_dir)
+ try:
+ self._copy_rpm_to_target_and_install(target_content_dir)
- # get the path of the RPM
- content_name = common.get_content_name(self._policy_data)
- package_path = utils.join_paths(self._target_directory, content_name)
-
- # and install it with yum
- ret = util.execInSysroot(
- "yum", ["-y", "--nogpg", "install", package_path]
- )
-
- if ret != 0:
- msg = _(f"Failed to install content RPM to the target system.")
- terminate(msg)
+ except Exception as exc:
+ terminate(str(exc))
return
else:
pattern = utils.join_paths(common.INSTALLATION_CONTENT_DIR, "*")
@@ -221,6 +212,35 @@ def run(self):
if os.path.exists(self._tailoring_path):
shutil.copy2(self._tailoring_path, target_content_dir)
+ def _attempt_rpm_installation(self, chroot_package_path):
+ log.info("OSCAP addon: Installing the security content RPM to the installed system.")
+ stdout = io.StringIO()
+ ret = util.execWithRedirect(
+ "yum", ["-y", "--nogpg", "install", self.raw_postinst_content_path],
+ stdout=stdout, root=conf.target.system_root)
+ "dnf", ["-y", "--nogpg", "install", chroot_package_path],
+ stdout=stdout, root=self._sysroot)
+ stdout.seek(0)
+ if ret != 0:
+ log.error(
@ -334,8 +360,8 @@ index e47d6ba..dac273d 100644
+
+ stdout = io.StringIO()
+ ret = util.execWithRedirect(
+ "rpm", ["--install", "--nodeps", self.raw_postinst_content_path],
+ stdout=stdout, root=conf.target.system_root)
+ "rpm", ["--install", "--nodeps", chroot_package_path],
+ stdout=stdout, root=self._sysroot)
+ if ret != 0:
+ log.error(
+ "OSCAP addon: Error installing security content RPM using rpm: {0}",
@ -344,29 +370,11 @@ index e47d6ba..dac273d 100644
+ raise RuntimeError(msg)
+
+ def _copy_rpm_to_target_and_install(self, target_content_dir):
+ shutil.copy2(self.raw_preinst_content_path, target_content_dir)
+ self._attempt_rpm_installation()
+ shutil.copy2(self._file_path, target_content_dir)
+ content_name = common.get_content_name(self._policy_data)
+ chroot_package_path = utils.join_paths(self._target_directory, content_name)
+ self._attempt_rpm_installation(chroot_package_path)
+
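Review bot: `_attempt_rpm_installation` runs `dnf -y --nogpg install`, which disables the package signature check, and on failure retries with `rpm --install --nodeps`, which also skips dependency checks; the integrity of the content RPM therefore rests on the fingerprint, and `_verify_fingerprint` skips that check when none was supplied. The task should at least record that condition before installing, e.g. `if not self._policy_data.fingerprint: log.warning("OSCAP Addon: installing content RPM without fingerprint or signature verification")` in `_copy_rpm_to_target_and_install`. Separately, the `log.error` calls pass a `{0}` placeholder to the logging API, which formats with `%`; `%s` looks intended, though the argument lines are elided on this page. The lines using `chroot_package_path` and `self._sysroot` are taken to be the new side of this patch-of-a-patch.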
def execute(self, storage, ksdata, users, payload):
"""
The execute method that should make changes to the installed system. It
@@ -507,15 +535,10 @@ def execute(self, storage, ksdata, users, payload):
if self.content_type == "datastream":
shutil.copy2(self.preinst_content_path, target_content_dir)
elif self.content_type == "rpm":
- # copy the RPM to the target system
- shutil.copy2(self.raw_preinst_content_path, target_content_dir)
-
- # and install it with yum
- ret = util.execInSysroot("yum", ["-y", "--nogpg", "install",
- self.raw_postinst_content_path])
- if ret != 0:
- msg = _(f"Failed to install content RPM to the target system.")
- self._terminate(msg)
+ try:
+ self._copy_rpm_to_target_and_install(target_content_dir)
+ except Exception as exc:
+ self._terminate(str(exc))
return
elif self.content_type == "scap-security-guide":
# nothing needed
class RemediateSystemTask(Task):
"""The installation task for running the remediation."""


@ -1,4 +1,4 @@
From 55cc3b685dd5a9ca6059459f41876dd9f19f900d Mon Sep 17 00:00:00 2001
From 99fc53d3691b24c6724c1cf3e7281c181b31cf45 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 11 Oct 2022 17:07:28 +0200
Subject: [PATCH 1/2] Remove redundant message
@ -10,19 +10,19 @@ could aim to accomplish.
1 file changed, 1 deletion(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index c57b1cd..4f8702a 100644
index 6d0aa5c..37b9681 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -150,7 +150,6 @@ def decorated(self, *args, **kwargs):
@@ -151,7 +151,6 @@ def decorated(self, *args, **kwargs):
self._ready = True
# pylint: disable-msg=E1101
hubQ.send_ready(self.__class__.__name__, True)
hubQ.send_ready(self.__class__.__name__)
- hubQ.send_message(self.__class__.__name__, self.status)
return ret
From 3f7c560947a17d1696899857e70ebcc8cba44019 Mon Sep 17 00:00:00 2001
From 24787f02e80162129256dc57dc3d491f00080370 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 13 Oct 2022 17:19:17 +0200
Subject: [PATCH 2/2] Increase robustness of fetching state detection
@ -35,10 +35,10 @@ whether well-known UI threads exist.
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 4f8702a..d8e6ce2 100644
index 37b9681..97c4553 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -363,11 +363,14 @@ def _render_selected(self, column, renderer, model, itr, user_data=None):
@@ -389,11 +389,14 @@ def _render_selected(self, column, renderer, model, itr, user_data=None):
else:
renderer.set_property("stock-id", None)
@ -54,7 +54,7 @@ index 4f8702a..d8e6ce2 100644
# prevent multiple fetches running simultaneously
return
self._fetching = True
@@ -894,7 +897,7 @@ def refresh(self):
@@ -940,7 +943,7 @@ def _refresh_ui(self):
# hide the progress box, no progress now
with self._fetch_flag_lock:
@ -63,12 +63,12 @@ index 4f8702a..d8e6ce2 100644
really_hide(self._progress_box)
self._content_url_entry.set_sensitive(True)
@@ -1117,7 +1120,7 @@ def on_fetch_button_clicked(self, *args):
@@ -1165,7 +1168,7 @@ def on_fetch_button_clicked(self, *args):
"""Handler for the Fetch button"""
with self._fetch_flag_lock:
- if self._fetching:
+ if self._still_fetching():
# some other fetching/pre-processing running, give up
log.warn("Clicked the fetch button, although the GUI is in the fetching mode.")
return
log.warn(
"OSCAP Addon: "


@ -1,7 +1,7 @@
From 08d3da5640e5c16cda4e79cc13ac7921f1ebd964 Mon Sep 17 00:00:00 2001
From e2c47422b0ecfd561a8fe203b53e4a3831ae0ff7 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 15 Nov 2022 15:37:28 +0100
Subject: [PATCH 1/2] Fix handling of content paths
Date: Tue, 22 Nov 2022 11:45:11 +0100
Subject: [PATCH 1/3] Fix handling of content paths
Archives and ready-to-use content use paths differently.
@ -15,16 +15,16 @@ just makes the current code working at the expense of making it worse to
maintain.
---
org_fedora_oscap/content_discovery.py | 34 ++++++++++++++++++---------
org_fedora_oscap/ks/oscap.py | 6 ++++-
org_fedora_oscap/service/kickstart.py | 10 +++++++-
tests/test_content_discovery.py | 21 +++++++++++++++++
3 files changed, 49 insertions(+), 12 deletions(-)
3 files changed, 53 insertions(+), 12 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index e9cf34a..2b71b1f 100644
index 4235af7..ebef618 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -25,6 +25,14 @@ def is_network(scheme):
for net_prefix in data_fetch.NET_URL_PREFIXES)
@@ -46,6 +46,14 @@ def clear_all(data):
data.dry_run = False
+def path_is_present_among_paths(path, paths):
@ -38,25 +38,25 @@ index e9cf34a..2b71b1f 100644
class ContentBringer:
CONTENT_DOWNLOAD_LOCATION = pathlib.Path(common.INSTALLATION_CONTENT_DIR)
DEFAULT_SSG_DATA_STREAM_PATH = f"{common.SSG_DIR}/{common.SSG_CONTENT}"
@@ -170,7 +178,7 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
raise content_handling.ContentCheckError(msg)
@@ -194,7 +202,7 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
log.info(f"Integrity check passed using {hash_obj.name} hash")
def allow_one_expected_tailoring_or_no_tailoring(self, labelled_files):
- expected_tailoring = self._addon_data.tailoring_path
+ expected_tailoring = self._addon_data.preinst_tailoring_path
+ expected_tailoring = common.get_preinst_tailoring_path(self._addon_data)
tailoring_label = CONTENT_TYPES["TAILORING"]
if expected_tailoring:
labelled_files = self.reduce_files(labelled_files, expected_tailoring, [tailoring_label])
@@ -182,7 +190,7 @@ def allow_one_expected_tailoring_or_no_tailoring(self, labelled_files):
@@ -206,7 +214,7 @@ def allow_one_expected_tailoring_or_no_tailoring(self, labelled_files):
return labelled_files
def filter_discovered_content(self, labelled_files):
- expected_path = self._addon_data.content_path
+ expected_path = self._addon_data.preinst_content_path
+ expected_path = common.get_preinst_content_path(self._addon_data)
categories = (CONTENT_TYPES["DATASTREAM"], CONTENT_TYPES["XCCDF_CHECKLIST"])
if expected_path:
labelled_files = self.reduce_files(labelled_files, expected_path, categories)
@@ -198,7 +206,7 @@ def filter_discovered_content(self, labelled_files):
@@ -222,7 +230,7 @@ def filter_discovered_content(self, labelled_files):
def reduce_files(self, labelled_files, expected_path, categories):
reduced_files = dict()
@ -65,7 +65,7 @@ index e9cf34a..2b71b1f 100644
msg = (
f"Expected a file {expected_path} to be part of the supplied content, "
f"but it was not the case, got only {list(labelled_files.keys())}"
@@ -225,13 +233,9 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
@@ -253,13 +261,9 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
structured_content.add_content_archive(dest_filename)
labelled_filenames = content_handling.identify_files(fpaths)
@ -81,7 +81,7 @@ index e9cf34a..2b71b1f 100644
structured_content.add_file(str(fname), label)
if fingerprint and dest_filename:
@@ -274,11 +278,18 @@ def use_downloaded_content(self, content):
@@ -303,11 +307,18 @@ def use_downloaded_content(self, content):
# We know that we have ended up with a datastream-like content,
# but if we can't convert an archive to a datastream.
# self._addon_data.content_type = "datastream"
@ -101,8 +101,8 @@ index e9cf34a..2b71b1f 100644
+ self._addon_data.tailoring_path = str(preferred_tailoring)
def use_system_content(self, content=None):
self._addon_data.clear_all()
@@ -372,6 +383,7 @@ def _xccdf_content(self):
clear_all(self._addon_data)
@@ -403,6 +414,7 @@ def _xccdf_content(self):
def find_expected_usable_content(self, relative_expected_content_path):
content_path = self.root / relative_expected_content_path
@ -110,21 +110,32 @@ index e9cf34a..2b71b1f 100644
eligible_main_content = (self._datastream_content(), self._xccdf_content())
if content_path in eligible_main_content:
diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
index dac273d..7d4a131 100644
--- a/org_fedora_oscap/ks/oscap.py
+++ b/org_fedora_oscap/ks/oscap.py
@@ -179,7 +179,11 @@ def _parse_profile_id(self, value):
self.profile_id = value
diff --git a/org_fedora_oscap/service/kickstart.py b/org_fedora_oscap/service/kickstart.py
index ce049d1..6698978 100644
--- a/org_fedora_oscap/service/kickstart.py
+++ b/org_fedora_oscap/service/kickstart.py
@@ -17,6 +17,7 @@
#
import logging
import re
+import os
from pyanaconda.core.kickstart import KickstartSpecification
from pyanaconda.core.kickstart.addon import AddonData
@@ -146,7 +147,14 @@ def _parse_profile_id(self, value):
self.policy_data.profile_id = value
def _parse_content_path(self, value):
- # need to be checked?
+ if self.content_type in ("archive", "rpm") and os.path.isabs(self.content_path):
+ absolute_content_path_in_archive_like_file = (
+ self.policy_data.content_type in ("archive", "rpm")
+ and os.path.isabs(value))
+ if absolute_content_path_in_archive_like_file:
+ msg = (
+ "When using archives-like content input, the corresponding content path "
+ "has to be relative, but got '{self.content_path}'.")
+ "has to be relative, but got '{value}'.")
+ raise KickstartValueError(msg)
self.content_path = value
self.policy_data.content_path = value
def _parse_cpe_path(self, value):
diff --git a/tests/test_content_discovery.py b/tests/test_content_discovery.py
@ -161,10 +172,10 @@ index 5463c9a..d6e14d9 100644
+ for path in list_of_paths_not_in_list:
+ assert not tested_module.path_is_present_among_paths(path, list_of_paths)
From 786ec5d90d12a1321fbff86f5d8d4a534059ad22 Mon Sep 17 00:00:00 2001
From 9808e21ff4e6a4ce878d556f26cfddede04c870f Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 16 Nov 2022 15:35:09 +0100
Subject: [PATCH 2/2] Compare paths according to their equivalence
Subject: [PATCH 2/3] Compare paths according to their equivalence
not according their arbitrary string form
---
@ -172,11 +183,11 @@ not according their arbitrary string form
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index 2b71b1f..42c61e0 100644
index ebef618..9da44e7 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -25,10 +25,14 @@ def is_network(scheme):
for net_prefix in data_fetch.NET_URL_PREFIXES)
@@ -46,10 +46,14 @@ def clear_all(data):
data.dry_run = False
+def paths_are_equivalent(p1, p2):
@ -191,7 +202,7 @@ index 2b71b1f..42c61e0 100644
return True
return False
@@ -213,7 +217,7 @@ def reduce_files(self, labelled_files, expected_path, categories):
@@ -237,7 +241,7 @@ def reduce_files(self, labelled_files, expected_path, categories):
)
raise RuntimeError(msg)
for path, label in labelled_files.items():
@ -200,3 +211,115 @@ index 2b71b1f..42c61e0 100644
continue
reduced_files[path] = label
return reduced_files
From b422abba29a9304225c97e79945cf0f1a21de810 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 22 Nov 2022 15:44:13 +0100
Subject: [PATCH 3/3] Fix tests when relative content paths are enforced
---
org_fedora_oscap/content_discovery.py | 2 +-
org_fedora_oscap/service/installation.py | 7 ++++++-
tests/test_content_discovery.py | 3 ++-
tests/test_installation.py | 2 +-
tests/test_kickstart.py | 6 +++---
tests/test_service_kickstart.py | 19 +++++++++++++++----
6 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index 9da44e7..61c4930 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -239,7 +239,7 @@ def reduce_files(self, labelled_files, expected_path, categories):
f"Expected a file {expected_path} to be part of the supplied content, "
f"but it was not the case, got only {list(labelled_files.keys())}"
)
- raise RuntimeError(msg)
+ raise content_handling.ContentHandlingError(msg)
for path, label in labelled_files.items():
if label in categories and not paths_are_equivalent(path, expected_path):
continue
diff --git a/org_fedora_oscap/service/installation.py b/org_fedora_oscap/service/installation.py
index f667479..5ca102c 100644
--- a/org_fedora_oscap/service/installation.py
+++ b/org_fedora_oscap/service/installation.py
@@ -23,10 +23,11 @@
from pyanaconda.core import util
from pyanaconda.modules.common.task import Task
from pyanaconda.modules.common.errors.installation import NonCriticalInstallationError
+from pykickstart.errors import KickstartValueError
from org_fedora_oscap import common, data_fetch, rule_handling, utils
from org_fedora_oscap.common import _, get_packages_data, set_packages_data
-from org_fedora_oscap.content_handling import ContentCheckError
+from org_fedora_oscap.content_handling import ContentCheckError, ContentHandlingError
from org_fedora_oscap import content_discovery
log = logging.getLogger("anaconda")
@@ -48,6 +49,10 @@ def _handle_error(exception):
msg = _("There was an error fetching and loading the security content:\n" +
f"{str(exception)}")
terminate(msg)
+ elif isinstance(exception, ContentHandlingError):
+ msg = _("There was a problem with the supplied security content:\n" +
+ f"{str(exception)}")
+ terminate(msg)
else:
msg = _("There was an unexpected problem with the supplied content.")
diff --git a/tests/test_content_discovery.py b/tests/test_content_discovery.py
index d6e14d9..d664ede 100644
--- a/tests/test_content_discovery.py
+++ b/tests/test_content_discovery.py
@@ -3,6 +3,7 @@
import pytest
import org_fedora_oscap.content_discovery as tested_module
+from org_fedora_oscap import content_handling
@pytest.fixture
@@ -43,7 +44,7 @@ def test_reduce(labelled_files):
assert len(reduced) == len(labelled_files) - d_count - x_count + 1
assert "dir/XCCDF" in reduced
- with pytest.raises(RuntimeError, match="dir/datastream4"):
+ with pytest.raises(content_handling.ContentHandlingError, match="dir/datastream4"):
bringer.reduce_files(labelled_files, "dir/datastream4", ["D"])
reduced = bringer.reduce_files(labelled_files, "cpe", ["C"])
diff --git a/tests/test_installation.py b/tests/test_installation.py
index 302f5ed..2cf78db 100644
--- a/tests/test_installation.py
+++ b/tests/test_installation.py
@@ -76,7 +76,7 @@ def test_fetch_content_task(caplog, file_path, content_path):
assert task.name == "Fetch the content, and optionally perform check or archive extraction"
- with pytest.raises(NonCriticalInstallationError, match="Couldn't find a valid datastream"):
+ with pytest.raises(NonCriticalInstallationError, match="Expected a file"):
task.run()
diff --git a/tests/test_kickstart.py b/tests/test_kickstart.py
index d4cfda2..60fe63d 100644
--- a/tests/test_kickstart.py
+++ b/tests/test_kickstart.py
@@ -163,7 +163,7 @@ def test_rpm(service):
content-url = http://example.com/oscap_content.rpm
content-type = RPM
profile = Web Server
- xccdf-path = /usr/share/oscap/xccdf.xml
+ xccdf-path = usr/share/oscap/xccdf.xml
%end
"""
check_ks_input(service, ks_in)
@@ -198,7 +198,7 @@ def test_rpm_with_wrong_suffix(service):
content-url = http://example.com/oscap_content.xml
content-type = RPM
profile = Web Server
- xccdf-path = /usr/share/oscap/xccdf.xml
+ xccdf-path = usr/share/oscap/xccdf.xml
%end
"""
check_ks_input(service, ks_in, errors=[


@ -0,0 +1,52 @@
From 3d7a943969d542392134f55078eadb0793b094dc Mon Sep 17 00:00:00 2001
From: Vendula Poncova <vponcova@redhat.com>
Date: Wed, 22 Sep 2021 17:52:03 +0200
Subject: [PATCH 1/2] Specify a unique screen id
All spokes and hubs should provide a unique id.
---
org_fedora_oscap/gui/spokes/oscap.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index fe26076..44c7ced 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -204,6 +204,11 @@ class OSCAPSpoke(NormalSpoke):
# as it is displayed inside the spoke as the spoke label,
# and spoke labels are all uppercase by a convention.
+ @staticmethod
+ def get_screen_id():
+ """Return a unique id of this UI screen."""
+ return "security-policy-selection"
+
@classmethod
def should_run(cls, environment, data):
return is_module_available(OSCAP)
From ae9fdc9e6e189db215aeb39f2881311e5281587b Mon Sep 17 00:00:00 2001
From: Vendula Poncova <vponcova@redhat.com>
Date: Wed, 22 Sep 2021 17:52:51 +0200
Subject: [PATCH 2/2] Remove the help_id attribute
The help_id attribute is no longer used. Specify a screen id
or redefine the help handler to provide the built-in help.
---
org_fedora_oscap/gui/spokes/oscap.py | 3 ---
1 file changed, 3 deletions(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 44c7ced..6d0aa5c 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -185,9 +185,6 @@ class OSCAPSpoke(NormalSpoke):
# name of the .glade file in the same directory as this source
uiFile = "oscap.glade"
- # id of the help content for this spoke
- help_id = "SecurityPolicySpoke"
-
# domain of oscap-anaconda-addon translations
translationDomain = "oscap-anaconda-addon"


@ -1,4 +1,4 @@
From 58d4847dc4b55b9d4982be9505127679beca87c6 Mon Sep 17 00:00:00 2001
From 5e91b77a0e96b811d95b7fa48cfd8f645a5616eb Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 18 Jan 2023 16:36:36 +0100
Subject: [PATCH 1/2] Handle the URL with missing ://
@ -8,10 +8,10 @@ Subject: [PATCH 1/2] Handle the URL with missing ://
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index 42c61e0..23fdafd 100644
index 61c4930..76959cd 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -67,9 +67,14 @@ def content_uri(self):
@@ -88,9 +88,14 @@ def content_uri(self):
@content_uri.setter
def content_uri(self, uri):
@ -29,7 +29,7 @@ index 42c61e0..23fdafd 100644
def fetch_content(self, what_if_fail, ca_certs_path=""):
"""
@@ -80,7 +85,10 @@ def fetch_content(self, what_if_fail, ca_certs_path=""):
@@ -101,7 +106,10 @@ def fetch_content(self, what_if_fail, ca_certs_path=""):
should handle them in the calling layer.
ca_certs_path: Path to the HTTPS certificate file
"""
@ -42,7 +42,7 @@ index 42c61e0..23fdafd 100644
self.CONTENT_DOWNLOAD_LOCATION.mkdir(parents=True, exist_ok=True)
fetching_thread_name = self._fetch_files(
From cbfdae4f43ade3ef982a967f3e2844e66db3f9a0 Mon Sep 17 00:00:00 2001
From 9588cb840d8c6193157e677decad843539bd2819 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 18 Jan 2023 16:36:53 +0100
Subject: [PATCH 2/2] Stop fetching when there is an invalid profile
@ -52,11 +52,11 @@ Subject: [PATCH 2/2] Stop fetching when there is an invalid profile
1 file changed, 2 insertions(+)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index d8e6ce2..54eae1e 100644
index 97c4553..7765fbf 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -469,6 +469,8 @@ def update_progress_label(msg):
if self._addon_data.profile_id and not selected:
@@ -505,6 +505,8 @@ def update_progress_label(msg):
if self._policy_data.profile_id and not selected:
# profile ID given, but it was impossible to select it -> invalid
# profile ID given
+ with self._fetch_flag_lock:


@ -1,31 +1,41 @@
# Patch0 applies correctly but with mismatch and we dont't want backup file
%global _default_patch_flags --no-backup-if-mismatch
%if 0%{?rhel} == 8
%define anaconda_core_version 33
%endif
%if 0%{?rhel} == 9
%define anaconda_core_version 34
%endif
%if 0%{?fedora}
%define anaconda_core_version %{fedora}
%endif
Name: oscap-anaconda-addon
Version: 1.2.1
Release: 12%{?dist}
Version: 2.0.0
Release: 17%{?dist}
Summary: Anaconda addon integrating OpenSCAP to the installation process
License: GPLv2+
URL: https://github.com/OpenSCAP/oscap-anaconda-addon
# This is a Red Hat maintained package which is specific to
# our distribution.
#
# The source is thus available only from within this SRPM
# or via direct git checkout:
# git clone https://github.com/OpenSCAP/oscap-anaconda-addon.git
Source0: %{name}-%{version}.tar.gz
Source0: https://github.com/OpenSCAP/oscap-anaconda-addon/releases/download/r%{version}/%{name}-%{version}.tar.gz
# TODO: Remove when the fixed upstream release contains dbus service data
Source1: addon-dbus-data.zip
# Let the Patch1 be reserved for translations patches
Patch1: lang.patch
Patch2: oscap-anaconda-addon-1.2.2-content_ident-PR_167.patch
Patch3: oscap-anaconda-addon-1.2.2-deep_archives-PR_168.patch
Patch4: oscap-anaconda-addon-1.2.2-absent_appstream-PR_184.patch
Patch5: oscap-anaconda-addon-1.3.0-better_archive_handling-PR_220.patch
Patch6: oscap-anaconda-addon-1.3.0-clicking_nocrash-PR_221.patch
Patch7: oscap-anaconda-addon-1.3.0-fix_content_paths-PR_225.patch
Patch8: oscap-anaconda-addon-null-http_content_url-PR_232.patch
Patch2: oscap-anaconda-addon-2.0.1-various_bugfixes-PR_166.patch
Patch3: oscap-anaconda-addon-2.0.1-fix_archive_handling-PR_170.patch
Patch4: oscap-anaconda-addon-2.0.1-fix_no_hardening-PR_176.patch
Patch5: oscap-anaconda-addon-2.0.1-fix_fingerprint-PR_177.patch
Patch6: oscap-anaconda-addon-2.0.1-rhel9_tailoring_fix-PR_180.patch
Patch7: oscap-anaconda-addon-1.2.2-dbus_show_integration-PR_182.patch
Patch8: oscap-anaconda-addon-2.1.0-unified_help-PR_192.patch
Patch9: oscap-anaconda-addon-2.0.1-absent_appstream-PR_185.patch
Patch10: oscap-anaconda-addon-2.0.1-fix_strings-PR_207.patch
Patch11: oscap-anaconda-addon-2.1.0-clicking_fix-PR_223.patch
Patch12: oscap-anaconda-addon-2.1.0-archive_handling-PR_224.patch
Patch13: oscap-anaconda-addon-2.1.0-content_paths-PR_227.patch
Patch14: oscap-anaconda-addon-null-http_only_uri-PR_233.patch
Patch15: oscap-anaconda-addon-2.0.1-tar-extraction-PR_250.patch
Patch16: oscap-anaconda-addon-2.0.1-package-groups-PR_248.patch
BuildArch: noarch
BuildRequires: make
@ -33,9 +43,8 @@ BuildRequires: gettext
BuildRequires: python3-devel
BuildRequires: python3-pycurl
BuildRequires: openscap openscap-utils openscap-python3
BuildRequires: anaconda-core >= 33
Requires: anaconda-core >= 33
Requires: python3-cpio
BuildRequires: anaconda-core >= %{anaconda_core_version}
Requires: anaconda-core >= %{anaconda_core_version}
Requires: python3-pycurl
Requires: python3-kickstart
Requires: openscap openscap-utils openscap-python3
@ -47,28 +56,12 @@ and allows installation of systems following restrictions given by a SCAP
content.
%prep
%setup -q -n %{name}-%{version}
# As patches may translates the strings that are updated by later patches,
# Patch1 needs to be aplied last.
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
# NOTE CONCERNING TRANSLATION PATCHES
# When preparing translation patches, don't consider that some languages are unsupported -
# we aim to include all applicable translation texts to the appropriate patch.
# This has consulted with ljanda@redhat.com, and we basically follow the existing practice of the Anaconda project we integrate into.
%autosetup -p1
unzip %{_sourcedir}/addon-dbus-data.zip
%build
#%check
#make test
%check
%install
make install DESTDIR=%{buildroot}
@ -76,287 +69,203 @@ make install DESTDIR=%{buildroot}
%files -f %{name}.lang
%{_datadir}/anaconda/addons/org_fedora_oscap
%{_datadir}/anaconda/dbus/confs/org.fedoraproject.Anaconda.Addons.OSCAP.conf
%{_datadir}/anaconda/dbus/services/org.fedoraproject.Anaconda.Addons.OSCAP.service
%doc COPYING ChangeLog README.md
%changelog
* Wed Feb 08 2023 Matej Tyc <matyc@redhat.com> - 1.2.1-12
* Wed Jul 19 2023 Jan Černý <jcerny@redhat.com> - 2.0.0-17
- Update translations (rhbz#2189526)
- Fix tar file extraction (rhbz#2218875)
- Fix conflict of tftp package with "network servers" group (rhbz#2172264)
* Wed Feb 08 2023 Matej Tyc <matyc@redhat.com> - 2.0.0-16
- Update translations
Resolves: rhbz#2139743
Resolves: rhbz#2139667
Resolves: rhbz#2150877
* Mon Jan 23 2023 Matej Tyc <matyc@redhat.com> - 1.2.1-11
* Mon Jan 23 2023 Matej Tyc <matyc@redhat.com> - 2.0.0-15
- Fix a reaction to invalid content URI
Resolves: rhbz#2148509
Resolves: rhbz#2148508
* Wed Nov 23 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-10
* Fri Nov 25 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-14
- Fix regression introduced when fixing content archive input
Resolves: rhbz#2129008
* Thu Nov 10 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-9
* Fri Nov 11 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-13
- Fix problems with handling multi-datastream archives
Resolves: rhbz#2129008
Resolves: rhbz#2129846
- Fix a crash when compulsively clicking in the GUI
Resolves: rhbz#2000998
Resolves: rhbz#2127502
* Wed Jul 20 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-8
- Update translations
Resolves: rhbz#2062707
* Fri Jun 10 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-7
* Fri Jun 10 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-12
- Remove the firstboot remediation feature completely.
We can't have it, while maintaining the standard UX.
Resolves: rhbz#2063179
Resolves: rhbz#2065751
* Mon Mar 21 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-6
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-11
- Remove the redundant dependency on oscap-utils
Resolves: rhbz#2086822
* Wed May 18 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-10
- Fix strings, so they are translatable, and update translations
Resolves: rhbz#2081268
* Mon Mar 21 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-9
- Introduce the firstboot remediation
Resolves: rhbz#1834716
Resolves: rhbz#1999587
- Add better error handling of installation using unsupported installation sources
Resolves: rhbz#2007981
Resolves: rhbz#2042334
* Fri Jan 21 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-5
- Updated translations
Resolves: rhbz#2017356
* Mon Jan 24 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-8
- Introduce unified help support
Resolves: rhbz#2043512
- Update translations
Resolves: rhbz#2017374
* Fri Aug 20 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-4
- Updated translations
Resolves: rhbz#1962007
* Mon Dec 13 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-7
- Don't show the OSCAP spoke if the OSCAP DBus module is disabled
Resolves: rhbz#2018954
* Mon Aug 09 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-3
- Fix handling of archives with directories in GUI installs
- Resolves: rhbz#1691305
* Thu Nov 25 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-6
- Fix handling of tailoring in RHEL9
Resolves: rhbz#1996129
* Tue Aug 03 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-2
- Refactor content identification
- Resolves: rhbz#1989441
* Wed Nov 10 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-5
- Fix handling of content archives
Resolves: rhbz#1996129
- Fix handling of content fingerprint
Resolves: rhbz#1993065
- Fix crash when a previously selected hardening has been cancelled
Resolves: rhbz#2014108
- Pull latest translations
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-1
- Rebase to the new upstream version.
- Resolves: rhbz#1691305
* Fri Aug 20 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-4
- Update translations
Resolves: rhbz#1962112
* Fri Jul 16 2021 Matej Tyc <matyc@redhat.com> - 1.2.0-2
- Updated translations
- Resolves: rhbz#1938623
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.0.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Jun 25 2021 Matej Tyc <matyc@redhat.com> - 1.2.0-1
- Rebase to the new upstream version.
- Resolves: rhbz#1691305
* Tue Aug 03 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-2
- Fix issues with locally installed content and labelling of discovered content.
- Resolves: rhbz#1989434
* Mon Feb 15 2021 Matej Tyc <matyc@redhat.com> - 1.1.1-7
- Updated translations.
* Fri Jul 02 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-1
- Rebase to the 2.0.0 upstream release.
- Remove the cpio dependency which is not needed any more.
* Wed Nov 11 11:46:56 CET 2020 Matej Tyc <matyc@redhat.com> - 1.1.1-6
- Improved handling of conflicts between packages removed vs software wanted to be installed - rhbz#1892310
* Wed Jun 23 2021 Jan Černý <jcerny@redhat.com> - 1.0-11
- Rebuild after test config change in test.yml
* Tue Aug 18 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-5
- Fixed issues with encountering filenames with weird encoding during scans - rhbz#1867960
* Mon Jun 14 2021 Matej Tyc <matyc@redhat.com> - 1.0-10
- Unified the spec file with the Fedora one.
- Removed unwanted dependencies.
- nose is not needed for a long time.
- mock has been moved into the Python standard library, so it is also not needed.
* Thu Jul 09 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-4
- Fixed spoke window text: RHBZ#1855041
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.0-9
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Jun 26 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-3
- Updated translations: RHBZ#1820557
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jun 22 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-2
- Fixed issues addressing combination of profiles and GUI-based software selections: RHBZ#1843932, RHBZ#1787156
- Improved handling of languages, capitalization: RHBZ#1696278
- Updated translations: RHBZ#1820557
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 02 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-1
- Rebase to upstream 1.1.1
- This OAA is compatible with the RHEL 8.3 Anaconda: RHBZ#1696278
- The UX has been improved: RHBZ#1781790
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 1.0-10
- Do not use capital letters for spoke title: RHBZ#1744185
- Updated translations
* Mon Aug 12 2019 Matěj Týč <matyc@redhat.com> - 1.0-5
- Disabled execution of tests, as they are not meant to be executed in the build environment.
* Wed Feb 13 2019 Matěj Týč <matyc@redhat.com> - 1.0-9
- Updated translations: RHBZ#1645924
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 08 2019 Watson Yuuma Sato <wsato@redhat.com> - 1.0-8
- Fixed translation of spoke title: RHBZ#1673044
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 18 2019 Matěj Týč <matyc@redhat.com> - 1.0-7
- Fixed bootloader-related Anaconda API usage: RHBZ#1664036
- Fixed root password-related Anaconda API usage: RHBZ#1665551
- Fixed checksum-related Python2->3 issue: RHBZ#1665147
* Thu Jan 17 2019 Matěj Týč <matyc@redhat.com> - 1.0-6
- Updated translations: RHBZ#1645924
* Mon Dec 17 2018 Matěj Týč <matyc@redhat.com> - 1.0-5
- Applied the HelpFile -> help_id patch
* Fri Dec 14 2018 Matěj Týč <matyc@redhat.com> - 1.0-4
- Updated translations: RHBZ#1608331, RHBZ#1645924
* Wed Oct 10 2018 Matěj Týč <matyc@redhat.com> - 1.0-3
- Updated to the latest Anaconda API: RHBZ#1637635
- Added updated translations: RHBZ#1608331
* Mon Oct 01 2018 Matěj Týč <matyc@redhat.com> - 1.0-2
- Added the missing pycurl dependency.
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jul 03 2018 Matěj Týč <matyc@redhat.com> - 1.0-1
- Rebased to upstream version 1.0
- Python3 support, anaconda 28 support.
* Tue Dec 12 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.8-3
- Return empty string when there is no tailoring file
Resolves: rhbz#1520276
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.7-7
- Escape macros in %%changelog
* Mon Dec 11 2017 Watson Sato <wsato@redhat.com> - 0.8-2
- Add japanese translation
- Update other translations
Resolves: rhbz#1481190
- Fix selection of RHEL datastream
Resolves: rhbz#1520358
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Nov 27 2017 Watson Sato <wsato@redhat.com> - 0.8-1
- Rebase to the upstream version 0.8
Related: rhbz#1472419
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue May 30 2017 Watson Sato <wsato@redhat.com> - 0.7-15
- Add japanese translation
- Update other translations
Resolves: rhbz#1383181
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Apr 20 2017 Raphael Sanchez Prudencio <rsprudencio@redhat.com> - 0.7-14
- Fixed gtk warning messages when anaconda is starting.
Resolves: rhbz#1437106
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Mar 28 2017 Martin Preisler <mpreisle@redhat.com> - 0.7-13
- Avoid long delay before a GeoIP related timeout in case internet is not available
Resolves: rhbz#1379479
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Sep 13 2016 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-12
- Properly handle tailoring files for datastreams
Resolves: rhbz#1364929
* Wed Jan 07 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-1
- Adapt to changes in Anaconda
- Define name of the spoke window
- Set fetching flag to False when extraction error happens
- Remove code that was pushed to the anaconda's sources
* Thu Aug 25 2016 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-11
- Don't require blank stderr when running the oscap tool
Resolves: rhbz#1360765
- Beware of the invalid profiles
Resolves: rhbz#1365130
- Properly set the seen property for root passwords
Resolves: rhbz#1357603
* Fri Feb 28 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.6-2
- Rebuild with building issues fixed
* Thu Jun 30 2016 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-10
- Clear spoke's info before setting an error
Resolves: rhbz#1349446
* Fri Feb 28 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.6-1
- Getting status needs to run in the main thread
- Grab focus for the URL entry after switching notebook page
- Clear rule data when unselecting profile
- Update message as part of the initialization
- Add BuildRequires: gettext
- Include translations in the tarball and RPM
* Wed Jun 1 2016 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-9
- Use the System hub category provided by Anaconda
Resolves: rhbz#1269211
- Wait for Anaconda to settle before evaluation
Resolves: rhbz#1265552
- Make the changes overview scrollable and smaller
Related: rhbz#1263582
- Make the list of profiles scrollable
Resolves: rhbz#1263582
- Do not try to create a single file multiple times
Related: rhbz#1263315
- Avoid crashes on extraction errors
Resolves: rhbz#1263315
- Disable GPG checks when installing content to the system
Resolves: rhbz#1263216
- Allow fixing root password in graphical installations
Resolves: rhbz#1265116
- Enforce the minimal root password length
Resolves: rhbz#1238281
- Just report misconfiguration instead of crashing in text mode
Resolves: rhbz#1263207
- Do not verify SSL if inst.noverifyssl was given
Resolves: rhbz#1263257
- Also catch data_fetch.DataFetchError when trying to get content
Resolves: rhbz#1263239
- Use new method signature with payload class
Related: rhbz#1288636
* Fri Feb 28 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.5-1
- Allow users to change content
- Show and hide control buttons properly
- Fix sensitivity of the URL entry and fetch button
- Add the button allowing users to use SSG content if available
- Fix listing python sources when creating potfile and regenerate it
- Omit the %%addon section from kickstart in dry-run mode
- Implement the dry-run mode in the GUI (trac#2)
- Add UI elements for content changing and dry-run mode
- Check content_defined instead of content_url in the GUI code
- First select the profile, then update the message store
- Remove unused import
- Ignore some more temporary/backup files
- If no content is specified and SSG is available, use it
- New special content type -- SCAP Security Guide
- Fix name of the property used when doing fingerprint check
- Get rid of an unused variable
- Fix data fetch locking to work properly with kickstart installations
- Use 'anonymous:' if no username and password is given for FTP
- Initial version of the translations template file
- First steps to dry-run mode
- Fix main notebook tabs
- Make translations work
- Manipulation with the i18n related files
- If no profile is given, default to default
- Ignore updates.img and its auxiliary directory
- Catch only fetching errors from the fetching thread
- Do not allow multiple simultaneous fetches/initializations
- Prevent user from changing the URL while we try to fetch from it
- Add support for the Default profile
- Support FTP as a content source (#1050980)
- React properly on archive extraction failure
- Refactor the code pre-processing the fetched content
- Unify exceptions from archive extraction
- Make pylint check mandatory to pass
- Support for hash based content integrity checking
* Wed Sep 16 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-8
- Do not remove the root password behind user's back
Resolves: rhbz#1263254
* Mon Sep 7 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-7
- Completely skip the execute() part if no profile is selected
Resolves: rhbz#1254973
* Mon Aug 24 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-6
- Specify the name of the help content file
Resolves: rhbz#1254884
- Skip files unrecognized by the 'oscap info' command
Resolves: rhbz#1255075
- Only allow DS and XCCDF ID selection if it makes sense
Resolves: rhbz#1254876
* Tue Aug 4 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-5
- Make sure DS and XCCDF ID lists are correctly refreshed
Resolves: rhbz#1240946
- Make sure the DS and XCCDF ID combo boxes are visible for DS content
Resolves: rhbz#1249951
- Try to load the OSCAP session early for DS content
Resolves: rhbz#1247654
- Test preinst_content_path before raw_preinst_content_path
Resolves: rhbz#1249937
- Clear any error if switching to the dry-run mode
Related: rhbz#1247677
- Do not continue with and invalid profile ID
Resolves: rhbz#1247677
- Cover all potential places with a non-main thread changing Gtk stuff
Resolves: rhbz#1240967
* Thu Jul 23 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-4
- Better handle and report erroneous states
Resolves: rhbz#1241064
- Make sure (some more) GUI actions run in the main thread
Resolves: rhbz#1240967
- Beware of RPM->cpio entries' paths having absolute paths
Related: rhbz#1241064
- Only output the kickstart section with content and profile set
Resolves: rhbz#1241395
- Just report integrity check failure instead of traceback
Resolves: rhbz#1240710
- Properly react on download/loading issues in text+kickstart mode
Related: rhbz#1240710
- Fetch and process the content even if GUI doesn't take care of it
Resolves: rhbz#1240625
* Tue Jul 7 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-3
- Do not output redundant/invalid fields for the SSG content (vpodzime)
Resolves: rhbz#1240285
- Better handle unsupported URL types (vpodzime)
Resolves: rhbz#1232631
- React better on network issues (vpodzime)
Resolves: rhbz#1236657
- Improve the description of the default profile (vpodzime)
Resolves: rhbz#1238080
- Use the openscap-scanner package instead of openscap-utils (vpodzime)
Resolves: rhbz#1240249
- Better handle the case with no profile selected (vpodzime)
Resolves: rhbz#1235750
- Add newline and one blank line after the %%addon section (vpodzime)
Resolves: rhbz#1238267
- Word-wrap profile descriptions (vpodzime)
Resolves: rhbz#1236644
* Wed Jun 17 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-2
- Add gettext to BuildRequires (vpodzime)
Related: rhbz#1204640
* Tue Jun 16 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-1
- Rebase to the upstream version 0.7
Related: rhbz#1204640
* Tue Apr 28 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.6-1
- Rebase to the upstream version 0.6
Resolves: rhbz#1204640
* Mon Aug 04 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.4-3
- Don't distribute backup files
Resolves: rhbz#1065906
* Wed Jan 15 2014 Vratislav Podizmek <vpodzime@redhat.com> - 0.4-2
- Skip running tests on RHEL builds
Related: rhbz#1035662
* Tue Jan 14 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.4-1
- Beware of running Gtk actions from a non-main thread
- Fix path to the tailoring file when getting rules