257 lines
11 KiB
Diff
257 lines
11 KiB
Diff
diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
|
|
index f712ac4..738465f 100644
|
|
--- a/org_fedora_oscap/rule_handling.py
|
|
+++ b/org_fedora_oscap/rule_handling.py
|
|
@@ -26,7 +26,13 @@
|
|
import optparse
|
|
import shlex
|
|
import logging
|
|
+
|
|
from pyanaconda.pwpolicy import F22_PwPolicyData
|
|
+from pyanaconda.core.constants import (
|
|
+ FIREWALL_ENABLED, FIREWALL_DISABLED, FIREWALL_USE_SYSTEM_DEFAULTS)
|
|
+from pyanaconda.modules.common.constants.objects import FIREWALL, BOOTLOADER
|
|
+from pyanaconda.modules.common.constants.services import NETWORK, STORAGE, USERS
|
|
+
|
|
from org_fedora_oscap import common
|
|
from org_fedora_oscap.common import OSCAPaddonError, RuleMessage
|
|
|
|
@@ -496,7 +502,10 @@ def eval_rules(self, ksdata, storage, report_only=False):
|
|
return []
|
|
|
|
ret = []
|
|
- if not ksdata.rootpw.password:
|
|
+
|
|
+ users_proxy = USERS.get_proxy()
|
|
+
|
|
+ if not users_proxy.IsRootPasswordSet:
|
|
# root password was not set
|
|
|
|
msg = _("make sure to create password with minimal length of %d "
|
|
@@ -505,12 +514,12 @@ def eval_rules(self, ksdata, storage, report_only=False):
|
|
common.MESSAGE_TYPE_WARNING, msg)]
|
|
else:
|
|
# root password set
|
|
- if ksdata.rootpw.isCrypted:
|
|
+ if users_proxy.IsRootPasswordCrypted:
|
|
msg = _("cannot check root password length (password is crypted)")
|
|
log.warning("cannot check root password length (password is crypted)")
|
|
return [RuleMessage(self.__class__,
|
|
common.MESSAGE_TYPE_WARNING, msg)]
|
|
- elif len(ksdata.rootpw.password) < self._minlen:
|
|
+ elif len(users_proxy.RootPassword) < self._minlen:
|
|
# too short
|
|
msg = _("root password is too short, a longer one with at "
|
|
"least %d characters is required") % self._minlen
|
|
@@ -705,10 +714,13 @@ def __str__(self):
|
|
def eval_rules(self, ksdata, storage, report_only=False):
|
|
""":see: RuleHandler.eval_rules"""
|
|
|
|
- if self._require_password and not storage.bootloader.password:
|
|
- # Anaconda doesn't provide a way to set bootloader password, so
|
|
- # users cannot do much about that --> we shouldn't stop the
|
|
- # installation, should we?
|
|
+ bootloader_proxy = STORAGE.get_proxy(BOOTLOADER)
|
|
+
|
|
+ if self._require_password and not bootloader_proxy.password_is_set:
|
|
+ # TODO: Anaconda provides a way to set bootloader password:
|
|
+ # bootloader_proxy.set_password(...)
|
|
+ # We don't support setting the bootloader password yet,
|
|
+ # but we shouldn't stop the installation, just because of that.
|
|
return [RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING,
|
|
"boot loader password not set up")]
|
|
else:
|
|
@@ -802,8 +814,13 @@ def __init__(self):
|
|
self._added_trusts = set()
|
|
self._removed_svcs = set()
|
|
|
|
+ self._new_services_to_add = set()
|
|
+ self._new_ports_to_add = set()
|
|
+ self._new_trusts_to_add = set()
|
|
+ self._new_services_to_remove = set()
|
|
+
|
|
self._firewall_enabled = None
|
|
- self._firewall_default_enabled = None
|
|
+ self._firewall_default_state = None
|
|
|
|
def add_services(self, services):
|
|
"""
|
|
@@ -895,25 +912,26 @@ def __str__(self):
|
|
def eval_rules(self, ksdata, storage, report_only=False):
|
|
""":see: RuleHandler.eval_rules"""
|
|
|
|
+ firewall_proxy = NETWORK.get_proxy(FIREWALL)
|
|
messages = []
|
|
|
|
- if self._firewall_default_enabled is None:
|
|
+ if self._firewall_default_state is None:
|
|
# firewall default startup setting
|
|
- self._firewall_default_enabled = ksdata.firewall.enabled
|
|
+ self._firewall_default_state = firewall_proxy.FirewallMode
|
|
|
|
if self._firewall_enabled is False:
|
|
msg = _("Firewall will be disabled on startup")
|
|
messages.append(RuleMessage(self.__class__,
|
|
common.MESSAGE_TYPE_INFO, msg))
|
|
if not report_only:
|
|
- ksdata.firewall.enabled = self._firewall_enabled
|
|
+ firewall_proxy.SetFirewallMode(FIREWALL_DISABLED)
|
|
|
|
elif self._firewall_enabled is True:
|
|
msg = _("Firewall will be enabled on startup")
|
|
messages.append(RuleMessage(self.__class__,
|
|
common.MESSAGE_TYPE_INFO, msg))
|
|
if not report_only:
|
|
- ksdata.firewall.enabled = self._firewall_enabled
|
|
+ firewall_proxy.SetFirewallMode(FIREWALL_ENABLED)
|
|
|
|
# add messages for the already added services
|
|
for svc in self._added_svcs:
|
|
@@ -937,49 +955,58 @@ def eval_rules(self, ksdata, storage, report_only=False):
|
|
common.MESSAGE_TYPE_INFO, msg))
|
|
|
|
# services, that should be added
|
|
- services_to_add = (svc for svc in self._add_svcs
|
|
- if svc not in ksdata.firewall.services)
|
|
+ self._new_services_to_add = {
|
|
+ svc for svc in self._add_svcs
|
|
+ if svc not in firewall_proxy.EnabledServices}
|
|
|
|
# ports, that should be added
|
|
- ports_to_add = (ports for ports in self._add_ports
|
|
- if ports not in ksdata.firewall.ports)
|
|
+ self._new_ports_to_add = {
|
|
+ ports for ports in self._add_ports
|
|
+ if ports not in firewall_proxy.EnabledPorts}
|
|
|
|
# trusts, that should be added
|
|
- trusts_to_add = (trust for trust in self._add_trusts
|
|
- if trust not in ksdata.firewall.trusts)
|
|
+ self._new_trusts_to_add = {
|
|
+ trust for trust in self._add_trusts
|
|
+ if trust not in firewall_proxy.Trusts}
|
|
|
|
- for svc in services_to_add:
|
|
+ for svc in self._new_services_to_add:
|
|
# add the service unless already added
|
|
if not report_only:
|
|
self._added_svcs.add(svc)
|
|
- ksdata.firewall.services.append(svc)
|
|
|
|
msg = _("service '%s' has been added to the list of services to be "
|
|
"added to the firewall" % svc)
|
|
messages.append(RuleMessage(self.__class__,
|
|
common.MESSAGE_TYPE_INFO, msg))
|
|
+ if not report_only:
|
|
+ all_services = list(self._add_svcs.union(set(firewall_proxy.EnabledServices)))
|
|
+ firewall_proxy.SetEnabledServices(all_services)
|
|
|
|
- for port in ports_to_add:
|
|
+ for port in self._new_ports_to_add:
|
|
# add the port unless already added
|
|
if not report_only:
|
|
self._added_ports.add(port)
|
|
- ksdata.firewall.ports.append(port)
|
|
|
|
msg = _("port '%s' has been added to the list of ports to be "
|
|
"added to the firewall" % port)
|
|
messages.append(RuleMessage(self.__class__,
|
|
common.MESSAGE_TYPE_INFO, msg))
|
|
+ if not report_only:
|
|
+ all_ports = list(self._add_ports.union(set(firewall_proxy.EnabledPorts)))
|
|
+ firewall_proxy.SetEnabledPorts(all_ports)
|
|
|
|
- for trust in trusts_to_add:
|
|
+ for trust in self._new_trusts_to_add:
|
|
# add the trust unless already added
|
|
if not report_only:
|
|
self._added_trusts.add(trust)
|
|
- ksdata.firewall.trusts.append(trust)
|
|
|
|
msg = _("trust '%s' has been added to the list of trusts to be "
|
|
"added to the firewall" % trust)
|
|
messages.append(RuleMessage(self.__class__,
|
|
common.MESSAGE_TYPE_INFO, msg))
|
|
+ if not report_only:
|
|
+ all_trusts = list(self._add_trusts.union(set(firewall_proxy.Trusts)))
|
|
+ firewall_proxy.SetTrusts(all_trusts)
|
|
|
|
# now do the same for the services that should be excluded
|
|
|
|
@@ -990,52 +1017,56 @@ def eval_rules(self, ksdata, storage, report_only=False):
|
|
messages.append(RuleMessage(self.__class__,
|
|
common.MESSAGE_TYPE_INFO, msg))
|
|
|
|
- # services, that should be added
|
|
- services_to_remove = (svc for svc in self._remove_svcs
|
|
- if svc not in ksdata.firewall.remove_services)
|
|
+ # services, that should be excluded
|
|
+ self._new_services_to_remove = {
|
|
+ svc for svc in self._remove_svcs
|
|
+ if svc not in firewall_proxy.DisabledServices}
|
|
|
|
- for svc in services_to_remove:
|
|
+ for svc in self._new_services_to_remove:
|
|
# exclude the service unless already excluded
|
|
if not report_only:
|
|
self._removed_svcs.add(svc)
|
|
- ksdata.firewall.remove_services.append(svc)
|
|
|
|
msg = _("service '%s' has been added to the list of services to be "
|
|
"removed from the firewall" % svc)
|
|
messages.append(RuleMessage(self.__class__,
|
|
common.MESSAGE_TYPE_INFO, msg))
|
|
+ if not report_only:
|
|
+ all_services = list(self._remove_svcs.union(set(firewall_proxy.DisabledServices)))
|
|
+ firewall_proxy.SetDisabledServices(all_services)
|
|
|
|
return messages
|
|
|
|
def revert_changes(self, ksdata, storage):
|
|
""":see: RuleHander.revert_changes"""
|
|
+ firewall_proxy = NETWORK.get_proxy(FIREWALL)
|
|
|
|
if self._firewall_enabled is not None:
|
|
- ksdata.firewall.enabled = self._firewall_default_enabled
|
|
+ firewall_proxy.SetFirewallMode(self._firewall_default_state)
|
|
|
|
# remove all services this handler added
|
|
- for svc in self._added_svcs:
|
|
- if svc in ksdata.firewall.services:
|
|
- ksdata.firewall.services.remove(svc)
|
|
+ all_services = firewall_proxy.EnabledServices
|
|
+ orig_services = set(all_services).difference(self._new_services_to_add)
|
|
+ firewall_proxy.SetEnabledServices(list(orig_services))
|
|
|
|
# remove all ports this handler added
|
|
- for port in self._added_ports:
|
|
- if port in ksdata.firewall.ports:
|
|
- ksdata.firewall.ports.remove(port)
|
|
+ all_ports = firewall_proxy.EnabledPorts
|
|
+ orig_ports = set(all_ports).difference(self._new_ports_to_add)
|
|
+ firewall_proxy.SetEnabledPorts(list(orig_ports))
|
|
|
|
# remove all trusts this handler added
|
|
- for trust in self._added_trusts:
|
|
- if trust in ksdata.firewall.trusts:
|
|
- ksdata.firewall.trusts.remove(trust)
|
|
+ all_trusts = firewall_proxy.Trusts
|
|
+ orig_trusts = set(all_trusts).difference(self._new_trusts_to_add)
|
|
+ firewall_proxy.SetTrusts(list(orig_trusts))
|
|
|
|
# remove all services this handler excluded
|
|
- for svc in self._removed_svcs:
|
|
- if svc in ksdata.firewall.remove_services:
|
|
- ksdata.firewall.remove_services.remove(svc)
|
|
+ all_services = firewall_proxy.DisabledServices
|
|
+ orig_services = set(all_services).difference(self._new_services_to_remove)
|
|
+ firewall_proxy.SetDisabledServices(list(orig_services))
|
|
|
|
self._added_svcs = set()
|
|
self._added_ports = set()
|
|
self._added_trusts = set()
|
|
self._removed_svcs = set()
|
|
self._firewall_enabled = None
|
|
- self._firewall_default_enabled = None
|
|
+ self._firewall_default_state = None
|