From c28597b10f4d4f4d2c37fd9120cc89aacdd88d11 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 17 Aug 2023 16:55:27 +0200 Subject: [PATCH] remove problematic rule from ANSSI High profile Resolves: rhbz#2221695 --- ...ol_secure_insmod_from_anssi-PR_11001.patch | 30 +++++++++++++++++++ scap-security-guide.spec | 7 ++++- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch diff --git a/scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch b/scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch new file mode 100644 index 0000000..bf45744 --- /dev/null +++ b/scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch @@ -0,0 +1,30 @@ +From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 17 Aug 2023 10:50:09 +0200 +Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high + +--- + products/rhel8/profiles/anssi_bp28_high.profile | 2 ++ + products/rhel9/profiles/anssi_bp28_high.profile | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile +index e2eeabbb78d..204e141b1f5 100644 +--- a/products/rhel8/profiles/anssi_bp28_high.profile ++++ b/products/rhel8/profiles/anssi_bp28_high.profile +@@ -17,3 +17,5 @@ description: |- + + selections: + - anssi:all:high ++ # the following rule renders UEFI systems unbootable ++ - '!sebool_secure_mode_insmod' +diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile +index e2eeabbb78d..204e141b1f5 100644 +--- a/products/rhel9/profiles/anssi_bp28_high.profile ++++ b/products/rhel9/profiles/anssi_bp28_high.profile +@@ -17,3 +17,5 @@ description: |- + + selections: + - anssi:all:high ++ # the following rule renders UEFI systems unbootable ++ - '!sebool_secure_mode_insmod' diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 213c008..f01e398 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -6,7 +6,7 @@ Name: scap-security-guide Version: 0.1.69 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause Group: Applications/System @@ -19,6 +19,8 @@ Patch0: disable-not-in-good-shape-profiles.patch # Fix rule enable_fips_mode Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch +# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting +Patch3: scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch BuildArch: noarch @@ -125,6 +127,9 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name %endif %changelog +* Thu Aug 17 2023 Vojtech Polasek - 0.1.69-2 +- remove problematic rule from ANSSI High profile (RHBZ#2221695) + * Thu Aug 10 2023 Jan Černý - 0.1.69-1 - Rebase to a new upstream release 0.1.69 (RHBZ#2221695) - Fixed CCE link URL (RHBZ#2178516)