Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yast2-security for openSUSE:Factory checked in at 2025-04-11 16:45:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-security (Old) and /work/SRC/openSUSE:Factory/.yast2-security.new.1907 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-security" Fri Apr 11 16:45:32 2025 rev:126 rq:1268226 version:5.0.3 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-security/yast2-security.changes 2024-10-02 21:32:00.998969623 +0200 +++ /work/SRC/openSUSE:Factory/.yast2-security.new.1907/yast2-security.changes 2025-04-11 16:46:02.273354734 +0200 @@ -1,0 +2,7 @@ +Wed Apr 9 08:12:01 UTC 2025 - Josef Reidinger <jreidin...@suse.com> + +- Do not write selinux mode to kernel command line and keep it only + in /etc/selinux/config (jsc#PED-12400) +- 5.0.3 + +------------------------------------------------------------------- Old: ---- yast2-security-5.0.2.tar.bz2 New: ---- yast2-security-5.0.3.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-security.spec ++++++ --- /var/tmp/diff_new_pack.wSnoAg/_old 2025-04-11 16:46:02.917381810 +0200 +++ /var/tmp/diff_new_pack.wSnoAg/_new 2025-04-11 16:46:02.917381810 +0200 @@ -1,7 +1,7 @@ # # spec file for package yast2-security # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: yast2-security -Version: 5.0.2 +Version: 5.0.3 Release: 0 Group: System/YaST License: GPL-2.0-only ++++++ yast2-security-5.0.2.tar.bz2 -> yast2-security-5.0.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-5.0.2/package/yast2-security.changes new/yast2-security-5.0.3/package/yast2-security.changes --- old/yast2-security-5.0.2/package/yast2-security.changes 2024-10-02 10:03:28.000000000 +0200 +++ new/yast2-security-5.0.3/package/yast2-security.changes 2025-04-09 21:36:00.000000000 +0200 
@@ -1,4 +1,11 @@ ------------------------------------------------------------------- +Wed Apr 9 08:12:01 UTC 2025 - Josef Reidinger <jreidin...@suse.com> + +- Do not write selinux mode to kernel command line and keep it only + in /etc/selinux/config (jsc#PED-12400) +- 5.0.3 + +------------------------------------------------------------------- Mon Sep 30 14:36:10 UTC 2024 - Stefan Hundhammer <shundham...@suse.com> - Drop obsolete USERADD_CMD, USERDEL_PRECMD, USERDEL_POSTCMD in diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-5.0.2/package/yast2-security.spec new/yast2-security-5.0.3/package/yast2-security.spec --- old/yast2-security-5.0.2/package/yast2-security.spec 2024-10-02 10:03:28.000000000 +0200 +++ new/yast2-security-5.0.3/package/yast2-security.spec 2025-04-09 21:36:00.000000000 +0200 @@ -17,7 +17,7 @@ Name: yast2-security -Version: 5.0.2 +Version: 5.0.3 Release: 0 Group: System/YaST License: GPL-2.0-only diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-5.0.2/src/lib/y2security/lsm/selinux.rb new/yast2-security-5.0.3/src/lib/y2security/lsm/selinux.rb --- old/yast2-security-5.0.2/src/lib/y2security/lsm/selinux.rb 2024-10-02 10:03:28.000000000 +0200 +++ new/yast2-security-5.0.3/src/lib/y2security/lsm/selinux.rb 2025-04-09 21:36:00.000000000 +0200 @@ -51,13 +51,6 @@ # mode.name #=> "Permisive" # mode.options ~=> { "lsm" => "selinux", "selinux" => "1", "enforcing" => :missing } # - # @example Querying the SELinux mode set by boot params - # selinux= Selinux.new - # mode = selinux.boot_mode - # mode.id #=> :enforcing - # mode.name #=> "Enforcing" - # mode.options ~=> { "lsm" => "selinux", "selinux" => "1", "enforcing" => "1" } - # # @example Enabling SELinux in Permissive mode for next boot # selinux = Selinux.new # selinux.mode = :permissive 
@@ -112,24 +105,31 @@ # The current set mode # - # @note initially, it will be set to the {#proposed_mode}, #{boot_mode}, or - # {#configured_mode}, as applicable. When SELinux is enabled (i.e., detected #{boot_mode} was - # not "disabled") but the mode was set through neither, a boot kernel param nor configuration + # @note initially, it will be set to the {#proposed_mode} or + # {#configured_mode}, as applicable. When SELinux is enabled + # but the mode was set through neither, a boot kernel param nor configuration # file, the "permissive" mode is assumed. # # @note a #{save} call is needed to make it the SELinux mode starting with the next boot. # - # @return [Selinux::Mode] the current set mode, which initially can be the {#proposed_mode}, - # {#boot_mode} or the {#configured_mode} as applicable. A {#save} call is needed to make it + # @return [Selinux::Mode] the current set mode, which initially can be the {#proposed_mode} + # or the {#configured_mode} as applicable. A {#save} call is needed to make it # the for the next boot. def mode - @mode ||= make_proposal || boot_mode || configured_mode || Mode.find(:permissive) + @mode ||= make_proposal || configured_mode || Mode.find(:permissive) end # Returns the configured mode in the SELinux config file # # @return [Mode, nil] the SELinux mode set in the config file; nil if unknown or not set def configured_mode + # selinux is disabled on cmdline, but mode is set in config file. See https://bugzilla.suse.com/show_bug.cgi?id=1239717 + options = options_from_kernel_params + return if options.empty? + + disabled_mode = options.fetch("selinux", 1).to_i <= 0 + return Mode.find(:disabled) if disabled_mode + Mode.find(config_file.selinux) end 
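Review bot: The new `return if options.empty?` in `configured_mode` makes the config file unreachable whenever `options_from_kernel_params` yields nothing, so `mode` falls through to `Mode.find(:permissive)` even when /etc/selinux/config says enforcing; judging by the deleted `boot_mode` specs, that is the case for a command line without `security=selinux`/`lsm=` and the `configured_mode` docstring ("nil if unknown or not set") does not cover it. The rest of the change says the file is now the single source of the mode, so only the disable check should depend on the command line: replace the early return and the two `disabled_mode` lines with `return Mode.find(:disabled) if options.fetch("selinux", 1).to_i <= 0` and keep `Mode.find(config_file.selinux)` as the default, or, if an empty option set is meant to signal "SELinux is not the selected LSM", say so in the `@return` docs. The `#configured_mode` specs in selinux_test.rb (`@@ -204,8 +189,17 @@`) set `selinux_param` to "1" throughout and so never exercise this path; a case with no security/lsm param and `selinux_mode` "enforcing" would pin whichever behaviour is intended. The `@note` above `mode` still lists "a boot kernel param" as a way the mode can be set, which the new code no longer does. The enclosing class continues outside the hunk.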
@@ -148,30 +148,6 @@ nil end - # Returns the SELinux mode according to boot kernel params - # - # @see #options_from_kernel_params - # - # @return [Mode,nil] the selected mode through boot kernel params or nil if SELinux is - # enabled but there is not enough information to guess the mode because it will depend on - # the SELinux value in the configuration file (see {#configured_mode} and {#mode}). - def boot_mode - options = options_from_kernel_params - return if options.empty? - - disabled_mode = options.fetch("selinux", 1).to_i <= 0 - return Mode.find(:disabled) if disabled_mode - - # enforcing missing or with a negative value means that SELinux mode will be determined - # by the SELINUX value in the configuration file. "permissive" by default. See {#mode} - enforcing_mode = options["enforcing"]&.to_i - return if enforcing_mode.nil? || enforcing_mode < 0 - - # enforcing=0 means that "permissive" mode will be used, despite the SELINUX value used in - # the configuration file. - (enforcing_mode > 0) ? Mode.find(:enforcing) : Mode.find(:permissive) - end - # Returns a collection holding all known SELinux modes # # @return [Array<Selinux::Mode>] a collection of known SELinux modes @@ -196,16 +172,6 @@ @mode = found_mode end - # Returns the known keys for selection a specific Linux Security Module adding also the - # SELinux options for selecting a specific mode. - # - # @see Base#kernel_options - # - # @return [Array<String>] - def kernel_options - super + Mode.kernel_options - end - # @see Base#kernel_params def kernel_params mode.options @@ -377,13 +343,6 @@ ALL end - # Returns all known keys for setting a SELinux mode via kernel command line - # - # @return [Array<String>] - def self.kernel_options - KERNEL_OPTIONS - end - # Finds a SELinux mode by its id # # @param id [Mode, String, Symbol, nil] 
@@ -399,16 +358,14 @@ # @param id [String, Symbol] id of the mode # @param name [String] the mode name, a string marked for translation # @param disable [Boolean] whether the mode will be disabled or not - # @param enforcing [Boolean] if SELinux should be run enforcing or not - def initialize(id, name, disable, enforcing) + def initialize(id, name, disable) textdomain "security" @id = id.to_sym @name = name @options = { - "security" => "selinux", - "selinux" => disable ? "0" : "1", - "enforcing" => enforcing ? "1" : :missing + "security" => "selinux", + "selinux" => disable ? "0" : "1" } end @@ -423,9 +380,8 @@ # All known SELinux modes # # This is _the main_ or _base_ configuration for known SELinux modes. However, note that, - # for example, a permissive mode could be set by just setting the Linux Security Module; - # i.e., "lsm=selinux" means "enable SELinux using the permissive mode". Or even setting the - # enforcing param to a value equal or less than 0; i.e., "lsm=selinux enforcing=0". + # mode is no longer driver by kernel command line, but by selinux config file. + # For more see https://jira.suse.com/browse/PED-12400 # # Additionally, removing the "lsm" from the kernel params does not mean to use none # LSM module. Instead, it just fallback to the kernel configuration at the compile 
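Review bot: Dropping "enforcing" from `@options` in `Mode#initialize` means a `save` that writes `mode.options` (the `kernel_params` path, as the `modify_kernel_params` expectation in selinux_test.rb suggests) no longer removes an `enforcing=` parameter that earlier yast2-security releases put on the kernel command line. Since the kernel gives `enforcing=` precedence over /etc/selinux/config, an upgraded system left with a stale `enforcing=0` would keep booting permissive while YaST reports the enforcing mode from the config file. Keeping `"enforcing" => :missing` in the hash (one line, with the same alignment as the remaining keys) makes every save clear the obsolete parameter; the reset hash tested in the `@@ -274,10 +268,9 @@` hunk of selinux_test.rb has the same gap. Whether `save` actually writes `mode.options` is inferred from the specs, not visible in this hunk.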
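Review bot: The rewritten comment above `ALL` reads "However, note that, mode is no longer driver by kernel command line", which is both a typo and a dangling "However" now that the contrasting example is gone; suggest `# Note that the mode is no longer driven by the kernel command line but by the SELinux config file.` followed by the existing PED-12400 link line. The following paragraph about dropping "lsm" from the kernel params still applies and can stay as is.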
@@ -436,15 +392,11 @@ # https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html # and/or grep for CONFIG_LSM in /boot/config-* ALL = [ - new(:disabled, N_("Disabled"), true, false), - new(:permissive, N_("Permissive"), false, false), - new(:enforcing, N_("Enforcing"), false, true) + new(:disabled, N_("Disabled"), true), + new(:permissive, N_("Permissive"), false), + new(:enforcing, N_("Enforcing"), false) ].freeze private_constant :ALL - - # Known keys for setting a SELinux mode via kernel command line - KERNEL_OPTIONS = ["enforcing"].freeze - private_constant :KERNEL_OPTIONS end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-5.0.2/test/y2security/lsm/selinux_test.rb new/yast2-security-5.0.3/test/y2security/lsm/selinux_test.rb --- old/yast2-security-5.0.2/test/y2security/lsm/selinux_test.rb 2024-10-02 10:03:28.000000000 +0200 +++ new/yast2-security-5.0.3/test/y2security/lsm/selinux_test.rb 2025-04-09 21:36:00.000000000 +0200 @@ -118,11 +118,11 @@ context "when mode is not set yet" do context "in a running system" do - before do - allow(subject).to receive(:configured_mode).and_return(configured_mode) - end - context "with selinux enabled through boot param" do + before do + allow(subject).to receive(:configured_mode).and_return(configured_mode) + end + let(:security_param) { "selinux" } let(:selinux_param) { "1" } @@ -141,24 +141,6 @@ expect(subject.mode).to eq(permissive_mode) end end - - context "and enforcing mode set via boot param" do - let(:enforcing_param) { "1" } - let(:configured_mode) { permissive_mode } - - it "returns the enforcing mode" do - expect(subject.mode).to eq(enforcing_mode) - end - end - - context "and permissive mode set via boot param" do - let(:enforcing_param) { "0" } - let(:configured_mode) { enforcing_mode } - - it "returns the permissive mode" do - expect(subject.mode).to eq(permissive_mode) - end - end end context "with selinux disabled" do 
@@ -175,6 +157,7 @@ let(:installation_mode) { true } context "when globals => selinux => mode feature is not set" do + let(:selinux_param) { "1" } let(:selinux_mode) { "" } it "returns the mode set by the config file" do @@ -183,6 +166,8 @@ end context "when globals => selinux => mode is set" do + let(:selinux_param) { "1" } + context "and contains a valid mode" do let(:selinux_mode) { "enforcing" } @@ -204,8 +189,17 @@ end describe "#configured_mode" do + let(:selinux_param) { "1" } let(:config_file) { double("CFA::Selinux", load: true, selinux: selinux_mode) } + context "selinux is disabled on kernel cmdline" do + let(:selinux_param) { "0" } + + it "returns the disabled mode" do + expect(subject.configured_mode).to eq(disabled_mode) + end + end + context "when enforcing mode is configured" do let(:selinux_mode) { "enforcing" } @@ -274,10 +268,9 @@ it "resets the kernel params it knows" do params = { - "lsm" => :missing, - "security" => :missing, - "enforcing" => :missing, - "selinux" => :missing + "lsm" => :missing, + "security" => :missing, + "selinux" => :missing } expect(Yast::Bootloader).to receive(:modify_kernel_params) .with(params) 
@@ -285,84 +278,6 @@ end end - describe "#boot_mode" do - context "when security or lsm boot param are not set" do - it "returns nil" do - expect(subject.boot_mode).to eq(nil) - end - end - - context "when security boot param is not selinux" do - let(:security_param) { "smack" } - - it "returns nil" do - expect(subject.boot_mode).to be_nil - end - end - - context "when security boot param is selinux" do - let(:security_param) { "selinux" } - - context "and selinux boot param is zero" do - let(:selinux_param) { "0" } - - it "returns the disabled mode" do - expect(subject.boot_mode).to eq(disabled_mode) - end - end - - context "and selinux boot param is a text" do - let(:selinux_param) { "whatever" } - - it "returns the disabled mode" do - expect(subject.boot_mode).to eq(disabled_mode) - end - end - - context "and selinux boot param is negative number" do - let(:selinux_param) { -1 } - - it "returns the disabled mode" do - expect(subject.boot_mode).to eq(disabled_mode) - end - end - - context "and selinux boot param is greater than zero" do - let(:selinux_param) { "1" } - - context "and enforcing param is zero" do - let(:enforcing_param) { 0 } - - it "returns the permissive mode" do - expect(subject.boot_mode).to eq(permissive_mode) - end - end - - context "and enforcing param is greater than zero" do - let(:enforcing_param) { "1" } - - it "returns the enforcing mode" do - expect(subject.boot_mode).to eq(enforcing_mode) - end - end - - context "but enforcing param is not defined" do - it "returns nil" do - expect(subject.boot_mode).to be_nil - end - end - - context "but enforcing param is a negative value" do - let(:enforcing_param) { "-15" } - - it "returns nil" do - expect(subject.boot_mode).to be_nil - end - end - end - end - end - describe "#mode=" do context "when a known SELinux mode id is given" do it "returns the mode" do 
@@ -636,12 +551,6 @@ end end - describe ".kernel_options" do - it "includes 'enforcing'" do - expect(subject.kernel_options).to include("enforcing") - end - end - describe ".find" do let(:mode) { subject.find(mode_id) } @@ -683,7 +592,7 @@ let(:mode) { described_class.find(:disabled) } it "returns the mode options" do - expect(mode.options).to a_hash_including("security", "selinux", "enforcing") + expect(mode.options).to a_hash_including("security", "selinux") end end end