Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yast2-security for openSUSE:Factory checked in at 2022-01-05 13:39:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-security (Old) and /work/SRC/openSUSE:Factory/.yast2-security.new.1896 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-security" Wed Jan 5 13:39:43 2022 rev:108 rq:943914 version:4.4.4 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-security/yast2-security.changes 2021-12-29 21:10:48.006277802 +0100 +++ /work/SRC/openSUSE:Factory/.yast2-security.new.1896/yast2-security.changes 2022-01-05 13:40:07.077542817 +0100 @@ -1,0 +2,9 @@ +Tue Jan 4 12:06:48 UTC 2022 - Knut Anderssen <[email protected]> + +- Related to jsc#SLE-22069: + - Autoyast LSM section: added "selectable" option to the section + - Do not propose a default LSM configuration when it is declared + as not configurable in the control file or AutoYaST +- 4.4.4 + +------------------------------------------------------------------- Old: ---- yast2-security-4.4.3.tar.bz2 New: ---- yast2-security-4.4.4.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-security.spec ++++++ --- /var/tmp/diff_new_pack.tDEC5N/_old 2022-01-05 13:40:07.517543162 +0100 +++ /var/tmp/diff_new_pack.tDEC5N/_new 2022-01-05 13:40:07.517543162 +0100 @@ -1,7 +1,7 @@ # # spec file for package yast2-security # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: yast2-security -Version: 4.4.3 +Version: 4.4.4 Release: 0 Summary: YaST2 - Security Configuration License: GPL-2.0-only ++++++ yast2-security-4.4.3.tar.bz2 -> yast2-security-4.4.4.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.3/package/yast2-security.changes new/yast2-security-4.4.4/package/yast2-security.changes --- old/yast2-security-4.4.3/package/yast2-security.changes 2021-12-29 15:59:37.000000000 +0100 +++ new/yast2-security-4.4.4/package/yast2-security.changes 2022-01-05 07:43:22.000000000 +0100 
@@ -1,4 +1,13 @@ ------------------------------------------------------------------- +Tue Jan 4 12:06:48 UTC 2022 - Knut Anderssen <[email protected]> + +- Related to jsc#SLE-22069: + - Autoyast LSM section: added "selectable" option to the section + - Do not propose a default LSM configuration when it is declared + as not configurable in the control file or AutoYaST +- 4.4.4 + +------------------------------------------------------------------- Wed Dec 29 11:47:15 UTC 2021 - Knut Anderssen <[email protected]> - Added back the selinux boot parameter when selinux is selected diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.3/package/yast2-security.spec new/yast2-security-4.4.4/package/yast2-security.spec --- old/yast2-security-4.4.3/package/yast2-security.spec 2021-12-29 15:59:37.000000000 +0100 +++ new/yast2-security-4.4.4/package/yast2-security.spec 2022-01-05 07:43:22.000000000 +0100 @@ -17,7 +17,7 @@ Name: yast2-security -Version: 4.4.3 +Version: 4.4.4 Release: 0 Group: System/YaST License: GPL-2.0-only diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.3/src/autoyast-rnc/security.rnc new/yast2-security-4.4.4/src/autoyast-rnc/security.rnc --- old/yast2-security-4.4.3/src/autoyast-rnc/security.rnc 2021-12-29 15:59:37.000000000 +0100 +++ new/yast2-security-4.4.4/src/autoyast-rnc/security.rnc 2022-01-05 07:43:22.000000000 +0100 
@@ -130,23 +130,29 @@ | lsm security = element security { MAP, y2_security* } -configurable = element configurable { BOOLEAN } -selectable = element selectable { BOOLEAN } +## Whether the module can be proposed/configured during installation +lsm_configurable = element configurable { BOOLEAN } +## Whether the module can be selected during installation +lsm_selectable = element selectable { BOOLEAN } +## Space-separated list of required/suggested patterns for the selected module +lsm_patterns = element patterns { text } lsm = element lsm { MAP, ( lsm_select? & - configurable? & + lsm_configurable? & + lsm_selectable? & selinux? & apparmor? ) } -lsm_select = element select { STRING } +# Linux Security Major Module to be activated after installation +lsm_select = element select { "apparmor" | "selinux" | "none" } lsm_module = - configurable - | selectable - | element patterns { STRING } + lsm_configurable + | lsm_selectable + | lsm_patterns apparmor = element apparmor { MAP, lsm_module* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.3/src/lib/y2security/lsm/config.rb new/yast2-security-4.4.4/src/lib/y2security/lsm/config.rb --- old/yast2-security-4.4.3/src/lib/y2security/lsm/config.rb 2021-12-29 15:59:37.000000000 +0100 +++ new/yast2-security-4.4.4/src/lib/y2security/lsm/config.rb 2022-01-05 07:43:22.000000000 +0100 @@ -51,6 +51,8 @@ # Select the LSM to be used based in the one defined in the control file using apparmor as # fallback in case that no one is selected def propose_default + return unless configurable? + log.info("The settings are #{product_feature_settings.inspect}") selected = product_feature_settings.fetch(:select, "apparmor") 
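Review bot: In the `security.rnc` hunk the comment added above `lsm_select` uses a single `#`, while the three definitions introduced a few lines earlier use `##` documentation comments, and "Linux Security Major Module" is easier to read as "major Linux Security Module". Writing it as `## Major Linux Security Module to be activated after installation` would keep the annotations uniform. Separately, `select` and `patterns` no longer use `STRING`; that definition is not visible here, so if it also admits an optional type attribute, existing profiles that carry one on these elements would stop validating and are worth checking.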
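Review bot: In `config.rb`, the guard added at the top of `propose_default` returns before the `log.info` call, so when LSM is not configurable the installer log gives no indication of why no module was selected. Logging before returning, for example `log.info("LSM is not configurable, no default is proposed")`, would make a missing mandatory-access-control selection traceable afterwards. The comment above the method should say the same, e.g. `# Does nothing when LSM is declared as not configurable`. The method body continues outside the hunk.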
@@ -140,7 +142,7 @@
 return @configurable unless @configurable.nil?
 return false if Yast::Arch.is_wsl
- @configurable = product_feature_settings[:configurable] || false
+ @configurable = product_feature_settings.fetch(:configurable, true)
 end
 # Returns the values for the LSM setting from the product features
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.3/src/modules/Security.rb new/yast2-security-4.4.4/src/modules/Security.rb
--- old/yast2-security-4.4.3/src/modules/Security.rb 2021-12-29 15:59:37.000000000 +0100
+++ new/yast2-security-4.4.4/src/modules/Security.rb 2022-01-05 07:43:22.000000000 +0100
@@ -932,6 +932,8 @@
 section = Y2Security::AutoinstProfile::SecuritySection.new_from_hashes(settings)
 Y2Security::Autoinst::LSMConfigReader.new(section.lsm).read
+ return unless lsm_config.configurable?
+
 PackagesProposal.SetResolvables("LSM", :pattern, lsm_config.needed_patterns)
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.3/test/security_test.rb new/yast2-security-4.4.4/test/security_test.rb
--- old/yast2-security-4.4.3/test/security_test.rb 2021-12-29 15:59:37.000000000 +0100
+++ new/yast2-security-4.4.4/test/security_test.rb 2022-01-05 07:43:22.000000000 +0100
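Review bot: The default for a missing `configurable` key flips from false to true on the changed line of `configurable?` in `config.rb`, and nothing in the hunk documents it; a comment such as `# Defaults to true when the product does not declare :configurable` would make the new contract explicit. `fetch(:configurable, true)` also applies the default only when the key is absent: a key present with a nil value yields nil, which the `@configurable.nil?` check above never caches. If a nil value should be treated like a missing key, `value = product_feature_settings[:configurable]` followed by `@configurable = value.nil? ? true : value` would give a strict boolean. The method starts outside the hunk.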
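Review bot: In `Security.rb` the new `return unless lsm_config.configurable?` comes after `LSMConfigReader#read`, so the profile's LSM section is still read and only the pattern proposal is skipped. Patterns registered under "LSM" by an earlier proposal would also stay in place, though whether that can happen is not visible from the hunk. A comment stating the intent, e.g. `# Not configurable: leave the package proposal untouched`, would help the next reader, and a log line before returning would record why no patterns were requested. The enclosing method starts outside the hunk.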
@@ -720,13 +720,23 @@
 end
 context "when a specific Linux Security Module is selected" do
- it "sets resolvables for needed patterns" do
- allow_any_instance_of(Y2Security::LSM::Base).to receive(:needed_patterns)
- .and_return(selinux_patterns)
- expect(Yast::PackagesProposal).to receive(:SetResolvables)
- .with(anything, :pattern, selinux_patterns)
-
- Security.Import("selinux_mode" => "permissive")
+ context "and LSM is configurable" do
+ it "sets resolvables for needed patterns" do
+ allow_any_instance_of(Y2Security::LSM::Base).to receive(:needed_patterns)
+ .and_return(selinux_patterns)
+ expect(Yast::PackagesProposal).to receive(:SetResolvables)
+ .with(anything, :pattern, selinux_patterns)
+
+ Security.Import("selinux_mode" => "permissive")
+ end
+ end
+
+ context "and LSM is declared as no configurable" do
+ it "does not touch resolvables" do
+ expect(Yast::PackagesProposal).to_not receive(:SetResolvables)
+
+ Security.Import("lsm" => { "configurable" => false })
+ end
 end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.4.3/test/y2security/lsm/config_test.rb new/yast2-security-4.4.4/test/y2security/lsm/config_test.rb
--- old/yast2-security-4.4.3/test/y2security/lsm/config_test.rb 2021-12-29 15:59:37.000000000 +0100
+++ new/yast2-security-4.4.4/test/y2security/lsm/config_test.rb 2022-01-05 07:43:22.000000000 +0100
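Review bot: The new "does not touch resolvables" example in `security_test.rb` imports only `"lsm" => { "configurable" => false }`, although it sits under the context "when a specific Linux Security Module is selected". The case the guard matters most for, a module chosen in the profile while LSM is declared not configurable, is therefore not exercised. Importing `Security.Import("lsm" => { "select" => "selinux", "configurable" => false })` would cover it. The context description would also read better as "declared as not configurable".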
@@ -174,16 +174,26 @@
 end
 describe "#propose_default" do
- it "selects the LSM to be used based on the control file" do
- expect { subject.propose_default }.to change { subject.selected&.id }.from(nil).to(:selinux)
+ context "when Linux Security module is declared as configurable in the control file" do
+ it "selects the LSM to be used based on the control file" do
+ expect { subject.propose_default }.to change { subject.selected&.id }.from(nil).to(:selinux)
+ end
+
+ context "when no default LSM is declared in the control file" do
+ let(:lsm_section) { { "configurable" => lsm_configurable } }
+
+ it "fallbacks to :apparmor" do
+ expect { subject.propose_default }
+ .to change { subject.selected&.id }.from(nil).to(:apparmor)
+ end
+ end
 end
- context "when no default LSM is declared in the control file" do
- let(:lsm_section) { { "configurable" => lsm_configurable } }
+ context "when Linux Security module is not declared as configurable in the control file" do
+ let(:lsm_configurable) { false }
- it "fallbacks to :apparmor" do
- expect { subject.propose_default }
- .to change { subject.selected&.id }.from(nil).to(:apparmor)
+ it "does not select any module by default" do
+ expect { subject.propose_default }.to_not(change { subject.selected })
 end
 end
 end
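Review bot: The examples in this `config_test.rb` hunk set `configurable` explicitly through `lsm_configurable`, but none visible here covers the key being absent, which is the case whose default this commit changes to true. An example with `let(:lsm_section) { {} }` that expects `propose_default` to fall back to `:apparmor` would pin the new default, assuming `lsm_section` feeds the product feature settings the way the existing `let` suggests. The `describe` block starts outside the hunk, so such a case may already exist elsewhere in the file.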
