From c5477d73d7ec43d09eac821af91f77cdbb886dfb Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 03 2016 06:02:35 +0000 Subject: import oscap-anaconda-addon-0.7-12.el7
---
diff --git a/SOURCES/anaconda_settle_1265552.patch b/SOURCES/anaconda_settle_1265552.patch new file mode 100644
index 0000000..9272f1b
--- /dev/null
+++ b/SOURCES/anaconda_settle_1265552.patch
@@ -0,0 +1,31 @@
+From 545720b9ac10d82d79b29128545d2592716ebb57 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Mon, 30 May 2016 11:00:44 +0200
+Subject: [PATCH 12/13] Wait for Anaconda to settle before evaluation
+
+Otherwise we may win the race and evaluate the configuration before it's
+actually setup "discovering" issues that don't exist in the end.
+
+Resolves: rhbz#1265552
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index 42fc406..9f515ce 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -429,6 +429,10 @@ class OSCAPSpoke(NormalSpoke):
+ # refresh UI elements
+ self.refresh()
+
++ # let all initialization and configuration happen before we evaluate the
++ # setup
++ threadMgr.wait_all()
++
+ # try to switch to the chosen profile (if any)
+ selected = self._switch_profile()
+
+--
+2.5.5
+
diff --git a/SOURCES/catch_fetch_error_1263239.patch b/SOURCES/catch_fetch_error_1263239.patch new file mode 100644
index 0000000..da6f262
--- /dev/null
+++ b/SOURCES/catch_fetch_error_1263239.patch
@@ -0,0 +1,30 @@
+From 91b72ed3c71dbe1fe6a475f412b9290ebfb6e9c5 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 17 May 2016 11:41:53 +0200
+Subject: [PATCH 02/13] Also catch data_fetch.DataFetchError when trying to get
+ content
+
+Otherwise everything crashes and a traceback is shown to the user instead of a
+dialog (TUI) or proper error message (cmdline mode).
+
+Resolves: rhbz#1263239
+---
+ org_fedora_oscap/ks/oscap.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
+index df92018..5c29d4a 100644
+--- a/org_fedora_oscap/ks/oscap.py
++++ b/org_fedora_oscap/ks/oscap.py
+@@ -413,7 +413,7 @@ class OSCAPdata(AddonData):
+ # content not available/fetched yet
+ try:
+ self._fetch_content_and_initialize()
+- except common.OSCAPaddonError as e:
++ except (common.OSCAPaddonError, data_fetch.DataFetchError) as e:
+ log.error("Failed to fetch and initialize SCAP content!")
+ msg = _("There was an error fetching and loading the security content:\n" +
+ "%s\n" +
+--
+2.5.5
+
diff --git a/SOURCES/change_ssg_paths.patch b/SOURCES/change_ssg_paths.patch new file mode 100644
index 0000000..daf22a2
--- /dev/null
+++ b/SOURCES/change_ssg_paths.patch
@@ -0,0 +1,27 @@
+From 1bbde30a8220e545011e9df3b96bd3b9220c9cfe Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 28 Apr 2015 16:29:51 +0200
+Subject: [PATCH] Change paths to use RHEL 7's SSG instead of the Fedora's one
+
+---
+ org_fedora_oscap/common.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
+index f1aba4c..7873b50 100644
+--- org_fedora_oscap/common.py
++++ org_fedora_oscap/common.py
+@@ -48,8 +48,8 @@ __all__ = ["run_oscap_remediate", "get_fix_rules_pre", "wait_and_fetch_net_data"
+ INSTALLATION_CONTENT_DIR = "/tmp/openscap_data/"
+ TARGET_CONTENT_DIR = "/root/openscap_data/"
+
+-SSG_DIR = "/usr/share/xml/scap/ssg/fedora/"
+-SSG_XCCDF = "ssg-fedora-xccdf.xml"
++SSG_DIR = "/usr/share/xml/scap/ssg/content/"
++SSG_XCCDF = "ssg-rhel7-xccdf.xml"
+
+ RESULTS_PATH = utils.join_paths(TARGET_CONTENT_DIR, "eval_remediate_results.xml")
+
+--
+2.3.6
+
diff --git a/SOURCES/changes_view_scrollable_1263582.patch b/SOURCES/changes_view_scrollable_1263582.patch new file mode 100644
index 0000000..b361d1e
--- /dev/null
+++ b/SOURCES/changes_view_scrollable_1263582.patch
@@ -0,0 +1,83 @@ +From 5f512f6e9e72c10a4ad32a08b1bab095014c9057 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Thu, 26 May 2016 10:04:17 +0200 +Subject: [PATCH 11/13] Make the changes overview scrollable and smaller + +There might possibly be many changes which would cause the view to overflow the +screen or push some elements outside of the screen resulting in permanent damage +to Anaconda's UI. Let's prevent this from happening by making the view +scrollable. The 'automatic' policy should make sure there are no scrollbars +unless needed. Disabling the horizontal expand makes sure that the changes view +doesn't take too much space from the screen when not needed. + +Related: rhbz#1263582 +--- + org_fedora_oscap/gui/spokes/oscap.glade | 46 +++++++++++++++++++-------------- + 1 file changed, 26 insertions(+), 20 deletions(-) + +diff --git a/org_fedora_oscap/gui/spokes/oscap.glade b/org_fedora_oscap/gui/spokes/oscap.glade +index 3737eba..5ce20b0 100644 +--- a/org_fedora_oscap/gui/spokes/oscap.glade ++++ b/org_fedora_oscap/gui/spokes/oscap.glade +@@ -351,32 +351,38 @@ + + + +- ++ + True + True +- True +- True +- changesStore +- False +- False +- 0 +- +- +- ++ in + +- ++ ++ True ++ True ++ True ++ changesStore ++ False ++ False ++ 0 ++ ++ ++ + +- ++ ++ ++ ++ ++ + +- +- +- +- + +- +- +- 1 +- ++ ++ ++ ++ ++ 1 ++ ++ ++ + + + +-- +2.5.5 + diff --git a/SOURCES/clear_error_info_1349446.patch b/SOURCES/clear_error_info_1349446.patch new file mode 100644 index 0000000..b7bb359 --- /dev/null +++ b/SOURCES/clear_error_info_1349446.patch 
@@ -0,0 +1,27 @@
+From bb3034ff76daeba590c6a206c75b99720f506a2c Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Thu, 30 Jun 2016 10:40:48 +0200
+Subject: [PATCH] Clear spoke's info before setting an error (#1349446)
+
+Otherwise the previous error message is shown (if any) instead of the new one.
+
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index b630bd8..0539d5c 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -720,6 +720,7 @@ class OSCAPSpoke(NormalSpoke):
+ """Set or clear error message"""
+ if msg:
+ self._error = msg
++ self.clear_info()
+ self.set_error(msg)
+ else:
+ self._error = None
+--
+2.5.5
+
diff --git a/SOURCES/datastream_tailoring_1364929.patch b/SOURCES/datastream_tailoring_1364929.patch new file mode 100644
index 0000000..c199a26
--- /dev/null
+++ b/SOURCES/datastream_tailoring_1364929.patch
@@ -0,0 +1,74 @@ +From 03734db97a920a742375ad162b95d08b78866036 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Tue, 13 Sep 2016 17:23:37 +0200 +Subject: [PATCH] Properly handle tailoring files for datastreams + +We need to load the tailoring file and iterate over tailoring profiles like we +do for Benchmark+tailoring. + +Resolves: rhbz#1364929 +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/content_handling.py | 25 +++++++++++++++++++++---- + 1 file changed, 21 insertions(+), 4 deletions(-) + +diff --git a/org_fedora_oscap/content_handling.py b/org_fedora_oscap/content_handling.py +index 0921ad9..fa4266b 100644 +--- a/org_fedora_oscap/content_handling.py ++++ b/org_fedora_oscap/content_handling.py +@@ -151,6 +151,9 @@ class DataStreamHandler(object): + # is used to speed up getting lists of profiles + self._profiles_cache = dict() + ++ # store the tailoring file path (if any) for later use ++ self._tailoring_file_path = tailoring_file_path ++ + if not os.path.exists(dsc_file_path): + msg = "Invalid file path: '%s'" % dsc_file_path + raise DataStreamHandlingError(msg) +@@ -165,10 +168,6 @@ class DataStreamHandler(object): + if OSCAP.xccdf_session_load(self._session) != 0: + raise DataStreamHandlingError(OSCAP.oscap_err_desc()) + +- if tailoring_file_path: +- OSCAP.xccdf_session_set_user_tailoring_file(self._session, +- tailoring_file_path) +- + if not OSCAP.xccdf_session_is_sds(self._session): + msg = "'%s' is not a data stream collection" % dsc_file_path + raise DataStreamHandlingError(msg) +@@ -282,6 +281,11 @@ class DataStreamHandler(object): + + OSCAP.xccdf_session_set_datastream_id(self._session, data_stream_id) + OSCAP.xccdf_session_set_component_id(self._session, checklist_id) ++ ++ if self._tailoring_file_path: ++ OSCAP.xccdf_session_set_user_tailoring_file(self._session, ++ self._tailoring_file_path) ++ + if OSCAP.xccdf_session_load(self._session) != 0: + raise DataStreamHandlingError(OSCAP.oscap_err_desc()) + +@@ -305,6 +309,19 @@ 
class DataStreamHandler(object): + + profiles.append(info) + ++ if self._tailoring_file_path: ++ tailoring = OSCAP.xccdf_policy_model_get_tailoring(policy_model) ++ profile_itr = OSCAP.xccdf_tailoring_get_profiles(tailoring) ++ while OSCAP.xccdf_profile_iterator_has_more(profile_itr): ++ profile = OSCAP.xccdf_profile_iterator_next(profile_itr) ++ ++ id_ = OSCAP.xccdf_profile_get_id(profile) ++ title = oscap_text_itr_get_text(OSCAP.xccdf_profile_get_title(profile)) ++ desc = oscap_text_itr_get_text(OSCAP.xccdf_profile_get_description(profile)) ++ info = ProfileInfo(id_, title, desc) ++ ++ profiles.append(info) ++ + OSCAP.xccdf_profile_iterator_free(profile_itr) + + # cache the result +-- +2.7.4 + diff --git a/SOURCES/disable_yum_gpg_1263216.patch b/SOURCES/disable_yum_gpg_1263216.patch new file mode 100644 index 0000000..5e5f5ed --- /dev/null +++ b/SOURCES/disable_yum_gpg_1263216.patch 
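Review bot: In the last hunk of datastream_tailoring_1364929.patch (`@@ -305,6 +309,19 @@`), the new tailoring loop rebinds `profile_itr`, so the `OSCAP.xccdf_profile_iterator_free(profile_itr)` that follows frees only the tailoring iterator; if the benchmark loop above the hunk uses the same name, as the trailing free suggests, that first iterator is never released. The result of `OSCAP.xccdf_policy_model_get_tailoring(policy_model)` is also used without a check, so a tailoring file that failed to load would presumably reach `xccdf_tailoring_get_profiles` as an empty handle. I would give the second iterator its own name and free it inside the `if`, e.g. `tailoring_itr = OSCAP.xccdf_tailoring_get_profiles(tailoring)` with a matching `OSCAP.xccdf_profile_iterator_free(tailoring_itr)`, and raise `DataStreamHandlingError` when `tailoring` is empty. The enclosing method starts and ends outside the hunk.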
@@ -0,0 +1,33 @@
+From f8e5c1c38ef7a8813bbeaca15265f338ecdeb8aa Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Wed, 25 May 2016 15:48:42 +0200
+Subject: [PATCH 07/13] Disable GPG checks when installing content to the
+ system
+
+When we are installing the SCAP content as an RPM package we are likely to be
+missing some GPG keys. And since there are other means how to check the content
+integrity and authenticity plus the fact we have already used the content for the
+installation phase, the GPG check can be just turned off to prevent issues like
+the one described in the bug.
+
+Resolves: rhbz#1263216
+---
+ org_fedora_oscap/ks/oscap.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
+index 83b3103..2b0fa3e 100644
+--- a/org_fedora_oscap/ks/oscap.py
++++ b/org_fedora_oscap/ks/oscap.py
+@@ -525,7 +525,7 @@ class OSCAPdata(AddonData):
+ shutil.copy2(self.raw_preinst_content_path, target_content_dir)
+
+ # and install it with yum
+- ret = iutil.execInSysroot("yum", ["-y", "install",
++ ret = iutil.execInSysroot("yum", ["-y", "--nogpg", "install",
+ self.raw_postinst_content_path])
+ if ret != 0:
+ raise common.ExtractionError("Failed to install content "
+--
+2.5.5
+
diff --git a/SOURCES/enforce_rootpw_1238281.patch b/SOURCES/enforce_rootpw_1238281.patch new file mode 100644
index 0000000..b01e0b8
--- /dev/null
+++ b/SOURCES/enforce_rootpw_1238281.patch
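Review bot: The added `"--nogpg"` in the `iutil.execInSysroot("yum", ...)` call of disable_yum_gpg_1263216.patch turns signature checking off for the whole yum transaction, not only for the local content package, so any dependency yum resolves from a repository for that package would also be installed unverified. The commit message relies on other integrity checks having been applied to the content, but nothing in this hunk ties the bypass to such a check having passed. I would spell the option out as `--nogpgcheck`, add a comment such as `# signature check skipped: this is the local copy already used in the installation phase`, and confirm that the content package cannot pull in repository packages. The enclosing method starts and ends outside the hunk.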
@@ -0,0 +1,112 @@ +From 62d2e9832561d590fdcfbcab8bd03f5cb31fd5d1 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Wed, 25 May 2016 08:53:17 +0200 +Subject: [PATCH 05/13] Enforce the minimal root password length + +With Anaconda supporting the pwpolicy command putting restrictions on (among the +other things) root password minimal length we can actually enforce the policy +given in the SCAP content in interactive installations. + +Resolves: rhbz#1238281 +--- + org_fedora_oscap/rule_handling.py | 50 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 44 insertions(+), 6 deletions(-) + +diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py +index 6a67e8a..a7bed22 100644 +--- a/org_fedora_oscap/rule_handling.py ++++ b/org_fedora_oscap/rule_handling.py +@@ -26,6 +26,8 @@ Module with various classes for handling pre-installation rules. + import optparse + import shlex + ++from pyanaconda.pwpolicy import F22_PwPolicyData ++ + from org_fedora_oscap import common + from org_fedora_oscap.common import OSCAPaddonError, RuleMessage + +@@ -35,6 +37,9 @@ __all__ = ["RuleData"] + import gettext + _ = lambda x: gettext.ldgettext("oscap-anaconda-addon", x) + ++import logging ++log = logging.getLogger("anaconda") ++ + # TODO: use set instead of list for mount options? 
+ def parse_csv(option, opt_str, value, parser): + for item in value.split(","): +@@ -392,6 +397,9 @@ class PasswdRules(RuleHandler): + """Constructor initializing attributes.""" + + self._minlen = 0 ++ self._created_policy = False ++ self._orig_minlen = None ++ self._orig_strict = None + + def __str__(self): + """Standard method useful for debugging and testing.""" +@@ -414,25 +422,55 @@ class PasswdRules(RuleHandler): + # no password restrictions, nothing to be done here + return [] + ++ ret = [] + if not ksdata.rootpw.password: + # root password was not set + +- # password length enforcement is not suported in the Anaconda yet + msg = _("make sure to create password with minimal length of %d " +- "characters" % self._minlen) +- return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)] ++ "characters") % self._minlen ++ ret = [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)] + else: + # root password set + if ksdata.rootpw.isCrypted: + msg = _("cannot check root password length (password is crypted)") ++ log.warning("cannot check root password length (password is crypted)") + return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)] + elif len(ksdata.rootpw.password) < self._minlen: + # too short + msg = _("root password is too short, a longer one with at " +- "least %d characters is required" % self._minlen) +- return [RuleMessage(common.MESSAGE_TYPE_FATAL, msg)] ++ "least %d characters is required") % self._minlen ++ ret = [RuleMessage(common.MESSAGE_TYPE_FATAL, msg)] + else: +- return [] ++ ret = [] ++ ++ # set the policy in any case (so that a weaker password is not entered) ++ pw_policy = ksdata.anaconda.pwpolicy.get_policy("root") ++ if pw_policy is None: ++ pw_policy = F22_PwPolicyData() ++ ksdata.anaconda.pwpolicy.policyList.append(pw_policy) ++ self._created_policy = True ++ ++ self._orig_minlen = pw_policy.minlen ++ self._orig_strict = pw_policy.strict ++ pw_policy.minlen = self._minlen ++ pw_policy.strict = True ++ ++ return ret ++ ++ def revert_changes(self, 
ksdata, storage): ++ """:see: RuleHander.revert_changes""" ++ ++ pw_policy = ksdata.anaconda.pwpolicy.get_policy("root") ++ if self._created_policy: ++ ksdata.anaconda.pwpolicy.policyList.remove(pw_policy) ++ self._created_policy = False ++ else: ++ if self._orig_minlen is not None: ++ pw_policy.minlen = self._orig_minlen ++ self._orig_minlen = None ++ if self._orig_strict is not None: ++ pw_policy.strict = self._orig_strict ++ self._orig_strict = None + + class PackageRules(RuleHandler): + """Simple class holding data from the rules affecting installed packages.""" +-- +2.5.5 + diff --git a/SOURCES/just_report_text_mode_1263207.patch b/SOURCES/just_report_text_mode_1263207.patch new file mode 100644 index 0000000..6c70c67 --- /dev/null +++ b/SOURCES/just_report_text_mode_1263207.patch 
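Review bot: In `PasswdRules.eval_rules` (enforce_rootpw_1238281.patch), the crypted-password branch still ends in `return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]`, so it leaves before the new block commented `# set the policy in any case`, and the minimum length is not applied to the root policy when the kickstart carries a hashed password. Replacing that return with `ret = [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]` would let the policy be set on that path too. Separately, `self._orig_minlen` and `self._orig_strict` are overwritten on every evaluation; if `eval_rules` can run twice without `revert_changes` in between (not visible here), the second run saves the already tightened values and a later revert restores those instead of the originals, which a guard like `if self._orig_minlen is None:` around the save would avoid. The method begins outside the hunk.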
@@ -0,0 +1,55 @@
+From 0e3bfd1eb771802edab0d5f72dc7a9e8538f2fa7 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 17 May 2016 14:35:39 +0200
+Subject: [PATCH 04/13] Just report misconfiguration instead of crashing in
+ text mode
+
+User should get to know what happened, but crashing and showing a traceback is
+not really a great way to do it. Showing a text "dialog" with all the
+information we have is much better.
+
+Resolves: rhbz#1263207
+---
+ org_fedora_oscap/ks/oscap.py | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
+index 5c29d4a..44c442f 100644
+--- a/org_fedora_oscap/ks/oscap.py
++++ b/org_fedora_oscap/ks/oscap.py
+@@ -466,10 +466,28 @@ class OSCAPdata(AddonData):
+
+ # evaluate rules, do automatic fixes and stop if something that cannot
+ # be fixed automatically is wrong
+- messages = self.rule_data.eval_rules(ksdata, storage)
+- if any(message.type == common.MESSAGE_TYPE_FATAL
+- for message in messages):
+- raise MisconfigurationError("Wrong configuration detected!")
++ fatal_messages = [message for message in self.rule_data.eval_rules(ksdata, storage)
++ if message.type == common.MESSAGE_TYPE_FATAL]
++ if any(fatal_messages):
++ msg = "Wrong configuration detected!\n"
++ msg += "\n".join(message.text for message in fatal_messages)
++ msg += "\nThe installation should be aborted. Do you wish to continue anyway?"
++ if flags.flags.automatedInstall and not flags.flags.ksprompt:
++ # cannot have ask in a non-interactive kickstart installation
++ raise errors.CmdlineError(msg)
++
++ answ = errors.errorHandler.ui.showYesNoQuestion(msg)
++ if answ == errors.ERROR_CONTINUE:
++ # prevent any futher actions here by switching to the dry
++ # run mode and let things go on
++ self.dry_run = True
++ return
++ else:
++ # Let's sleep forever to prevent any further actions and wait for
++ # the main thread to quit the process.
++ progressQ.send_quit(1)
++ while True:
++ time.sleep(100000)
+
+ # add packages needed on the target system to the list of packages
+ # that are requested to be installed
+--
+2.5.5
+
diff --git a/SOURCES/new_method_signature_1288636.patch b/SOURCES/new_method_signature_1288636.patch new file mode 100644
index 0000000..d264e12
--- /dev/null
+++ b/SOURCES/new_method_signature_1288636.patch
@@ -0,0 +1,37 @@
+From 377eec1071b6a9e50973ba61fc1b0f5e23ec043d Mon Sep 17 00:00:00 2001
+From: Jiri Konecny
+Date: Mon, 25 Apr 2016 16:06:27 +0200
+Subject: [PATCH 01/13] Use new method signature with payload class (#1288636)
+
+You can now use payload class in setup() and execute() methods.
+
+Related: rhbz#1288636
+---
+ org_fedora_oscap/ks/oscap.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
+index df92018..38ea5cc 100644
+--- a/org_fedora_oscap/ks/oscap.py
++++ b/org_fedora_oscap/ks/oscap.py
+@@ -388,7 +388,7 @@ class OSCAPdata(AddonData):
+ for rule in rules.splitlines():
+ self.rule_data.new_rule(rule)
+
+- def setup(self, storage, ksdata, instclass):
++ def setup(self, storage, ksdata, instclass, payload):
+ """
+ The setup method that should make changes to the runtime environment
+ according to the data stored in this object.
+@@ -480,7 +480,7 @@ class OSCAPdata(AddonData):
+ if pkg not in ksdata.packages.packageList:
+ ksdata.packages.packageList.append(pkg)
+
+- def execute(self, storage, ksdata, instclass, users):
++ def execute(self, storage, ksdata, instclass, users, payload):
+ """
+ The execute method that should make changes to the installed system. It
+ is called only once in the post-install setup phase.
+--
+2.5.5
+
diff --git a/SOURCES/no_crash_extract_error_1263315.patch b/SOURCES/no_crash_extract_error_1263315.patch new file mode 100644
index 0000000..d20bc83
--- /dev/null
+++ b/SOURCES/no_crash_extract_error_1263315.patch
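Review bot: In the `@@ -466,10 +466,28 @@` hunk of just_report_text_mode_1263207.patch, answering yes sets `self.dry_run = True` and returns without writing anything to the log, so an installation that went ahead despite fatal policy findings leaves no record of the override or of the findings. A line such as `log.warning("Continuing in dry-run mode despite fatal SCAP findings: %s", msg)` before the assignment would keep that trace. The patch consists of this single hunk and adds no imports, so `flags`, `errors`, `progressQ` and `time` must already be in scope in ks/oscap.py, which cannot be confirmed from here. `if any(fatal_messages):` reads more plainly as `if fatal_messages:`. The enclosing method starts and ends outside the hunk.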
@@ -0,0 +1,51 @@
+From 7c4ffe3b7dc35f6ceb2f97b985f6d6f9b25ba4c0 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Wed, 25 May 2016 18:24:02 +0200
+Subject: [PATCH 08/13] Avoid crashes on extraction errors
+
+If there is an IOError or some problem with the cpio archive, we need to
+transform the exception into our own so that it is properly caught and processed
+in the best possible way in the UI layer.
+
+Resolves: rhbz#1263315
+---
+ org_fedora_oscap/common.py | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
+index 8b2e84f..684f8ab 100644
+--- a/org_fedora_oscap/common.py
++++ b/org_fedora_oscap/common.py
+@@ -403,17 +403,20 @@ def _extract_rpm(rpm_path, root="/", ensure_has_files=None):
+ msg = "File '%s' not found in the archive '%s'" % (fpath, rpm_path)
+ raise ExtractionError(msg)
+
+- for entry in entries:
+- dirname = os.path.dirname(entry.name.lstrip("."))
+- out_dir = os.path.normpath(root + dirname)
+- utils.ensure_dir_exists(out_dir)
++ try:
++ for entry in entries:
++ dirname = os.path.dirname(entry.name.lstrip("."))
++ out_dir = os.path.normpath(root + dirname)
++ utils.ensure_dir_exists(out_dir)
+
+- out_fpath = os.path.normpath(root + entry.name.lstrip("."))
+- with open(out_fpath, "wb") as out_file:
+- buf = entry.read(IO_BUF_SIZE)
+- while buf:
+- out_file.write(buf)
++ out_fpath = os.path.normpath(root + entry.name.lstrip("."))
++ with open(out_fpath, "wb") as out_file:
+ buf = entry.read(IO_BUF_SIZE)
++ while buf:
++ out_file.write(buf)
++ buf = entry.read(IO_BUF_SIZE)
++ except (IOError, cpioarchive.CpioError) as e:
++ raise ExtractionError(e)
+
+ # cleanup
+ archive.close()
+--
+2.5.5
+
diff --git a/SOURCES/not_fail_on_invalid_profiles_1365130.patch b/SOURCES/not_fail_on_invalid_profiles_1365130.patch new file mode 100644
index 0000000..e5c5204
--- /dev/null
+++ b/SOURCES/not_fail_on_invalid_profiles_1365130.patch
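Review bot: The new `except (IOError, cpioarchive.CpioError) as e:` handler in no_crash_extract_error_1263315.patch raises `ExtractionError(e)` and so leaves `_extract_rpm` before the `archive.close()` under `# cleanup`, which means the archive stays open on exactly the failure paths this patch introduces. Calling `archive.close()` in the handler before the raise, or moving the close into a `finally:` attached to the new `try`, would release it on both paths. The function starts and ends outside the hunk.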
@@ -0,0 +1,74 @@ +From caa5b6a14c6c8175a3f4639df0863271564d16b2 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Tue, 23 Aug 2016 14:16:15 +0200 +Subject: [PATCH 2/3] Beware of the invalid profiles + +If a profile we cannot get pre-installation rules for is chosen we need to just +inform the user instead of crashing. + +Resolves: rhbz#1365130 +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/gui/spokes/oscap.py | 28 ++++++++++++++++------------ + 1 file changed, 16 insertions(+), 12 deletions(-) + +diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py +index 8f94601..35f7a75 100644 +--- a/org_fedora_oscap/gui/spokes/oscap.py ++++ b/org_fedora_oscap/gui/spokes/oscap.py +@@ -581,12 +581,12 @@ class OSCAPSpoke(NormalSpoke): + + """ + ++ self._message_store.clear() ++ + if not self._rule_data: + # RuleData instance not initialized, cannot do anything + return + +- self._message_store.clear() +- + messages = self._rule_data.eval_rules(self.data, self._storage, + report_only) + if not messages: +@@ -660,12 +660,6 @@ class OSCAPSpoke(NormalSpoke): + # no profile specified, nothing to do + return False + +- itr = self._profiles_store.get_iter_first() +- while itr: +- if self._profiles_store[itr][0] == profile_id: +- self._profiles_store.set_value(itr, 2, True) +- itr = self._profiles_store.iter_next(itr) +- + if self._using_ds: + ds = self._current_ds_id + xccdf = self._current_xccdf_id +@@ -678,10 +672,20 @@ class OSCAPSpoke(NormalSpoke): + xccdf = None + + # get pre-install fix rules from the content +- rules = common.get_fix_rules_pre(profile_id, +- self._addon_data.preinst_content_path, +- ds, xccdf, +- self._addon_data.preinst_tailoring_path) ++ try: ++ rules = common.get_fix_rules_pre(profile_id, ++ self._addon_data.preinst_content_path, ++ ds, xccdf, ++ self._addon_data.preinst_tailoring_path) ++ except common.OSCAPaddonError: ++ self._set_error("Failed to get rules for the profile '%s'" % profile_id) ++ return 
False ++ ++ itr = self._profiles_store.get_iter_first() ++ while itr: ++ if self._profiles_store[itr][0] == profile_id: ++ self._profiles_store.set_value(itr, 2, True) ++ itr = self._profiles_store.iter_next(itr) + + # parse and store rules with a clean RuleData instance + self._rule_data = rule_handling.RuleData() +-- +2.7.4 + diff --git a/SOURCES/noverifyssl_1263257.patch b/SOURCES/noverifyssl_1263257.patch new file mode 100644 index 0000000..9f409f0 --- /dev/null +++ b/SOURCES/noverifyssl_1263257.patch 
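Review bot: The new `except common.OSCAPaddonError:` handler in the `@@ -678,10 +672,20 @@` hunk of not_fail_on_invalid_profiles_1365130.patch discards the exception, so the reason the rules could not be read is neither shown nor logged, and the text passed to `_set_error` is not wrapped in `_()` like the other user-visible strings in this spoke. I would bind the exception and translate the message, e.g. `except common.OSCAPaddonError as e:` with `self._set_error(_("Failed to get rules for the profile '%s'") % profile_id)`, and write `e` to the installer log. The enclosing method starts and ends outside the hunk.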
@@ -0,0 +1,51 @@
+From 8fd9cbf91bb7190450531b25a3806c5b7f69744e Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 17 May 2016 12:13:40 +0200
+Subject: [PATCH 03/13] Do not verify SSL if inst.noverifyssl was given
+
+inst.noverifyssl is a boot/cmdline option which should take precedence over
+everything specified in the kickstart or UI.
+
+Resolves: rhbz#1263257
+---
+ org_fedora_oscap/data_fetch.py | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/org_fedora_oscap/data_fetch.py b/org_fedora_oscap/data_fetch.py
+index 21edd0f..7336025 100644
+--- a/org_fedora_oscap/data_fetch.py
++++ b/org_fedora_oscap/data_fetch.py
+@@ -9,8 +9,14 @@ import os
+ import os.path
+ import pycurl
+
++from pyanaconda.flags import flags as ana_flags
++
+ from org_fedora_oscap import utils
+
++import logging
++log = logging.getLogger("anaconda")
++
++
+ # everything else should be private
+ __all__ = ["fetch_data", "can_fetch_from"]
+
+@@ -150,8 +156,15 @@ def _fetch_http_ftp_data(url, out_file, ca_certs=None):
+ if ca_certs and protocol == "https":
+ # the strictest verification
+ curl.setopt(pycurl.SSL_VERIFYHOST, 2)
++ curl.setopt(pycurl.SSL_VERIFYPEER, 1)
+ curl.setopt(pycurl.CAINFO, ca_certs)
+
++ # may be turned off by flags (specified on command line, take precedence)
++ if ana_flags.noverifyssl:
++ log.warning("Disabling SSL verification due to the noverifyssl flag")
++ curl.setopt(pycurl.SSL_VERIFYHOST, 0)
++ curl.setopt(pycurl.SSL_VERIFYPEER, 0)
++
+ try:
+ with open(out_file, "w") as fobj:
+ curl.setopt(pycurl.WRITEDATA, fobj)
+--
+2.5.5
+
diff --git a/SOURCES/only_create_file_once_1263315.patch b/SOURCES/only_create_file_once_1263315.patch new file mode 100644
index 0000000..a783380
--- /dev/null
+++ b/SOURCES/only_create_file_once_1263315.patch
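Review bot: The new `if ana_flags.noverifyssl:` block in `_fetch_http_ftp_data` (noverifyssl_1263257.patch) logs that verification is disabled but not for which URL, and it runs for every protocol rather than only when `protocol == "https"`. Since the fetched file is security content that later drives the installation, the log should identify each transfer that skipped certificate checks: `if ana_flags.noverifyssl and protocol == "https":` with `log.warning("Disabling SSL verification for '%s' due to the noverifyssl flag", url)`. The function starts and ends outside the hunk.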
@@ -0,0 +1,30 @@
+From b4b856cf69d43a8018061453ec881757c81ba389 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Wed, 25 May 2016 18:29:52 +0200
+Subject: [PATCH 09/13] Do not try to create a single file multiple times
+
+When extracting the archive, we may apparently get into a situation when we try
+to extract a file or directory, that's already extracted/existing. Just skip
+such a file/directory instead of causing a failure of the extraction process.
+
+Related: rhbz#1263315
+---
+ org_fedora_oscap/common.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
+index 684f8ab..6f95b2d 100644
+--- a/org_fedora_oscap/common.py
++++ b/org_fedora_oscap/common.py
+@@ -410,6 +410,8 @@ def _extract_rpm(rpm_path, root="/", ensure_has_files=None):
+ utils.ensure_dir_exists(out_dir)
+
+ out_fpath = os.path.normpath(root + entry.name.lstrip("."))
++ if os.path.exists(out_fpath):
++ continue
+ with open(out_fpath, "wb") as out_file:
+ buf = entry.read(IO_BUF_SIZE)
+ while buf:
+--
+2.5.5
+
diff --git a/SOURCES/oscap-anaconda-centos-paths.patch b/SOURCES/oscap-anaconda-centos-paths.patch deleted file mode 100644
index 609c90b..0000000
--- a/SOURCES/oscap-anaconda-centos-paths.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
-index f1aba4c..7873b50 100644
---- org_fedora_oscap/common.py
-+++ org_fedora_oscap/common.py
-@@ -48,8 +48,8 @@ __all__ = ["run_oscap_remediate", "get_fix_rules_pre", "wait_and_fetch_net_data"
- INSTALLATION_CONTENT_DIR = "/tmp/openscap_data/"
- TARGET_CONTENT_DIR = "/root/openscap_data/"
-
--SSG_DIR = "/usr/share/xml/scap/ssg/fedora/"
--SSG_XCCDF = "ssg-fedora-xccdf.xml"
-+SSG_DIR = "/usr/share/xml/scap/ssg/content/"
-+SSG_XCCDF = "ssg-centos7-xccdf.xml"
-
- RESULTS_PATH = utils.join_paths(TARGET_CONTENT_DIR, "eval_remediate_results.xml")
-
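Review bot: In the `_extract_rpm` hunk of only_create_file_once_1263315.patch, the new `os.path.exists(out_fpath)` guard silently keeps whatever is already at that path, so a stale or unrelated file is used in place of the archive's copy and nothing records the skip. The same lines still build `out_fpath` from `root + entry.name.lstrip(".")` without checking that the normalized result stays under `root`, so an entry name containing `..` components would normalize to a path outside it. I would add a containment check before the open, e.g. `if os.path.relpath(out_fpath, root).split(os.sep)[0] == os.pardir: raise ExtractionError("Entry '%s' escapes '%s'" % (entry.name, root))`, and log each skipped path. The function starts and ends outside the hunk.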
diff --git a/SOURCES/rootpw_fix_gui_1265116.patch b/SOURCES/rootpw_fix_gui_1265116.patch new file mode 100644
index 0000000..5a28c7c
--- /dev/null
+++ b/SOURCES/rootpw_fix_gui_1265116.patch
@@ -0,0 +1,229 @@ +From 5e7a6e648c85cf923093ebac6448be82ba032448 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Wed, 25 May 2016 10:58:54 +0200 +Subject: [PATCH 06/13] Allow fixing root password in graphical installations + +If the root password from kickstart is too short we can give users a chance to +enter a new (better) one in case of graphical installation. Text mode doesn't +allow for this because the root password configuration happens before the SCAP +content is evaluated. + +Resolves: rhbz#1265116 +--- + org_fedora_oscap/common.py | 3 ++- + org_fedora_oscap/gui/spokes/oscap.py | 39 +++++++++++++++++++++++++++++++----- + org_fedora_oscap/rule_handling.py | 29 ++++++++++++++++----------- + 3 files changed, 53 insertions(+), 18 deletions(-) + +diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py +index d09ccbd..8b2e84f 100644 +--- a/org_fedora_oscap/common.py ++++ b/org_fedora_oscap/common.py +@@ -82,9 +82,10 @@ MESSAGE_TYPE_WARNING = 1 + MESSAGE_TYPE_INFO = 2 + + # namedtuple for messages returned from the rules evaluation ++# origin -- class (inherited from RuleHandler) that generated the message + # type -- one of the MESSAGE_TYPE_* constants defined above + # text -- the actual message that should be displayed, logged, ... 
+-RuleMessage = namedtuple("RuleMessage", ["type", "text"]) ++RuleMessage = namedtuple("RuleMessage", ["origin", "type", "text"]) + + def get_fix_rules_pre(profile, fpath, ds_id="", xccdf_id="", tailoring=""): + """ +diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py +index 3b8dbd7..42fc406 100644 +--- a/org_fedora_oscap/gui/spokes/oscap.py ++++ b/org_fedora_oscap/gui/spokes/oscap.py +@@ -200,6 +200,11 @@ class OSCAPSpoke(NormalSpoke): + # leaving the spoke + self._rule_data = None + ++ # used for storing previously set root password if we need to remove it ++ # due to the chosen policy (so that we can put it back in case of ++ # revert) ++ self.__old_root_pw = None ++ + # used to check if the profile was changed or not + self._active_profile = None + +@@ -584,20 +589,43 @@ class OSCAPSpoke(NormalSpoke): + # no messages from the rules, add a message informing about that + if not self._active_profile: + # because of no profile +- message = common.RuleMessage(common.MESSAGE_TYPE_INFO, +- _("No profile selected")) ++ message = common.RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, ++ _("No profile selected")) + else: + # because of no pre-inst rules +- message = common.RuleMessage(common.MESSAGE_TYPE_INFO, +- _("No rules for the pre-installation phase")) ++ message = common.RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, ++ _("No rules for the pre-installation phase")) + self._add_message(message) + + # nothing more to be done + return + ++ self._resolve_rootpw_issues(messages, report_only) + for msg in messages: + self._add_message(msg) + ++ def _resolve_rootpw_issues(self, messages, report_only): ++ """Mitigate root password issues (which are not fatal in GUI)""" ++ fatal_rootpw_msgs = [msg for msg in messages ++ if msg.origin == rule_handling.PasswdRules and msg.type == common.MESSAGE_TYPE_FATAL] ++ if fatal_rootpw_msgs: ++ for msg in fatal_rootpw_msgs: ++ # cannot just change the message type because it is a 
namedtuple ++ messages.remove(msg) ++ messages.append(common.RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, msg.text)) ++ if not report_only: ++ self.__old_root_pw = self.data.rootpw.password ++ self.data.rootpw.password = None ++ self.__old_root_pw_seen = self.data.rootpw.password.seen ++ self.data.rootpw.password.seen = False ++ ++ def _revert_rootpw_changes(self): ++ if self.__old_root_pw is not None: ++ self.data.rootpw.password = self.__old_root_pw ++ self.data.rootpw.password.seen = self.__old_root_pw_seen ++ self.__old_root_pw = None ++ self.__old_root_pw_seen = None ++ + @gtk_action_wait + def _unselect_profile(self, profile_id): + """Unselects the given profile.""" +@@ -615,6 +643,7 @@ class OSCAPSpoke(NormalSpoke): + if self._rule_data: + # revert changes and clear rule_data (no longer valid) + self._rule_data.revert_changes(self.data, self._storage) ++ self._revert_rootpw_changes() + self._rule_data = None + + self._active_profile = None +@@ -769,7 +798,7 @@ class OSCAPSpoke(NormalSpoke): + + # no messages in the dry-run mode + self._message_store.clear() +- message = common.RuleMessage(common.MESSAGE_TYPE_INFO, ++ message = common.RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, + _("Not applying security policy")) + self._add_message(message) + +diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py +index a7bed22..2d58efe 100644 +--- a/org_fedora_oscap/rule_handling.py ++++ b/org_fedora_oscap/rule_handling.py +@@ -223,6 +223,11 @@ class RuleData(RuleHandler): + if opts.passwd: + self._bootloader_rules.require_password() + ++ @property ++ def passwd_rules(self): ++ # needed for fixups in GUI ++ return self._passwd_rules ++ + class PartRules(RuleHandler): + """Simple class holding data from the rules affecting partitioning.""" + +@@ -324,7 +329,7 @@ class PartRule(RuleHandler): + if self._mount_point not in storage.mountpoints: + msg = _("%s must be on a separate partition or logical " + "volume" % 
self._mount_point) +- messages.append(RuleMessage(common.MESSAGE_TYPE_FATAL, msg)) ++ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL, msg)) + + # mount point doesn't exist, nothing more can be found here + return messages +@@ -337,7 +342,7 @@ class PartRule(RuleHandler): + for opt in self._added_mount_options: + msg = msg_tmpl % { "mount_option": opt, + "mount_point": self._mount_point } +- messages.append(RuleMessage(common.MESSAGE_TYPE_INFO, msg)) ++ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) + + # mount point to be created during installation + target_mount_point = storage.mountpoints[self._mount_point] +@@ -352,7 +357,7 @@ class PartRule(RuleHandler): + "mount_point": self._mount_point } + + # add message for the mount option in any case +- messages.append(RuleMessage(common.MESSAGE_TYPE_INFO, msg)) ++ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) + + # add new options to the target mount point if not reporting only + if not report_only: +@@ -428,18 +433,18 @@ class PasswdRules(RuleHandler): + + msg = _("make sure to create password with minimal length of %d " + "characters") % self._minlen +- ret = [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)] ++ ret = [RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, msg)] + else: + # root password set + if ksdata.rootpw.isCrypted: + msg = _("cannot check root password length (password is crypted)") + log.warning("cannot check root password length (password is crypted)") +- return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)] ++ return [RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, msg)] + elif len(ksdata.rootpw.password) < self._minlen: + # too short + msg = _("root password is too short, a longer one with at " + "least %d characters is required") % self._minlen +- ret = [RuleMessage(common.MESSAGE_TYPE_FATAL, msg)] ++ ret = [RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL, msg)] + else: + ret = [] + +@@ -532,7 
+537,7 @@ class PackageRules(RuleHandler): + for pkg in self._added_pkgs: + msg = _("package '%s' has been added to the list of to be installed " + "packages" % pkg) +- messages.append(RuleMessage(common.MESSAGE_TYPE_INFO, msg)) ++ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) + + # packages, that should be added + packages_to_add = (pkg for pkg in self._add_pkgs +@@ -546,7 +551,7 @@ class PackageRules(RuleHandler): + + msg = _("package '%s' has been added to the list of to be installed " + "packages" % pkg) +- messages.append(RuleMessage(common.MESSAGE_TYPE_INFO, msg)) ++ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) + + ### now do the same for the packages that should be excluded + +@@ -554,7 +559,7 @@ class PackageRules(RuleHandler): + for pkg in self._removed_pkgs: + msg = _("package '%s' has been added to the list of excluded " + "packages" % pkg) +- messages.append(RuleMessage(common.MESSAGE_TYPE_INFO, msg)) ++ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) + + # packages, that should be added + packages_to_remove = (pkg for pkg in self._remove_pkgs +@@ -568,7 +573,7 @@ class PackageRules(RuleHandler): + + msg = _("package '%s' has been added to the list of excluded " + "packages" % pkg) +- messages.append(RuleMessage(common.MESSAGE_TYPE_INFO, msg)) ++ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) + + return messages + +@@ -618,8 +623,8 @@ class BootloaderRules(RuleHandler): + # Anaconda doesn't provide a way to set bootloader password, so + # users cannot do much about that --> we shouldn't stop the + # installation, should we? +- return [RuleMessage(common.MESSAGE_TYPE_WARNING, +- "boot loader password not set up")] ++ return [RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, ++ "boot loader password not set up")] + else: + return [] + +-- +2.5.5 + 
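Review bot: `_resolve_rootpw_issues` rewrites every FATAL message whose origin is `PasswdRules` into a WARNING, and it does so even when `report_only` is true, where (as far as the collapsed indentation shows) the too-short password stays in `self.data.rootpw.password`. If a report-only evaluation can be the last one before installation, a weak kickstart password would then pass with only a warning; guarding the rewrite as well, `if fatal_rootpw_msgs and not report_only:`, keeps the message fatal unless the password is actually cleared. The match on origin alone also softens any other fatal that `PasswdRules` may emit in future, which deserves a sentence in the method's docstring. `self.__old_root_pw_seen` is first assigned in this method and should be initialised in `__init__` next to `self.__old_root_pw = None`.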
diff --git a/SOURCES/scrollable_profiles_view_1263582.patch b/SOURCES/scrollable_profiles_view_1263582.patch new file mode 100644 index 0000000..c5b06cd --- /dev/null +++ b/SOURCES/scrollable_profiles_view_1263582.patch @@ -0,0 +1,103 @@ +From 582a39f0bd5bab5be2f72a8b6178b4bc1dacecd3 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Wed, 25 May 2016 19:16:19 +0200 +Subject: [PATCH 10/13] Make the list of profiles scrollable + +This prevents really weird things from happening in case there are many profiles +or even just a few with long descriptions. + +Resolves: rhbz#1263582 +--- + org_fedora_oscap/gui/spokes/oscap.glade | 69 ++++++++++++++++++--------------- + 1 file changed, 38 insertions(+), 31 deletions(-) + +diff --git a/org_fedora_oscap/gui/spokes/oscap.glade b/org_fedora_oscap/gui/spokes/oscap.glade +index 49c7dae..3737eba 100644 +--- a/org_fedora_oscap/gui/spokes/oscap.glade ++++ b/org_fedora_oscap/gui/spokes/oscap.glade +@@ -264,44 +264,51 @@ + + + +- ++ + True + True +- GDK_BUTTON_PRESS_MASK | GDK_STRUCTURE_MASK +- True +- True +- profilesStore +- False +- False +- 0 +- +- +- +- +- +- ++ in + +- +- Profile +- True ++ ++ True ++ True ++ GDK_BUTTON_PRESS_MASK | GDK_STRUCTURE_MASK ++ True ++ True ++ profilesStore ++ False ++ False ++ 0 ++ ++ ++ ++ ++ ++ + +- +- 110 +- word +- 110 +- 110 ++ ++ Profile ++ True ++ ++ ++ 110 ++ word ++ 110 ++ 110 ++ ++ ++ 1 ++ ++ + +- +- 1 +- + +- +- +- +- +- Selected + +- ++ ++ Selected ++ ++ ++ ++ + + + +-- +2.5.5 + diff --git a/SOURCES/seen_property_fix_1357603.patch b/SOURCES/seen_property_fix_1357603.patch new file mode 100644 index 0000000..2e00459 --- /dev/null +++ b/SOURCES/seen_property_fix_1357603.patch 
@@ -0,0 +1,38 @@
+From 1d9bfd13145273c14aac475fccc6b50b9957bc4b Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 23 Aug 2016 12:40:42 +0200
+Subject: [PATCH 1/3] Properly set the seen property for root passwords
+
+It is the property of the whole kickstart command object not the password
+string.
+
+Resolves: rhbz#1357603
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index 0539d5c..8f94601 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -620,13 +620,13 @@ class OSCAPSpoke(NormalSpoke):
+ if not report_only:
+ self.__old_root_pw = self.data.rootpw.password
+ self.data.rootpw.password = None
+- self.__old_root_pw_seen = self.data.rootpw.password.seen
+- self.data.rootpw.password.seen = False
++ self.__old_root_pw_seen = self.data.rootpw.seen
++ self.data.rootpw.seen = False
+
+ def _revert_rootpw_changes(self):
+ if self.__old_root_pw is not None:
+ self.data.rootpw.password = self.__old_root_pw
+- self.data.rootpw.password.seen = self.__old_root_pw_seen
++ self.data.rootpw.seen = self.__old_root_pw_seen
+ self.__old_root_pw = None
+ self.__old_root_pw_seen = None
+
+--
+2.7.4
+
diff --git a/SOURCES/stderr_not_fatal_1360765.patch b/SOURCES/stderr_not_fatal_1360765.patch
new file mode 100644
index 0000000..77c9a06
--- /dev/null
+++ b/SOURCES/stderr_not_fatal_1360765.patch
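Review bot: `_revert_rootpw_changes` restores the saved kickstart password unconditionally, so if a new root password has been entered after the policy cleared the old one, reverting the rule data would put the original, too-short password back. Restoring only when nothing has been set in the meantime, `if self.__old_root_pw is not None and self.data.rootpw.password is None:`, avoids that, with the two saved attributes still reset to None in either case. This assumes the root password screen writes to the same `self.data.rootpw` object, which is not visible in this hunk. The method also has no docstring; one line stating that it undoes `_resolve_rootpw_issues` would help.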
@@ -0,0 +1,39 @@
+From fb9c485418e59cfead3ab28d8ff8cfb7a19bba48 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 23 Aug 2016 22:19:18 +0200
+Subject: [PATCH 3/3] Don't require blank stderr when running the oscap tool
+
+It may report some warnings and complete successfully. It should be safe for us
+to rely on the exit code.
+
+Resolves: rhbz#1355756
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/common.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
+index 6f95b2d..1b3eaa5 100644
+--- a/org_fedora_oscap/common.py
++++ b/org_fedora_oscap/common.py
+@@ -147,7 +147,7 @@ def _run_oscap_gen_fix(profile, fpath, template, ds_id="", xccdf_id="",
+
+ # pylint thinks Popen has no attribute returncode
+ # pylint: disable-msg=E1101
+- if proc.returncode != 0 or stderr:
++ if proc.returncode != 0:
+ msg = "Failed to generate fix rules with the oscap tool: %s" % stderr
+ raise OSCAPaddonError(msg)
+
+@@ -224,7 +224,7 @@ def run_oscap_remediate(profile, fpath, ds_id="", xccdf_id="", tailoring="",
+ # save stdout?
+ # pylint thinks Popen has no attribute returncode
+ # pylint: disable-msg=E1101
+- if proc.returncode not in (0, 2) or stderr:
++ if proc.returncode not in (0, 2):
+ # 0 -- success; 2 -- no error, but checks/remediation failed
+ msg = "Content evaluation and remediation with the oscap tool "\
+ "failed: %s" % stderr
+--
+2.7.4
+
diff --git a/SOURCES/use_system_category_1269211.patch b/SOURCES/use_system_category_1269211.patch
new file mode 100644
index 0000000..29a2b09
--- /dev/null
+++ b/SOURCES/use_system_category_1269211.patch
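Review bot: With `or stderr` dropped from both checks, in `_run_oscap_gen_fix` and in `run_oscap_remediate`, whatever oscap writes to stderr on a run that exits 0 (or 2) is now discarded, so warnings about the security content never reach anyone reading the installer log afterwards. Log it on the success path, e.g. `if stderr: log.warning("oscap: %s", stderr)`, assuming the module has a logger; none is visible in these hunks. The patch message says `Resolves: rhbz#1355756` while the patch file name and the spec changelog use 1360765, so one of the references should be corrected. Both functions start and end outside the hunks.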
@@ -0,0 +1,100 @@ +From 52abf43ad1869bf1f0893f70a8c05b0b13d477e1 Mon Sep 17 00:00:00 2001 +From: Martin Kolman +Date: Tue, 17 May 2016 16:28:51 +0200 +Subject: [PATCH 13/13] Use the System hub category provided by Anaconda + +Use the Anaconda provides System category - that way the +OSCAP addon the more efficiently fit on the screen, +especially on low resolution displays. + +Also remove the Security category as it is no longer used anywhere. + +Related: rhbz#1269211 +--- + org_fedora_oscap/categories/__init__.py | 0 + org_fedora_oscap/categories/security.py | 39 --------------------------------- + org_fedora_oscap/gui/spokes/oscap.py | 4 ++-- + 3 files changed, 2 insertions(+), 41 deletions(-) + delete mode 100644 org_fedora_oscap/categories/__init__.py + delete mode 100644 org_fedora_oscap/categories/security.py + +diff --git a/org_fedora_oscap/categories/__init__.py b/org_fedora_oscap/categories/__init__.py +deleted file mode 100644 +index e69de29..0000000 +diff --git a/org_fedora_oscap/categories/security.py b/org_fedora_oscap/categories/security.py +deleted file mode 100644 +index 083cfb7..0000000 +--- a/org_fedora_oscap/categories/security.py ++++ /dev/null +@@ -1,39 +0,0 @@ +-# +-# Copyright (C) 2013 Red Hat, Inc. +-# +-# This copyrighted material is made available to anyone wishing to use, +-# modify, copy, or redistribute it subject to the terms and conditions of +-# the GNU General Public License v.2, or (at your option) any later version. +-# This program is distributed in the hope that it will be useful, but WITHOUT +-# ANY WARRANTY expressed or implied, including the implied warranties of +-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +-# Public License for more details. You should have received a copy of the +-# GNU General Public License along with this program; if not, write to the +-# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +-# 02110-1301, USA. 
Any Red Hat trademarks that are incorporated in the +-# source code or documentation are not subject to the GNU General Public +-# License and may only be used or replicated with the express permission of +-# Red Hat, Inc. +-# +-# Red Hat Author(s): Vratislav Podzimek +-# +- +-N_ = lambda x: x +- +-from pyanaconda.ui.categories import SpokeCategory +- +-__all__ = ["SecurityCategory"] +- +-class SecurityCategory(SpokeCategory): +- """ +- Class for the Hello world category. Category groups related spokes +- together. Both logically and visually (creates a box on a hub). It +- references a class of the hub it is supposed to be placed on. On the +- other hand spokes reference a class of the category they should be +- included in. +- +- """ +- +- displayOnHubGUI = "SummaryHub" +- displayOnHubTUI = "SummaryHub" +- title = N_("SECURITY") +diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py +index 42fc406..e488a1b 100644 +--- a/org_fedora_oscap/gui/spokes/oscap.py ++++ b/org_fedora_oscap/gui/spokes/oscap.py +@@ -27,7 +27,6 @@ N_ = lambda x: x + + # the path to addons is in sys.path so we can import things + # from org_fedora_oscap +-from org_fedora_oscap.categories.security import SecurityCategory + from org_fedora_oscap import common + from org_fedora_oscap import data_fetch + from org_fedora_oscap import rule_handling +@@ -41,6 +40,7 @@ from pyanaconda.ui.gui.spokes import NormalSpoke + from pyanaconda.ui.communication import hubQ + from pyanaconda.ui.gui.utils import gtk_action_wait, really_hide, really_show + from pyanaconda.ui.gui.utils import set_treeview_selection, fire_gtk_action, GtkActionList ++from pyanaconda.ui.categories.system import SystemCategory + + from pykickstart.errors import KickstartValueError + +@@ -158,7 +158,7 @@ class OSCAPSpoke(NormalSpoke): + helpFile = "SecurityPolicySpoke.xml" + + # category this spoke belongs to +- category = SecurityCategory ++ category = SystemCategory + + # spoke icon (will be 
displayed on the hub) + # preferred are the -symbolic icons as these are used in Anaconda's spokes +-- +2.5.5 + diff --git a/SPECS/oscap-anaconda-addon.spec b/SPECS/oscap-anaconda-addon.spec index 14c0de0..5cf6d1a 100644 --- a/SPECS/oscap-anaconda-addon.spec +++ b/SPECS/oscap-anaconda-addon.spec @@ -1,6 +1,6 @@ Name: oscap-anaconda-addon Version: 0.7 -Release: 8%{?dist}.1 +Release: 12%{?dist} Summary: Anaconda addon integrating OpenSCAP to the installation process License: GPLv2+ @@ -14,7 +14,7 @@ URL: https://git.fedorahosted.org/cgit/oscap-anaconda-addon.git # git clone https://github.com/OpenSCAP/oscap-anaconda-addon.git Source0: %{name}-%{version}.tar.gz -Patch0: oscap-anaconda-centos-paths.patch +Patch0: change_ssg_paths.patch Patch1: word_wrap_profile_desc_1236644.patch Patch2: newline_after_addon_section_1238267.patch Patch3: no_profile_handling_1235750.patch @@ -42,6 +42,24 @@ Patch24: oscap_info_continue_1255075.patch Patch25: ds_xccdf_ids_hide_1254876.patch Patch26: no_profile_no_data_dir_1254973.patch Patch27: short_root_pw_1263254.patch +Patch28: new_method_signature_1288636.patch +Patch29: catch_fetch_error_1263239.patch +Patch30: noverifyssl_1263257.patch +Patch31: just_report_text_mode_1263207.patch +Patch32: enforce_rootpw_1238281.patch +Patch33: rootpw_fix_gui_1265116.patch +Patch34: disable_yum_gpg_1263216.patch +Patch35: no_crash_extract_error_1263315.patch +Patch36: only_create_file_once_1263315.patch +Patch37: scrollable_profiles_view_1263582.patch +Patch38: changes_view_scrollable_1263582.patch +Patch39: anaconda_settle_1265552.patch +Patch40: use_system_category_1269211.patch +Patch41: clear_error_info_1349446.patch +Patch42: seen_property_fix_1357603.patch +Patch43: not_fail_on_invalid_profiles_1365130.patch +Patch44: stderr_not_fatal_1360765.patch +Patch45: datastream_tailoring_1364929.patch BuildArch: noarch BuildRequires: gettext 
@@ -90,6 +108,24 @@ content. %patch25 -p1 %patch26 -p1 %patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 +%patch38 -p1 +%patch39 -p1 +%patch40 -p1 +%patch41 -p1 +%patch42 -p1 +%patch43 -p1 +%patch44 -p1 +%patch45 -p1 %build 
@@ -107,8 +143,49 @@ make install DESTDIR=%{buildroot} %doc COPYING ChangeLog README %changelog -* Mon Dec 7 2015 Karanbir Singh - 0.7-8.el7.centos.1 -- Ensure its checking the centos path ( Brian Stinson ) +* Tue Sep 13 2016 Vratislav Podzimek - 0.7-12 +- Properly handle tailoring files for datastreams + Resolves: rhbz#1364929 + +* Thu Aug 25 2016 Vratislav Podzimek - 0.7-11 +- Don't require blank stderr when running the oscap tool + Resolves: rhbz#1360765 +- Beware of the invalid profiles + Resolves: rhbz#1365130 +- Properly set the seen property for root passwords + Resolves: rhbz#1357603 + +* Thu Jun 30 2016 Vratislav Podzimek - 0.7-10 +- Clear spoke's info before setting an error + Resolves: rhbz#1349446 + +* Wed Jun 1 2016 Vratislav Podzimek - 0.7-9 +- Use the System hub category provided by Anaconda + Resolves: rhbz#1269211 +- Wait for Anaconda to settle before evaluation + Resolves: rhbz#1265552 +- Make the changes overview scrollable and smaller + Related: rhbz#1263582 +- Make the list of profiles scrollable + Resolves: rhbz#1263582 +- Do not try to create a single file multiple times + Related: rhbz#1263315 +- Avoid crashes on extraction errors + Resolves: rhbz#1263315 +- Disable GPG checks when installing content to the system + Resolves: rhbz#1263216 +- Allow fixing root password in graphical installations + Resolves: rhbz#1265116 +- Enforce the minimal root password length + Resolves: rhbz#1238281 +- Just report misconfiguration instead of crashing in text mode + Resolves: rhbz#1263207 +- Do not verify SSL if inst.noverifyssl was given + Resolves: rhbz#1263257 +- Also catch data_fetch.DataFetchError when trying to get content + Resolves: rhbz#1263239 +- Use new method signature with payload class + Related: rhbz#1288636 * Wed Sep 16 2015 Vratislav Podzimek - 0.7-8 - Do not remove the root password behind user's back