-rw-r--r-- | dispatch.py | 2 | ||||
-rw-r--r-- | instdata.py | 4 | ||||
-rw-r--r-- | iw/firewall_gui.py | 21 | ||||
-rw-r--r-- | security.py | 66 | ||||
-rw-r--r-- | textw/firewall_text.py | 2 |
5 files changed, 81 insertions, 14 deletions
diff --git a/dispatch.py b/dispatch.py
index dbe2a6ff3..4cb04a0ea 100644
--- a/dispatch.py
+++ b/dispatch.py
@@ -99,7 +99,7 @@ installSteps = [
 "id.diskset")),
 ("networkdevicecheck", networkDeviceCheck, ("id.network", "dispatch")),
 ("network", ("id.network", "dir", "intf")),
- ("firewall", ("intf", "id.network", "id.firewall")),
+ ("firewall", ("intf", "id.network", "id.firewall", "id.security")),
 ("languagesupport", ("id.langSupport",)),
 ("timezone", ("id.instLanguage", "id.timezone")),
 ("accounts", ("intf", "id.rootPassword")),
diff --git a/instdata.py b/instdata.py
index 272d9770f..0d9e9b7fa 100644
--- a/instdata.py
+++ b/instdata.py
@@ -18,6 +18,7 @@ import string
 import language
 import network
 import firewall
+import security
 import timezone
 import desktop
 import users
@@ -57,6 +58,7 @@ class InstallData:
 self.instClass = None
 self.network = network.Network()
 self.firewall = firewall.Firewall()
+ self.security = security.Security()
 self.timezone = timezone.Timezone()
 self.accounts = users.Accounts()
 self.rootPassword = users.RootPassword ()
@@ -117,6 +119,7 @@ class InstallData:
 self.timezone.write (instPath)
 self.auth.write (instPath)
 self.firewall.write (instPath)
+ self.security.write (instPath)
 self.rootPassword.write (instPath, self.auth)
 self.accounts.write (instPath, self.auth)
 
@@ -171,6 +174,7 @@ class InstallData:
 self.network.writeKS(f)
 self.rootPassword.writeKS(f, self.auth)
 self.firewall.writeKS(f)
+ self.security.writeKS(f)
 self.auth.writeKS(f)
 self.timezone.writeKS(f)
 self.bootloader.writeKS(f)
diff --git a/iw/firewall_gui.py b/iw/firewall_gui.py
index cd2832816..6c42747ef 100644
--- a/iw/firewall_gui.py
+++ b/iw/firewall_gui.py
@@ -27,6 +27,8 @@ class FirewallWindow (InstallWindow): InstallWindow.__init__ (self, ics) def getNext (self): + self.security.setSELinux(self.se_option_menu.get_history()) + if self.disabled_radio.get_active (): rc2 = self.intf.messageWindow(_("Warning - No Firewall"), _("If this system is attached directly to the Internet or " @@ -134,21 +136,15 @@ class FirewallWindow (InstallWindow): else: # all the port data looks good self.firewall.portlist = portlist - if self.se_option_menu.get_history() == 0: - self.firewall.selinux = "enforcing" - elif self.se_option_menu.get_history() == 1: - self.firewall.selinux = "permissive" - elif self.se_option_menu.get_history() == 2: - self.firewall.selinux = "disabled" - def activate_firewall (self, widget): if self.disabled_radio.get_active (): self.table.set_sensitive(gtk.FALSE) else: self.table.set_sensitive(gtk.TRUE) - def getScreen (self, intf, network, firewall): + def getScreen (self, intf, network, firewall, security): self.firewall = firewall + self.security = security self.network = network self.intf = intf @@ -276,8 +272,7 @@ class FirewallWindow (InstallWindow): self.activate_firewall(None) - self.table.attach (gtk.HSeparator(), 0, 2, y, y + 1, gtk.FILL, gtk.FILL, 5, 5) - y = y + 1 + box.pack_start (gtk.HSeparator(), gtk.FALSE) label = gtk.Label(_("_Security Enhanced Linux (SELinux) Extentions:")) label.set_use_underline(gtk.TRUE) @@ -285,17 +280,19 @@ class FirewallWindow (InstallWindow): label.set_mnemonic_widget(self.se_option_menu) se_menu = gtk.Menu() - for i in (_("Active"), _("Warn"), _("Disabled")): + for i in (_("Disabled"), _("Warn"), _("Active")): se_menu.add(gtk.MenuItem(i)) self.se_option_menu.set_menu(se_menu) + + self.se_option_menu.set_history(self.security.getSELinux()) hbox = gtk.HBox() hbox.set_spacing(8) hbox.pack_start(label, gtk.FALSE) hbox.pack_start(self.se_option_menu, gtk.TRUE) - self.table.attach (hbox, 0, 2, y, y + 1, gtk.FILL, gtk.FILL, 5, 5) + box.pack_start(hbox, gtk.FALSE) return box 
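Review bot: getNext now hands the raw option-menu index straight to security.setSELinux, so the SELinux choice depends on the menu being built in the order Disabled, Warn, Active to line up with SEL_DISABLED=0, SEL_PERMISSIVE=1, SEL_ENFORCING=2 in security.py, and nothing in the reordered loop records that coupling. A comment on the `for i in (_("Disabled"), _("Warn"), _("Active")):` line such as `# order must match SEL_DISABLED/SEL_PERMISSIVE/SEL_ENFORCING in security.py` would keep a later cosmetic reorder of the menu from silently changing which policy gets installed. The "Warn" label also maps to the "permissive" state, which is worth spelling out in that same comment since the two names do not obviously correspond.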
diff --git a/security.py b/security.py
new file mode 100644
index 000000000..79d74dd67
--- /dev/null
+++ b/security.py
@@ -0,0 +1,66 @@
+#
+# security.py - security install data and installation
+#
+# Jeremy Katz <katzj@redhat.com>
+#
+# Copyright 2004 Red Hat, Inc.
+#
+# This software may be freely redistributed under the terms of the GNU
+# general public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+
+import os, string
+from flags import flags
+
+from rhpl.log import log
+
+SEL_DISABLED = 0
+SEL_PERMISSIVE = 1
+SEL_ENFORCING = 2
+
+selinux_states = { SEL_DISABLED: "disabled",
+ SEL_ENFORCING: "enforced",
+ SEL_PERMISSIVE: "permissive" }
+
+class Security:
+ def __init__(self):
+ self.selinux = SEL_ENFORCING
+
+ def setSELinux(self, val):
+ if not selinux_states.has_key(val):
+ raise ValueError, "Setting to invalid SELinux state: %s" %(val,)
+
+ self.selinux = val
+
+ def getSELinux(self):
+ return self.selinux
+
+ def writeKS(self, f):
+ # FIXME: we don't support setting this up via kickstart yet
+ pass
+
+ def write(self, instPath):
+ args = [ "/usr/sbin/lokkit", "--quiet", "--nostart" ]
+
+ if not selinux_states.has_key(self.selinux):
+ log("ERROR: unknown selinux state: %s" %(self.selinux,))
+ return
+
+ args = args + [ "--selinux=%s" %(selinux_states[self.selinux],) ]
+
+ try:
+ if flags.setupFilesystems:
+ iutil.execWithRedirect(args[0], args, root = instPath,
+ stdout = None, stderr = None)
+ else:
+ log("would have run %s", args)
+ except RuntimeError, msg:
+ log ("lokkit run failed: %s", msg)
+ except OSError, (errno, msg):
+ log ("lokkit run failed: %s", msg)
+
+
diff --git a/textw/firewall_text.py b/textw/firewall_text.py
index b0c3730ff..be780fc25 100644
--- a/textw/firewall_text.py
+++ b/textw/firewall_text.py
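Review bot: Security.write calls iutil.execWithRedirect, but the new file only imports os, string, flags and log, so on a real install (flags.setupFilesystems set) the call raises NameError inside the try, which the RuntimeError/OSError handlers do not catch; add `import iutil` beside the other imports (os and string look unused and could be dropped). selinux_states maps SEL_ENFORCING to "enforced", whereas the code this commit removes from iw/firewall_gui.py passed "enforcing" for the same state; confirm which spelling lokkit's --selinux= option accepts, because a rejected value would leave the installed system without the enforcing policy the default promises. Both failure paths only log, so an install that could not apply the SELinux setting finishes as if it had; returning a status or surfacing a warning to the caller would make that degradation visible. The else branch and the except blocks pass extra arguments to log while the unknown-state branch pre-formats with %; whether rhpl.log.log accepts format args is not visible here, so the two call styles should be aligned once that is checked.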
@@ -18,7 +18,7 @@ from constants_text import * from rhpl.translate import _ class FirewallWindow: - def __call__(self, screen, intf, network, firewall): + def __call__(self, screen, intf, network, firewall, security): self.intf = intf bb = ButtonBar (screen, (TEXT_OK_BUTTON, (_("Customize"), "customize"), TEXT_BACK_BUTTON)) |
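Review bot: __call__ gains a security parameter, but nothing in the hunk stores or reads it, so unless the rest of the method uses it the text installer never calls security.setSELinux and has no way to change the SELinux state the GUI now exposes; the Security default of SEL_ENFORCING would then apply to every text-mode install without the user seeing it. At minimum add `self.security = security` next to `self.intf = intf`, or a comment stating that text mode intentionally keeps the default. The body of __call__ continues past the end of this hunk, so the parameter may be consumed further down.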