-rw-r--r-- | ChangeLog | 16 | ||||
-rw-r--r-- | dispatch.py | 1 | ||||
-rw-r--r-- | firewall.py | 37 | ||||
-rwxr-xr-x | gui.py | 1 | ||||
-rw-r--r-- | installclass.py | 22 | ||||
-rw-r--r-- | iw/firewall_gui.py | 183 | ||||
-rw-r--r-- | iw/network_gui.py | 7 | ||||
-rw-r--r-- | kickstart.py | 3 | ||||
-rw-r--r-- | text.py | 2 | ||||
-rw-r--r-- | textw/firewall_text.py | 203 | ||||
-rw-r--r-- | textw/network_text.py | 8 |
11 files changed, 35 insertions, 448 deletions
@@ -1,3 +1,19 @@ +2005-07-21 Chris Lumens <clumens@redhat.com> + + * dispatch.py (installSteps): Remove firewall step. + * gui.py (stepToClass): Likewise. + * kickstart.py (Kickstart.setSteps): Likewise. + * text.py (stepToClasses): Likewise. + * firewall.py: Remove Service class. + * installclass.py (BaseInstallClass.setFirewall): Interactive + kickstart installs can no longer see a firewall config screen, so + simplify this method. + * iw/network_gui.py (NetworkWindow.getNext): Initialize firewall and + SELinux. + * textw/network_text.py (NetworkGlobalWindow.__call__): Likewise. + * iw/firewall_gui.py: Removed. + * textw/firewall_text.py: Likewise. + 2005-07-21 Bill Nottingham <notting@redhat.com> * network.py: Use the right enum. Not that it makes diff --git a/dispatch.py b/dispatch.py index e20c46a61..c1154db6f 100644 --- a/dispatch.py +++ b/dispatch.py @@ -103,7 +103,6 @@ installSteps = [ "id.diskset")), ("networkdevicecheck", networkDeviceCheck, ("id.network", "dispatch")), ("network", ("id.network", "dir", "intf", "id")), - ("firewall", ("intf", "id.network", "id.firewall", "id.security")), ("timezone", ("id.instLanguage", "id.timezone")), ("accounts", ("intf", "id.rootPassword")), ("authentication", ("id.auth",)), diff --git a/firewall.py b/firewall.py index 10ddf7e77..08f990248 100644 --- a/firewall.py +++ b/firewall.py 
@@ -22,40 +22,11 @@ from flags import flags from rhpl.log import log from rhpl.translate import _, N_ -class Service: - def __init__ (self, key, name, ports): - self.key = key - self.name = name - self.allowed = 0 - - if type(ports) == type(""): - self.ports = [ ports ] - else: - self.ports = ports - - - def set_enabled(self, val): - self.allowed = val - - def get_enabled(self): - return self.allowed - - def get_name(self): - return self.name - - def get_ports(self): - return self.ports - class Firewall: def __init__ (self): self.enabled = 1 self.trustdevs = [] self.portlist = [] - self.services = [ Service("ssh", N_("Remote Login (SSH)"), "22:tcp"), - Service("http", N_("Web Server (HTTP, HTTPS)"), "80:tcp"), - Service("ftp", N_("File Transfer (FTP)"), "21:tcp"), - - Service("smtp", N_("Mail Server (SMTP)"), "25:tcp") ] def writeKS(self, f): f.write("firewall") @@ -72,16 +43,11 @@ class Firewall: args = [] if self.enabled: - args.append ("--enabled") + args.append("--enabled") else: args.append("--disabled") return args - for service in self.services: - if service.get_enabled(): - for p in service.get_ports(): - args = args + [ "--port=%s" %(p,) ] - for dev in self.trustdevs: args = args + [ "--trust=%s" %(dev,) ] @@ -93,7 +59,6 @@ class Firewall: def write (self, instPath): args = [ "/usr/sbin/lokkit", "--quiet", "--nostart", "-f" ] - args = args + self.getArgList() try: @@ -62,7 +62,6 @@ stepToClass = { "bootloaderadvanced": ("bootloader_advanced_gui", "AdvancedBootloaderWindow"), "upgbootloader": ("upgrade_bootloader_gui", "UpgradeBootloaderWindow"), "network" : ("network_gui", "NetworkWindow"), - "firewall" : ("firewall_gui", "FirewallWindow"), "timezone" : ("timezone_gui", "TimezoneWindow"), "accounts" : ("account_gui", "AccountWindow"), "authentication" : ("auth_gui", "AuthWindow"), diff --git a/installclass.py b/installclass.py index ca90e279d..5d56a645b 100644 --- a/installclass.py +++ b/installclass.py 
@@ -135,7 +135,6 @@ class BaseInstallClass: "bootloader", "networkdevicecheck", "network", - "firewall", "timezone", "accounts", "readcomps", @@ -365,24 +364,9 @@ class BaseInstallClass: def setFirewall(self, id, enable = 1, trusts = [], ports = []): id.firewall.enabled = enable id.firewall.trustdevs = trusts - # this is a little ugly, but we want to let setting a service - # like --ssh enable the service in case they're doing an interactive - # kickstart install - for port in ports: - found = 0 - for s in id.firewall.services: - p = s.get_ports() - # don't worry about the ones that are more than one, - # this is really for legacy use only - if len(p) > 1: - continue - if p[0] == port: - s.set_enabled(1) - found = 1 - break - - if not found: - id.firewall.portlist.append(port) + + for port in ports: + id.firewall.portlist.append (port) def setMiscXSettings(self, id, depth = None, resolution = None, desktop = None, runlevel = None): diff --git a/iw/firewall_gui.py b/iw/firewall_gui.py deleted file mode 100644 index 3c64f0fb2..000000000 --- a/iw/firewall_gui.py +++ /dev/null 
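Review bot: The new loop in `setFirewall` appends every entry of `ports` to `id.firewall.portlist` unconditionally, so calling it more than once accumulates duplicates. The call this commit adds in `NetworkWindow.getNext` presumably runs each time the user leaves the network screen, so going back and forward would add `22:tcp` again; guard it with `if port not in id.firewall.portlist:` before `id.firewall.portlist.append(port)`. Separately, `trusts = []` is a mutable default stored by reference in `id.firewall.trustdevs`, so a later in-place append to `trustdevs` would leak into subsequent calls; `id.firewall.trustdevs = list(trusts)` avoids that.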
@@ -1,183 +0,0 @@ -# -# firewall_gui.py: firewall setup screen -# -# Copyright 2001-2004 Red Hat, Inc. -# -# This software may be freely redistributed under the terms of the GNU -# library public license. -# -# You should have received a copy of the GNU Library Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -# - -import checklist -import gtk -import gui -from iw_gui import * -from isys import * -from rhpl.translate import _, N_ -from flags import flags -from constants import * - -selopts = [ N_("Disabled"), N_("Warn"), N_("Active") ] - -class FirewallWindow (InstallWindow): - - windowTitle = N_("Firewall") - htmlTag = "securitylevel" - - def __init__ (self, ics): - InstallWindow.__init__ (self, ics) - - def getNext (self): - self.security.setSELinux(self.selinux_combo.get_active()) - - if self.disabled_radio.get_active (): - rc2 = self.intf.messageWindow(_("Warning - No Firewall"), - _("If this system is attached directly to the Internet or " - "is on a large public network, it is recommended that a " - "firewall be configured to help prevent unauthorized " - "access. However, you have selected not to " - "configure a firewall. 
Choose \"Proceed\" to continue " - "without a firewall."), - type="custom", custom_icon="warning", - custom_buttons=[_("_Configure Firewall"), _("_Proceed")]) - - if rc2 == 0: - raise gui.StayOnScreen - self.firewall.enabled = 0 - else: - self.firewall.enabled = 1 - - count = 0 - for service in self.firewall.services: - val = self.incoming.get_active(count) - service.set_enabled(val) - count = count + 1 - - def activate_firewall (self, widget): - if self.disabled_radio.get_active (): - self.table.set_sensitive(False) - else: - self.table.set_sensitive(True) - - def getScreen (self, intf, network, firewall, security): - self.firewall = firewall - self.security = security - self.network = network - self.intf = intf - - self.devices = self.network.available().keys() - self.devices.sort() - - self.netCBs = {} - - box = gtk.VBox (False, 5) - box.set_border_width (5) - - label = gui.WrappingLabel (_("A firewall can help prevent " - "unauthorized access to your computer " - "from the outside world. Would you like " - "to enable a firewall?")) - label.set_alignment (0.0, 0) - label.set_size_request(450, -1) - - box.pack_start(label, False) - - vbox = gtk.VBox (False) - - self.disabled_radio = gtk.RadioButton (None, (_("N_o firewall"))) - self.enabled_radio = gtk.RadioButton (self.disabled_radio, - (_("_Enable firewall"))) - self.disabled_radio.connect("clicked", self.activate_firewall) - self.enabled_radio.connect("clicked", self.activate_firewall) - - vbox.pack_start (self.disabled_radio) - vbox.pack_start (self.enabled_radio) - - a = gtk.Alignment () - a.add (vbox) - a.set (0.3, 0, 0.7, 1.0) - - box.pack_start (a, False, 5) - - self.table = gtk.Table (2, 8) - box.pack_start (self.table, False, 5) - - y = 0 - label = gui.WrappingLabel (_("You can use a firewall to allow " - "access to specific services on your " - "computer from other computers. 
Which " - "services, if any, do you wish to " - "allow access to ?")) - label.set_size_request(400, -1) - label.set_alignment(0.0, 0.0) - self.table.attach(label, 0, 2, y, y + 1, gtk.EXPAND | gtk.FILL, gtk.FILL, 5, 5) - - y = y + 1 - hbox = gtk.HBox(False, 10) - self.incoming = checklist.CheckList(1) - self.incoming.set_size_request(-1, 125) - - incomingSW = gtk.ScrolledWindow() - incomingSW.set_border_width(5) - incomingSW.set_policy(gtk.POLICY_NEVER, gtk.POLICY_AUTOMATIC) - incomingSW.set_shadow_type(gtk.SHADOW_IN) - incomingSW.add(self.incoming) - - for serv in self.firewall.services: - self.incoming.append_row ( (_(serv.get_name()), serv), - serv.get_enabled() ) - - self.table.attach (incomingSW, 0, 2, y, y + 1, gtk.EXPAND|gtk.FILL, gtk.FILL, 5, 5) - - if self.firewall.enabled == 0: - self.disabled_radio.set_active (True) - else: - self.enabled_radio.set_active(True) - - self.activate_firewall(None) - - # SELinux widgets - selbox = gtk.VBox() - selbox.set_spacing(8) - - l = gui.WrappingLabel(_("Security Enhanced Linux (SELinux) " - "provides finer-grained " - "security controls than those available " - "in a traditional Linux system. 
It can " - "be set up in a disabled state, a state " - "which only warns about things which would " - "be denied, or a fully active state.")) - l.set_size_request(400, -1) - l.set_alignment(0.0, 0.0) - - selbox.pack_start(l, False) - - label = gtk.Label(_("Enable _SELinux?:")) - label.set_use_underline(True) - self.selinux_combo = gtk.combo_box_new_text() - label.set_mnemonic_widget(self.selinux_combo) - - for i in selopts: - self.selinux_combo.append_text(_(i)) - - self.selinux_combo.set_active(self.security.getSELinux()) - - hbox = gtk.HBox() - hbox.set_spacing(8) - hbox.pack_start(label, False) - hbox.pack_start(self.selinux_combo, False) - selbox.pack_start(hbox) - - if flags.selinux == 0: - selbox.set_sensitive(False) - - if (SELINUX_DEFAULT == 1) or flags.selinux: - box.pack_start (gtk.HSeparator(), False) - box.pack_start(selbox, False) - - return box - - diff --git a/iw/network_gui.py b/iw/network_gui.py index c5b4da9f9..236ebe529 100644 --- a/iw/network_gui.py +++ b/iw/network_gui.py @@ -122,6 +122,13 @@ class NetworkWindow(InstallWindow): self.network.hostname = newHostname self.network.overrideDHCPhostname = override + # Initialize firewall and SELinux settings to our strict defaults + # but only if we're not doing a kickstart install. + if self.id.instClass.name != "kickstart": + import security + self.id.instClass.setFirewall (self.id, ports = ["22:tcp"]) + self.id.instClass.setSELinux (self.id, security.SEL_ENFORCING) + return None def DHCPtoggled(self, widget, (dev, table)): diff --git a/kickstart.py b/kickstart.py index 1fe004940..774bbd4f4 100644 --- a/kickstart.py +++ b/kickstart.py @@ -1404,9 +1404,6 @@ class Kickstart(BaseInstallClass): dispatch.skipStep("network") dispatch.skipStep("installtype") - # skipping firewall by default, disabled by default - dispatch.skipStep("firewall") - for n in self.skipSteps: dispatch.skipStep(n) for n in self.showSteps: 
@@ -59,8 +59,6 @@ stepToClasses = { "BootloaderLocationWindow")), "network" : ("network_text", ("NetworkDeviceWindow", "NetworkGlobalWindow", "HostnameWindow")), - "firewall" : ("firewall_text", ("FirewallWindow", - "SELinuxWindow")), "timezone" : ("timezone_text", "TimezoneWindow"), "accounts" : ("userauth_text", "RootPasswordWindow"), "authentication" : ("userauth_text", ("AuthConfigWindow")), diff --git a/textw/firewall_text.py b/textw/firewall_text.py deleted file mode 100644 index 7ae0acb67..000000000 --- a/textw/firewall_text.py +++ /dev/null 
@@ -1,203 +0,0 @@ -# -# firewall_text.py: text mode firewall setup -# -# Bill Nottingham <notting@redhat.com> -# Jeremy Katz <katzj@redhat.com> -# -# Copyright 2001-2004 Red Hat, Inc. -# -# This software may be freely redistributed under the terms of the GNU -# library public license. -# -# You should have received a copy of the GNU Library Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -# - -from snack import * -from constants_text import * -from rhpl.translate import _ -from rhpl.log import log -from flags import flags - -class FirewallWindow: - def __call__(self, screen, intf, network, firewall, security): - self.intf = intf - - bb = ButtonBar (screen, (TEXT_OK_BUTTON, (_("Customize"), "customize"), TEXT_BACK_BUTTON)) - - toplevel = GridFormHelp (screen, _("Firewall"), - "securitylevel", 1, 5) - text = _("A firewall can help prevent unauthorized access to your " - "computer from the outside world. 
Would you like to enable " - "a firewall?") - toplevel.add (TextboxReflowed(50, text), 0, 0, (0, 0, 0, 1)) - - toplevel.add (bb, 0, 4, (0, 0, 0, 0), growx = 1) - - smallGrid = Grid(2,1) - - bigGrid = Grid(2,15) - - typeGrid = Grid(2,1) - - self.enabled = SingleRadioButton(_("Enable firewall"), None, firewall.enabled) - self.enabled.setCallback(self.radiocb, (firewall, self.enabled)) - typeGrid.setField (self.enabled, 0, 0, (0, 0, 1, 0), anchorLeft = 1) - self.disabled = SingleRadioButton(_("No firewall"), self.enabled, not firewall.enabled) - self.disabled.setCallback(self.radiocb, (firewall, self.disabled)) - typeGrid.setField (self.disabled, 1, 0 , (0, 0, 1, 0), anchorRight = 1) - - smallGrid.setField (typeGrid, 0, 0, (1, 0, 0, 1), anchorLeft = 1, growx = 1) - - currentRow = 1 - bigGrid.setField (Label(_("Allow incoming:")), 0, currentRow, (0, 0, 0, 0), - anchorTop = 1) - - self.portGrid = Grid(1, len(firewall.services)) - # list of Service, Checkbox tuples - self.portboxes = [] - count = 0 - for serv in firewall.services: - s = Checkbox(_(serv.get_name()), serv.get_enabled()) - self.portboxes.append((serv, s)) - self.portGrid.setField (s, 0, count, (0, 0, 1, 0), anchorLeft = 1) - count += 1 - - bigGrid.setField (self.portGrid, 1, currentRow, (1, 0, 0, 0), anchorLeft = 1) - bigGrid.setField (Label(""), 0, currentRow + 1, (0, 0, 0, 1), anchorLeft = 1) - - toplevel.add(smallGrid, 0, 1, (0, 0, 0, 0), anchorLeft = 1) - if self.disabled.selected(): - self.radiocb((firewall, self.disabled)) - - while 1: - result = toplevel.run () - - rc = bb.buttonPressed (result) - - if rc == TEXT_BACK_CHECK: - screen.popWindow() - return INSTALL_BACK - - if rc == "customize": - - if self.disabled.selected(): - ButtonChoiceWindow(screen, _("Invalid Choice"), - _("You cannot customize a disabled firewall."), - buttons = [ TEXT_OK_STR ], width = 40) - else: - popbb = ButtonBar (screen, (TEXT_OK_BUTTON,)) - - poplevel = GridFormHelp (screen, _("Customize Firewall Configuration"), - 
"securitycustom", 1, 5) - text = _("With a firewall, you may wish to allow access " - "to specific services on your computer from " - "others. Allow access to which services?") - - poplevel.add (TextboxReflowed(65, text), 0, 0, (0, 0, 0, 1)) - - poplevel.add (popbb, 0, 4, (0, 0, 0, 0), growx = 1) - poplevel.add (bigGrid, 0, 1, (0, 0, 0, 0), anchorLeft = 1) - - - result2 = poplevel.run() - rc2 = popbb.buttonPressed(result2) - - if rc2 == TEXT_OK_CHECK or result2 == TEXT_F12_CHECK: - screen.popWindow() - - if rc == TEXT_OK_CHECK or result == TEXT_F12_CHECK: - if self.disabled.selected(): - rc2 = self.intf.messageWindow(_("Warning - No Firewall"), - _("If this system is attached directly to the Internet or " - "is on a large public network, it is recommended that a " - "firewall be configured to help prevent unauthorized " - "access. However, you have selected not to " - "configure a firewall. Choose \"Proceed\" to continue " - "without a firewall."), - type="custom", custom_icon="warning", - custom_buttons=[_("_Back"), _("_Proceed")]) - - if rc2 == 0: - continue - else: - break - else: - break - - screen.popWindow() - - for (s, cb) in self.portboxes: - s.set_enabled(cb.selected()) - if self.disabled.selected(): - firewall.enabled = 0 - else: - firewall.enabled = 1 - - return INSTALL_OK - - def radiocb(self, args): - (firewall, widget) = args - if widget == self.disabled: - firewall.enabled = 0 - elif widget == self.enabled: - firewall.enabled = 1 - else: - raise RuntimeError, "never reached" - - - -class SELinuxWindow: - def __call__(self, screen, intf, network, firewall, security): - if flags.selinux == 0: - log("selinux disabled, not showing selinux config screen") - return INSTALL_NOOP - - self.intf = intf - - toplevel = GridFormHelp (screen, _("Security Enhanced Linux"), - "selinux", 1, 5) - text = _("Security Enhanced Linux (SELinux) " - "provides finer-grained " - "security controls than those available " - "in a traditional Linux system. 
It can " - "be set up in a disabled state, a state " - "which only warns about things which would " - "be denied, or a fully active state.") - - toplevel.add(TextboxReflowed(50, text), 0, 0, (0,0,0,1)) - - - grid = Grid(3, 1) - disable = SingleRadioButton(_("Disabled"), None, (security.getSELinux() == 0)) - toplevel.add(disable, 0, 1, (0,0,0,0)) - warn = SingleRadioButton(_("Warn"), disable, (security.getSELinux() == 1)) - toplevel.add(warn, 0, 2, (0,0,0,0)) - enable = SingleRadioButton(_("Active"), warn, (security.getSELinux() == 2)) - toplevel.add(enable, 0, 3, (0,0,0,1)) - - bb = ButtonBar (screen, (TEXT_OK_BUTTON, TEXT_BACK_BUTTON)) - toplevel.add(bb, 0, 4, (0, 0, 0, 0), growx = 1) - - while 1: - result = toplevel.run() - - rc = bb.buttonPressed (result) - - if rc == TEXT_BACK_CHECK: - screen.popWindow() - return INSTALL_BACK - - break - - if enable.selected(): - security.setSELinux(2) - elif warn.selected(): - security.setSELinux(1) - elif disable.selected(): - security.setSELinux(0) - - screen.popWindow() - return INSTALL_OK - diff --git a/textw/network_text.py b/textw/network_text.py index c1734c4f5..33a6acfc7 100644 --- a/textw/network_text.py +++ b/textw/network_text.py @@ -322,6 +322,14 @@ class NetworkGlobalWindow: network.ternaryNS = val break + # Initialize firewall and SELinux settings to our strict defaults + # but only if we're not doing a kickstart install. This is as + # good a place as any for this stuff. + if id.instClass.name != "kickstart": + import security + id.instClass.setFirwall (id, ports = ["22:tcp"]) + id.instClass.setSELinux (id, security.SEL_ENFORCING) + screen.popWindow() return INSTALL_OK |