Beispiel #1
0
def save_reload_cmds(cmdline):
    err = 0

    generators = [g for g in dir(policygenerators) if 'Generator' in g]

    path = os.path.join(cmdline.outputdir, reload_cmd_name)
    try:
        with open(path, mode='w') as f:
            for g in generators:
                cls = policygenerators.__dict__[g]
                f.write(cls.RELOAD_CMD)
    except OSError:
        eprint('Error saving reload cmds')
        err = 6
    return err
def save_config(pconfig, cfgname, cfgdata, cfgdir, localdir, profiledir):
	# This is not fully safe but not worse than original shell script
	try:
		output = subprocess.check_output('ls ' + local_dir + '/' + cfgname +
			 '-*.config 2>/dev/null', shell=True)
		local_cfg = True
	except subprocess.CalledProcessError:
		local_cfg = False

	profilepath = profiledir + '/' + str(pconfig) + '/' + cfgname + '.txt'

	if not local_cfg and os.access(profilepath, os.R_OK):
		safe_symlink(cfgdir, cfgname + '.config', profilepath)
		return

	safe_write(cfgdir, cfgname + '.config', cfgdata)

	if local_cfg:
		try:
			subprocess.call('cat ' + local_dir + '/' + cfgname + '-*.config >> ' +
				cfgdir + '/' + cfgname + '.config', shell=True)
		except subprocess.CalledProcessError:
			eprint("Error applying local configuration to " + cfgname)
Beispiel #3
0
def build_policy(cmdline, policy_name, subpolicy_names=[]):
    err = 0
    cp = cryptopolicies.CryptoPolicy(cmdline.policydir)

    try:
        cp.load_policy(policy_name)
        cp.load_subpolicies(subpolicy_names)
    except ValueError as e:
        eprint('Error: ' + str(e))
        return 1

    if cp.errors:
        eprint('Errors found in policy ' + policy_name)
        return 2

    cp.finalize()

    generators = [g for g in dir(policygenerators) if 'Generator' in g]

    for g in generators:
        cls = policygenerators.__dict__[g]
        gen = cls()
        config = gen.generate_config(cp)

        if policy_name == 'EMPTY' or gen.test_config(config):
            try:
                name = ':'.join([policy_name, *subpolicy_names])
                if not save_config(cmdline, name, gen.CONFIG_NAME, config):
                    err = 5
            except:
                eprint('Error saving config for ' + gen.CONFIG_NAME)
                eprint('Keeping original configuration')
                err = 4
        else:
            eprint('Error testing config for ' + gen.CONFIG_NAME)
            err = 3
    return err
Beispiel #4
0
def save_config(cmdline, policy_name, config_name, config):
    if cmdline.flat:
        path = os.path.join(cmdline.outputdir,
                            '{}-{}.txt'.format(policy_name, config_name))
    else:
        dirpath = os.path.join(cmdline.outputdir, policy_name)
        if not os.path.isdir(dirpath):
            try:
                os.mkdir(dirpath)
            except OSError:
                eprint('Cannot create directory for policy {}'.format(
                    policy_name))
                return False
        path = os.path.join(dirpath, config_name + '.txt')

    if cmdline.test:
        try:
            with open(path, mode='r') as f:
                old_config = f.read()
            if old_config == config:
                return True
            else:
                eprint(
                    'Config for {} for policy {} differs from the existing one'
                    .format(config_name, policy_name))
                return False
        except FileNotFoundError:
            pass
        except OSError:
            eprint('Error reading generated file {}'.format(path))
            return False

    print('Saving config for {} for policy {}'.format(config_name,
                                                      policy_name))
    with open(path, mode='w') as f:
        f.write(config)
    print()
    return True
def main():
	"The actual command implementation"
	cmdline = parse_args()

	if cmdline.is_applied:
		is_applied()
		sys.exit(0)

	err = 0

	setup_directories()

	pconfig = ProfileConfig()

	set_config = False

	configfile = base_dir + '/config'
	if os.access(configfile, os.R_OK):
		pconfig.parse_file(configfile)
	else:
		pconfig.parse_file(profile_dir + '/default-config')

	if cmdline.show:
		pconfig.show()
		sys.exit(0)

	profile = cmdline.set

	if profile:
		oldpolicy = pconfig.policy
		pconfig.parse_string(profile)
		set_config = True

		# FIPS profile is a special case
		if pconfig.policy != oldpolicy:
			if pconfig.policy == 'FIPS':
				eprint("Warning: Using 'update-crypto-policies --set FIPS' is not sufficient for")
				eprint("         FIPS compliance.")
				eprint("         Use 'fips-mode-setup --enable' command instead.")
			elif fips_mode():
				eprint("Warning: Using 'update-crypto-policies --set' in FIPS mode will make the system")
				eprint("         non-compliant with FIPS.")
				eprint("         It can also break the ssh access to the system.")
				eprint("         Use 'fips-mode-setup --disable' to disable the system FIPS mode.")

	cp = cryptopolicies.CryptoPolicy()

	try:
		cp.load_policy(pconfig.policy)
		cp.load_subpolicies(pconfig.subpolicies)
	except ValueError as e:
		eprint('Error: ' + str(e))
		sys.exit(1)

	if cp.errors:
		eprint('Errors found in policy')
		sys.exit(1)

	cp.finalize()

	print("Setting system policy to " + str(pconfig))

	generators = [g for g in dir(policygenerators) if 'Generator' in g]

	for g in generators:
		cls = policygenerators.__dict__[g]
		gen = cls()
		try:
			config = gen.generate_config(cp)
		except:
			eprint('Error generating config for ' + gen.CONFIG_NAME)
			eprint('Keeping original configuration')
			err = 1

		try:
			save_config(pconfig, gen.CONFIG_NAME, config,
				    backend_config_dir, local_dir, profile_dir)
		except:
			eprint('Error saving config for ' + gen.CONFIG_NAME)
			eprint('Keeping original configuration')
			err = 1

	if set_config:
		try:
			safe_write(base_dir, 'config', str(pconfig) + '\n')
		except:
			eprint('Error setting the current policy configuration')
			err = 3

	try:
		safe_write(state_dir, 'current', str(pconfig) + '\n')
	except:
		eprint('Error updating current policy marker')
		err = 2

	print("Note: System-wide crypto policies are applied on application start-up.")
	print("It is recommended to restart the system for the change of policies")
	print("to fully take place.")

	if not cmdline.no_reload:
		subprocess.call(['/bin/bash', reload_cmd_path])

	sys.exit(err)