def save_reload_cmds(cmdline):
err = 0
generators = [g for g in dir(policygenerators) if 'Generator' in g]
path = os.path.join(cmdline.outputdir, reload_cmd_name)
try:
with open(path, mode='w') as f:
for g in generators:
cls = policygenerators.__dict__[g]
f.write(cls.RELOAD_CMD)
except OSError:
eprint('Error saving reload cmds')
err = 6
return err
def save_config(pconfig, cfgname, cfgdata, cfgdir, localdir, profiledir):
# This is not fully safe but not worse than original shell script
try:
output = subprocess.check_output('ls ' + local_dir + '/' + cfgname +
'-*.config 2>/dev/null', shell=True)
local_cfg = True
except subprocess.CalledProcessError:
local_cfg = False
profilepath = profiledir + '/' + str(pconfig) + '/' + cfgname + '.txt'
if not local_cfg and os.access(profilepath, os.R_OK):
safe_symlink(cfgdir, cfgname + '.config', profilepath)
return
safe_write(cfgdir, cfgname + '.config', cfgdata)
if local_cfg:
try:
subprocess.call('cat ' + local_dir + '/' + cfgname + '-*.config >> ' +
cfgdir + '/' + cfgname + '.config', shell=True)
except subprocess.CalledProcessError:
eprint("Error applying local configuration to " + cfgname)
def build_policy(cmdline, policy_name, subpolicy_names=[]):
err = 0
cp = cryptopolicies.CryptoPolicy(cmdline.policydir)
try:
cp.load_policy(policy_name)
cp.load_subpolicies(subpolicy_names)
except ValueError as e:
eprint('Error: ' + str(e))
return 1
if cp.errors:
eprint('Errors found in policy ' + policy_name)
return 2
cp.finalize()
generators = [g for g in dir(policygenerators) if 'Generator' in g]
for g in generators:
cls = policygenerators.__dict__[g]
gen = cls()
config = gen.generate_config(cp)
if policy_name == 'EMPTY' or gen.test_config(config):
try:
name = ':'.join([policy_name, *subpolicy_names])
if not save_config(cmdline, name, gen.CONFIG_NAME, config):
err = 5
except:
eprint('Error saving config for ' + gen.CONFIG_NAME)
eprint('Keeping original configuration')
err = 4
else:
eprint('Error testing config for ' + gen.CONFIG_NAME)
err = 3
return err
def save_config(cmdline, policy_name, config_name, config):
if cmdline.flat:
path = os.path.join(cmdline.outputdir,
'{}-{}.txt'.format(policy_name, config_name))
else:
dirpath = os.path.join(cmdline.outputdir, policy_name)
if not os.path.isdir(dirpath):
try:
os.mkdir(dirpath)
except OSError:
eprint('Cannot create directory for policy {}'.format(
policy_name))
return False
path = os.path.join(dirpath, config_name + '.txt')
if cmdline.test:
try:
with open(path, mode='r') as f:
old_config = f.read()
if old_config == config:
return True
else:
eprint(
'Config for {} for policy {} differs from the existing one'
.format(config_name, policy_name))
return False
except FileNotFoundError:
pass
except OSError:
eprint('Error reading generated file {}'.format(path))
return False
print('Saving config for {} for policy {}'.format(config_name,
policy_name))
with open(path, mode='w') as f:
f.write(config)
print()
return True
def main():
"The actual command implementation"
cmdline = parse_args()
if cmdline.is_applied:
is_applied()
sys.exit(0)
err = 0
setup_directories()
pconfig = ProfileConfig()
set_config = False
configfile = base_dir + '/config'
if os.access(configfile, os.R_OK):
pconfig.parse_file(configfile)
else:
pconfig.parse_file(profile_dir + '/default-config')
if cmdline.show:
pconfig.show()
sys.exit(0)
profile = cmdline.set
if profile:
oldpolicy = pconfig.policy
pconfig.parse_string(profile)
set_config = True
# FIPS profile is a special case
if pconfig.policy != oldpolicy:
if pconfig.policy == 'FIPS':
eprint("Warning: Using 'update-crypto-policies --set FIPS' is not sufficient for")
eprint(" FIPS compliance.")
eprint(" Use 'fips-mode-setup --enable' command instead.")
elif fips_mode():
eprint("Warning: Using 'update-crypto-policies --set' in FIPS mode will make the system")
eprint(" non-compliant with FIPS.")
eprint(" It can also break the ssh access to the system.")
eprint(" Use 'fips-mode-setup --disable' to disable the system FIPS mode.")
cp = cryptopolicies.CryptoPolicy()
try:
cp.load_policy(pconfig.policy)
cp.load_subpolicies(pconfig.subpolicies)
except ValueError as e:
eprint('Error: ' + str(e))
sys.exit(1)
if cp.errors:
eprint('Errors found in policy')
sys.exit(1)
cp.finalize()
print("Setting system policy to " + str(pconfig))
generators = [g for g in dir(policygenerators) if 'Generator' in g]
for g in generators:
cls = policygenerators.__dict__[g]
gen = cls()
try:
config = gen.generate_config(cp)
except:
eprint('Error generating config for ' + gen.CONFIG_NAME)
eprint('Keeping original configuration')
err = 1
try:
save_config(pconfig, gen.CONFIG_NAME, config,
backend_config_dir, local_dir, profile_dir)
except:
eprint('Error saving config for ' + gen.CONFIG_NAME)
eprint('Keeping original configuration')
err = 1
if set_config:
try:
safe_write(base_dir, 'config', str(pconfig) + '\n')
except:
eprint('Error setting the current policy configuration')
err = 3
try:
safe_write(state_dir, 'current', str(pconfig) + '\n')
except:
eprint('Error updating current policy marker')
err = 2
print("Note: System-wide crypto policies are applied on application start-up.")
print("It is recommended to restart the system for the change of policies")
print("to fully take place.")
if not cmdline.no_reload:
subprocess.call(['/bin/bash', reload_cmd_path])
sys.exit(err)