diff --git a/CONFIG_BUILD b/CONFIG_BUILD
index d49ce3b2a..c7abcadc7 100644
--- a/CONFIG_BUILD
+++ b/CONFIG_BUILD
@@ -33,6 +33,7 @@ CONFIG_BUILD_SELINUX_POL_TYPE := mcs
 CONFIG_BUILD_CHECK_KICKSTART := y
 CONFIG_BUILD_ENABLE_GUI := n
 CONFIG_BUILD_BREAK_GUI := n
+CONFIG_ENABLE_FIREWALLD := n
 
 # DEPRECATED OPTIONS
 # These CONFIG_BUILD_ options are deprecated and no longer tested/used.
@@ -84,6 +85,7 @@ CONFIG_BUILD_BASH_VARS += ISO_VERSION=$(strip $(ISO_VERSION))
 CONFIG_BUILD_BASH_VARS += CONFIG_BUILD_ENABLE_DHCP=$(strip $(CONFIG_BUILD_ENABLE_DHCP))
 CONFIG_BUILD_BASH_VARS += CONFIG_BUILD_ENABLE_GUI=$(strip $(CONFIG_BUILD_ENABLE_GUI))
 CONFIG_BUILD_BASH_VARS += CONFIG_BUILD_BREAK_GUI=$(strip $(CONFIG_BUILD_BREAK_GUI))
+CONFIG_BUILD_BASH_VARS += CONFIG_ENABLE_FIREWALLD=$(strip $(CONFIG_ENABLE_FIREWALLD))
 
 # Typically we are rolling builds on the target arch. Changing this may have dire consequences.
 # (read -> hasn't be tested at all and may result in broken builds and ultimately the end of the universe as we know it).
@@ -92,4 +94,4 @@ TARGET_ARCH := $(shell uname -i)
 # Quiet down the build output a bit.
 QUIET := n
 
-export TARGET_ARCH ADDTL_DEPS QUIET CONFIG_BUILD_BASH_VARS CONFIG_BUILD_ENFORCING_MODE CONFIG_BUILD_UNCONFINED_TOOR ISO_VERSION CONFIG_BUILD_REMEDIATE CONFIG_BUILD_ENABLE_DHCP CONFIG_BUILD_VPN_ENABLE_TOOR CONFIG_BUILD_SELINUX_POL_TYPE CONFIG_BUILD_CHECK_KICKSTART CONFIG_BUILD_ENABLE_GUI CONFIG_BUILD_BREAK_GUI
+export TARGET_ARCH ADDTL_DEPS QUIET CONFIG_BUILD_BASH_VARS CONFIG_BUILD_ENFORCING_MODE CONFIG_BUILD_UNCONFINED_TOOR ISO_VERSION CONFIG_BUILD_REMEDIATE CONFIG_BUILD_ENABLE_DHCP CONFIG_BUILD_VPN_ENABLE_TOOR CONFIG_BUILD_SELINUX_POL_TYPE CONFIG_BUILD_CHECK_KICKSTART CONFIG_BUILD_ENABLE_GUI CONFIG_BUILD_BREAK_GUI CONFIG_ENABLE_FIREWALLD
diff --git a/Help-firewalld.txt b/Help-firewalld.txt
index 534324980..e5dba72a0 100644
--- a/Help-firewalld.txt
+++ b/Help-firewalld.txt
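Review bot: `CONFIG_ENABLE_FIREWALLD := n` in the first hunk is the only knob in this file without the `CONFIG_BUILD_` prefix that every sibling carries and that the adjacent "These CONFIG_BUILD_ options are deprecated" comment treats as the family name; consider `CONFIG_BUILD_ENABLE_FIREWALLD` (the Help text, fix-bad-scap and the kickstart tests would change with it) or, if the name is kept, say why it differs. The option also lands without a comment, and since the kickstart side compares the exported value against the literal `y`, values such as `Y` or `yes` silently keep firewalld disabled, which is worth stating. Proposed line above it: `# Use firewalld instead of iptables/ip6tables in the image; must be exactly y or n (see Help-firewalld.txt).` The second and third hunks only propagate the name into CONFIG_BUILD_BASH_VARS and the export list, consistently with the other options.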
@@ -59,18 +59,26 @@ What does CLIP do?
 
 ===========================================================================
 How do you switch?
- This _should_ be pretty painless. You need to update the kickstart file,
- kickstart/clip-WHATEVER/clip-WHATEVER.ks, to add in the file that
- configures firewalld and remove where CLIP disables the service in
- kickstart/includes/fix-bad-scap.
-
- Add "%include includes/fix-firewalld" to the kickstart where all the
- the other includes are.
-
- Remove where CLIP disables firewalld and enables iptables. Find
- the lines below in the kickstart/includes/fix-bad-scap and delete them
- or comment them out.
- systemctl disable firewalld
- systemctl mask firewalld
- systemctl enable iptables
- systemctl enable ip6tables
+ This _should_ be pretty painless. You can enable firewalld in all
+ variants or you can enable it up per variant. At present, CLIP disables
+ firewalld in all variants.
+
+ To enable firewalld in a single variant you need to update that variants
+ kickstart file, kickstart/clip-VARIANTNAME/clip-VARIANTNAME.ks, to set the
+ environment variable CONFIG_ENABLE_FIREWALLD=y in the %post of the
+ kickstart.
+
+ Ths must be done beloow the two lines where the build system adds in the
+ top level environment variables. An example of this is shown below.
+ "
+ # DO NOT REMOVE THE FOLLOWING LINE. NON-EXISTENT WARRANTY VOID IF REMOVED.
+ #CONFIG-BUILD-PLACEHOLDER
+
+ export CONFIG_ENABLE_FIREWALLD=y
+ "
+
+ To enable firewalld globally you need to modify the CONFIG_BUILD file
+ and switch the line
+ CONFIG_ENABLE_FIREWALLD := n
+ to
+ CONFIG_ENABLE_FIREWALLD := y
diff --git a/kickstart/clip-apache/clip-apache.ks b/kickstart/clip-apache/clip-apache.ks
index d2cef3ff0..3afefbd11 100644
--- a/kickstart/clip-apache/clip-apache.ks
+++ b/kickstart/clip-apache/clip-apache.ks
@@ -106,6 +106,10 @@ echo "#CONFIG-BUILD-PLACEHOLDER" >> /root/clip-info.txt
 %include includes/early-scap-audit
 %include includes/scap-remediate
 
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 
 # FIXME: Change the username and password.
 # If a hashed password is specified it will be used
diff --git a/kickstart/clip-minimal/clip-minimal.ks b/kickstart/clip-minimal/clip-minimal.ks
index 6de10bea6..d5220b628 100644
--- a/kickstart/clip-minimal/clip-minimal.ks
+++ b/kickstart/clip-minimal/clip-minimal.ks
@@ -84,6 +84,10 @@ set -x
 %include includes/early-scap-audit
 %include includes/scap-remediate
 
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 
 # FIXME: Change the username and password.
 # If a hashed password is specified it will be used
diff --git a/kickstart/clip-sftp-dropbox/clip-sftp-dropbox.ks b/kickstart/clip-sftp-dropbox/clip-sftp-dropbox.ks
index eee5da3f1..f7cfdfad0 100644
--- a/kickstart/clip-sftp-dropbox/clip-sftp-dropbox.ks
+++ b/kickstart/clip-sftp-dropbox/clip-sftp-dropbox.ks
@@ -93,6 +93,10 @@ echo "#CONFIG-BUILD-PLACEHOLDER" >> /root/clip-info.txt
 %include includes/early-scap-audit
 %include includes/scap-remediate
 
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 
 # FIXME: Change the username and password.
 # If a hashed password is specified it will be used
diff --git a/kickstart/includes/fix-bad-scap b/kickstart/includes/fix-bad-scap
index ce81b9cbf..958836fd0 100644
--- a/kickstart/includes/fix-bad-scap
+++ b/kickstart/includes/fix-bad-scap
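Review bot: The `if` wrapped around `%include includes/fix-firewalld` gates execution, not inclusion: `%include` is resolved by the kickstart parser when the file is read, so the contents of fix-firewalld are always spliced into the %post body and the shell test merely decides whether they run. That works while fix-firewalld is plain shell with no kickstart section markers such as `%end`, but it is easy to misread, so the comment should say so, e.g. `# fix-firewalld is spliced in at parse time; this test only decides whether it runs`. The test also depends on CONFIG_ENABLE_FIREWALLD having been exported earlier in this %post; the clip-apache and clip-sftp-dropbox hunk headers show the #CONFIG-BUILD-PLACEHOLDER line nearby, but the clip-minimal and wip-clip-kubernetes hunks show only `set -x`, so confirm the placeholder precedes this block in those variants. The same block appears in clip-minimal and clip-sftp-dropbox on this line and in wip-clip-kubernetes and wip-clip-vpn further down; the enclosing %post section starts and ends outside every one of these hunks.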
@@ -11,11 +11,13 @@ systemctl stop kdump.service
 systemctl disable kdump.service
 systemctl mask kdump.service
 
-# And I have yet to figure out how to use SECMARK with firewalld.
+# If we are not using firewalld, disable it and turn on iptables
+if [ x"$CONFIG_ENABLE_FIREWALLD" != "xy" ]; then
 systemctl disable firewalld
 systemctl mask firewalld
 systemctl enable iptables
 systemctl enable ip6tables
+fi
 
 # https://github.com/OpenSCAP/scap-security-guide/issues/1435
 sed -i -e 's/cbcMACs/cbc\nMACS/' /etc/ssh/sshd_config
diff --git a/kickstart/wip-clip-kubernetes/wip-clip-kubernetes.ks b/kickstart/wip-clip-kubernetes/wip-clip-kubernetes.ks
index 46d2a4122..3b0f5cd7e 100644
--- a/kickstart/wip-clip-kubernetes/wip-clip-kubernetes.ks
+++ b/kickstart/wip-clip-kubernetes/wip-clip-kubernetes.ks
@@ -92,6 +92,10 @@ set -x
 %include includes/early-scap-audit
 %include includes/scap-remediate
 
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 
 # FIXME: Change the username and password.
 # If a hashed password is specified it will be used
diff --git a/kickstart/wip-clip-vpn/wip-clip-vpn.ks b/kickstart/wip-clip-vpn/wip-clip-vpn.ks
index 8af055911..9154b2dd8 100644
--- a/kickstart/wip-clip-vpn/wip-clip-vpn.ks
+++ b/kickstart/wip-clip-vpn/wip-clip-vpn.ks
@@ -94,6 +94,10 @@ echo "#CONFIG-BUILD-PLACEHOLDER" >> /root/clip-info.txt
 %include includes/early-scap-audit
 %include includes/scap-remediate
 
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 
 if [ x"$CONFIG_BUILD_AWS" != "xy" -o x"$CONFIG_BUILD_VPN_ENABLE_TOOR" == "xy" ]; then
 # FIXME: Change the username and password.
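Review bot: The new conditional is one-sided: when CONFIG_ENABLE_FIREWALLD is `y` it skips enabling iptables/ip6tables, but nothing disables or masks them, so whether the image ends up with both firewall services enabled depends on package defaults and on what includes/fix-firewalld does, neither of which this hunk shows. An explicit `else` branch would make the two stacks mutually exclusive by construction, mirroring what the `!=` branch does to firewalld: `else`, `systemctl disable iptables ip6tables`, `systemctl mask iptables ip6tables`. The replaced comment also dropped the only stated reason firewalld was off by default, the unresolved SECMARK handling; keep that rationale in the new comment, e.g. `# Default is iptables: SECMARK handling under firewalld is still unresolved (see Help-firewalld.txt)`. An unset variable falls into the `!=` branch, so a variant that never exports the value keeps today's behaviour, which is the safe direction for this default.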