distro: add oscap packages to image

Since the oscap remediation stage in osbuild runs the oscap package in `chroot`, it is necessary to install the `openscap-scanner` package to the image itself rather than the build root.
2022-08-15 15:42:56 +01:00 · 2022-08-15 15:42:56 +01:00 · c264ce53cd
commit c264ce53cd
parent de6b8e8f5b
4 changed files with 12 additions and 23 deletions
--- a/internal/distro/rhel8/distro.go
+++ b/internal/distro/rhel8/distro.go
@ -450,13 +450,11 @@ func (t *imageType) PackageSets(bp blueprint.Blueprint, options distro.ImageOpti
 		mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(extraPkgs)
 	}

-	// if oscap customizations are enabled we need to add `openscap-scanner`
-	// and `scap-security-guides` packages to build root
+	// if oscap customizations are enabled we need to add
+	// `openscap-scanner` & `scap-security-guide` packages
+	// to build root
 	if bp.Customizations.GetOpenSCAP() != nil {
-		mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(rpmmd.PackageSet{Include: []string{
-			"openscap-scanner",
-			"scap-security-guide",
-		}})
+		bpPackages = append(bpPackages, "openscap-scanner", "scap-security-guide")
 	}

 	// depsolve bp packages separately
--- a/internal/distro/rhel9/distro.go
+++ b/internal/distro/rhel9/distro.go
@ -386,13 +386,11 @@ func (t *imageType) PackageSets(bp blueprint.Blueprint, options distro.ImageOpti
 		mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(extraPkgs)
 	}

-	// if oscap customizations are enabled we need to add `openscap-scanner`
-	// and `scap-security-guides` packages to build root
+	// if oscap customizations are enabled we need to add
+	// `openscap-scanner` & `scap-security-guide` packages
+	// to build root
 	if bp.Customizations.GetOpenSCAP() != nil {
-		mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(rpmmd.PackageSet{Include: []string{
-			"openscap-scanner",
-			"scap-security-guide",
-		}})
+		bpPackages = append(bpPackages, "openscap-scanner", "scap-security-guide")
 	}

 	// depsolve bp packages separately
--- a/internal/manifest/os.go
+++ b/internal/manifest/os.go
@ -155,6 +155,10 @@ func (p *OS) getPackageSetChain() []rpmmd.PackageSet {
 		packages = append(packages, fmt.Sprintf("selinux-policy-%s", p.SElinux))
 	}

+	if p.OpenSCAPConfig != nil {
+		packages = append(packages, "openscap-scanner", "scap-security-guide")
+	}
+
 	chain := []rpmmd.PackageSet{
 		{
 			Include:      append(packages, p.ExtraBasePackages...),
@ -186,9 +190,6 @@ func (p *OS) getBuildPackages() []string {
 		packages = append(packages, "policycoreutils")
 		packages = append(packages, fmt.Sprintf("selinux-policy-%s", p.SElinux))
 	}
-	if p.OpenSCAPConfig != nil {
-		packages = append(packages, "openscap-scanner", "scap-security-guide")
-	}
 	return packages
 }

--- a/test/cases/oscap.sh
+++ b/test/cases/oscap.sh
@ -373,14 +373,6 @@ version = "0.0.1"
 modules = []
 groups = []

-[[ packages ]]
-name = "openscap-scanner"
-version = "*"
-
-[[ packages ]]
-name = "scap-security-guide"
-version = "*"
-
 [customizations.openscap]
 profile_id = "${PROFILE}"
 datastream = "${DATASTREAM}"