From c264ce53cd16d6441bafbc59b91346e1e1e1eae0 Mon Sep 17 00:00:00 2001
From: Gianluca Zuccarelli
Date: Mon, 15 Aug 2022 15:42:56 +0100
Subject: [PATCH] distro: add oscap packages to image

Since the oscap remediation stage in osbuild runs the oscap package in `chroot`, it is necessary to install the `openscap-scanner` package to the image itself rather than the build root.
---
 internal/distro/rhel8/distro.go | 10 ++++------
 internal/distro/rhel9/distro.go | 10 ++++------
 internal/manifest/os.go | 7 ++++---
 test/cases/oscap.sh | 8 --------
 4 files changed, 12 insertions(+), 23 deletions(-)

diff --git a/internal/distro/rhel8/distro.go b/internal/distro/rhel8/distro.go
index bd78a4e1f..1bb1ebcd4 100644
--- a/internal/distro/rhel8/distro.go
+++ b/internal/distro/rhel8/distro.go
@@ -450,13 +450,11 @@ func (t *imageType) PackageSets(bp blueprint.Blueprint, options distro.ImageOpti
 mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(extraPkgs)
 }
 
- // if oscap customizations are enabled we need to add `openscap-scanner`
- // and `scap-security-guides` packages to build root
+ // if oscap customizations are enabled we need to add
+ // `openscap-scanner` & `scap-security-guide` packages
+ // to build root
 if bp.Customizations.GetOpenSCAP() != nil {
- mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(rpmmd.PackageSet{Include: []string{
- "openscap-scanner",
- "scap-security-guide",
- }})
+ bpPackages = append(bpPackages, "openscap-scanner", "scap-security-guide")
 }
 
 // depsolve bp packages separately
diff --git a/internal/distro/rhel9/distro.go b/internal/distro/rhel9/distro.go
index ba5d1b2c9..b4814c38e 100644
--- a/internal/distro/rhel9/distro.go
+++ b/internal/distro/rhel9/distro.go
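Review bot: The rewritten comment above `if bp.Customizations.GetOpenSCAP() != nil` in internal/distro/rhel8/distro.go still says the packages go "to build root", but the new line appends them to `bpPackages`, which the trailing `// depsolve bp packages separately` context suggests is the image's blueprint package list. The stale wording hides the reason given in the commit message, so I would replace it with `// the oscap remediation stage runs oscap in a chroot of the image, so openscap-scanner and scap-security-guide must be installed in the image itself`. The identical hunk in internal/distro/rhel9/distro.go needs the same fix. `bpPackages` is declared outside the hunk, so it is worth confirming that a blueprint which already lists either package (as test/cases/oscap.sh did before this commit) does not produce duplicate entries that the separate depsolve handles badly.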
@@ -386,13 +386,11 @@ func (t *imageType) PackageSets(bp blueprint.Blueprint, options distro.ImageOpti
 mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(extraPkgs)
 }
 
- // if oscap customizations are enabled we need to add `openscap-scanner`
- // and `scap-security-guides` packages to build root
+ // if oscap customizations are enabled we need to add
+ // `openscap-scanner` & `scap-security-guide` packages
+ // to build root
 if bp.Customizations.GetOpenSCAP() != nil {
- mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(rpmmd.PackageSet{Include: []string{
- "openscap-scanner",
- "scap-security-guide",
- }})
+ bpPackages = append(bpPackages, "openscap-scanner", "scap-security-guide")
 }
 
 // depsolve bp packages separately
diff --git a/internal/manifest/os.go b/internal/manifest/os.go
index 0642c83f0..0d7c88d89 100644
--- a/internal/manifest/os.go
+++ b/internal/manifest/os.go
@@ -155,6 +155,10 @@ func (p *OS) getPackageSetChain() []rpmmd.PackageSet {
 packages = append(packages, fmt.Sprintf("selinux-policy-%s", p.SElinux))
 }
 
+ if p.OpenSCAPConfig != nil {
+ packages = append(packages, "openscap-scanner", "scap-security-guide")
+ }
+
 chain := []rpmmd.PackageSet{
 {
 Include: append(packages, p.ExtraBasePackages...),
@@ -186,9 +190,6 @@ func (p *OS) getBuildPackages() []string {
 packages = append(packages, "policycoreutils")
 packages = append(packages, fmt.Sprintf("selinux-policy-%s", p.SElinux))
 }
- if p.OpenSCAPConfig != nil {
- packages = append(packages, "openscap-scanner", "scap-security-guide")
- }
 return packages
 }
 
diff --git a/test/cases/oscap.sh b/test/cases/oscap.sh
index b21af9678..fac3f50dd 100755
--- a/test/cases/oscap.sh
+++ b/test/cases/oscap.sh
@@ -373,14 +373,6 @@ version = "0.0.1"
 modules = []
 groups = []
 
-[[ packages ]]
-name = "openscap-scanner"
-version = "*"
-
-[[ packages ]]
-name = "scap-security-guide"
-version = "*"
-
 [customizations.openscap]
 profile_id = "${PROFILE}"
 datastream = "${DATASTREAM}"
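Review bot: The new `if p.OpenSCAPConfig != nil` branch in getPackageSetChain (internal/manifest/os.go) carries no comment explaining why the scanner and SCAP content are installed into the OS tree rather than the build root, so a later cleanup could move them back to getBuildPackages. I would add `// oscap remediation runs inside the image tree (chroot), so the scanner and its content must be installed in the image, not the build root` above the branch. The two package names are now repeated as string literals here and in both distro.go files, so a shared constant or helper would keep the three lists from drifting apart. The function body continues outside the hunk.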