yast / yast-security

YaST module security
http://en.opensuse.org/Portal:YaST
GNU General Public License v2.0

Add support for selecting desired Linux Security Module (LSM) #115

Closed teclator closed 2 years ago

teclator commented 2 years ago

Problem

It has been requested to unify the Linux Security Module (LSM) selection during installation, allowing not only SELinux to be selected but also AppArmor, or even no major LSM at all.

Solution

In order to choose which LSM should be used by default, we have added a new lsm section to the control file, and we have added almost the same options to the security AutoYaST schema. The default LSM is set by the select tag, falling back to apparmor if it is missing.


<lsm>
  <select>selinux</select>
  <configurable config:type="boolean">true</configurable>

  <apparmor>
    <patterns>apparmor</patterns>
    <selectable config:type="boolean">true</selectable>
  </apparmor>

  <selinux>
    <!-- Set SELinux enforcing mode by default -->
    <mode>enforcing</mode>
    <configurable config:type="boolean">true</configurable>
    <selectable config:type="boolean">true</selectable>
    <patterns>selinux</patterns>
  </selinux>
</lsm>

The configurable option is available in the lsm section but also per module. If the option is defined as false in the lsm section then the LSM configuration or dialog will not be exposed.

The selectable option is only available per module and will omit the module from the select list during the installation.

Screenshots

| Dialog | Screenshot |
| --- | --- |
| Proposal - SELinux Permissive | YastSecurity_SELinuxPermissive |
| Proposal - AppArmor | YastSecurity_AppArmor |
| Proposal - No LSM major module wanted | YastSecurity_None |
| Security Proposal Dialog - LSM Selector | YastSecurity_LSMSelector |
| Security Proposal Dialog - Selector with SELinux in Permissive mode | YastSecurity_SelinuxPermissiveSelector |
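
Added example, not part of the pull request or of YaST's own code: a Python check that resolves the lsm section described in the comment above and lists the settings a reviewer of a control file or AutoYaST profile would want to look at. The function names, the defaults used for missing elements, the literal value none for "no major LSM" and the namespace declaration on the constructed sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an <lsm> section shaped like the one in the description,
# with the config namespace declared here (assumption) so it parses on its own.
SAMPLE = """<lsm xmlns:config="http://www.suse.com/1.0/configns">
  <select>selinux</select>
  <configurable config:type="boolean">true</configurable>
  <apparmor>
    <selectable config:type="boolean">true</selectable>
  </apparmor>
  <selinux>
    <mode>permissive</mode>
    <selectable config:type="boolean">false</selectable>
  </selinux>
</lsm>"""

MODULES = ("apparmor", "selinux")


def flag(node, tag, default=True):
    """Read a boolean child element; a missing one yields `default` (assumption)."""
    text = node.findtext(tag) if node is not None else None
    return default if text is None else text.strip().lower() == "true"


def audit_lsm(xml_text):
    """Resolve the effective LSM settings and list findings for review."""
    lsm = ET.fromstring(xml_text)
    # Per the description: <select> sets the default, apparmor is the fallback.
    selected = (lsm.findtext("select") or "").strip() or "apparmor"
    offered = [m for m in MODULES if flag(lsm.find(m), "selectable")]
    mode = (lsm.findtext("selinux/mode") or "unset").strip()
    findings = []
    if selected == "none":  # "none" as the no-LSM value is an assumption
        findings.append("no major LSM selected")
    elif selected not in offered:
        findings.append(f"default '{selected}' is not selectable")
    if selected == "selinux" and mode != "enforcing":
        findings.append(f"SELinux default mode is {mode}")
    if flag(lsm, "configurable"):  # only the <lsm>-level element is read here
        findings.append("LSM dialog is exposed; the default can be changed")
    return {"selected": selected, "offered": offered, "findings": findings}
```
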

yast-bot commented 2 years ago

:heavy_check_mark: Public Jenkins job #47 successfully finished :heavy_check_mark: Created OBS submit request #942731

yast-bot commented 2 years ago

:heavy_check_mark: Internal Jenkins job #40 successfully finished :heavy_check_mark: Created IBS submit request #261246