forked from pool/crypto-policies
Pedro Monreal Gonzalez
b59bbd02a8
Update to latest version and update jira tracking number from jsc#PED-4578 to jsc#PED-5041 OBS-URL: https://build.opensuse.org/request/show/1114283 OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=23
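--- a/python/policygenerators/nss.py
+++ b/python/policygenerators/nss.py
@@ -198,12 +198,20 @@ class NSSGenerator(ConfigGenerator):
 try:
 with os.fdopen(fd, 'w') as f:
 f.write(config)
- try:
- ret = call(f'/usr/bin/nss-policy-check {options} {path}'
- '>/dev/null',
- shell=True)
- except CalledProcessError:
- cls.eprint("/usr/bin/nss-policy-check: Execution failed")
+ if os.path.exists('/usr/bin/nss-policy-check'):
+ # Perform a policy check only if the mozilla-nss-tools
+ # package is installed. This avoids adding more
+ # dependencies to Ring0.
+ try:
+ ret = call(f'/usr/bin/nss-policy-check {options} {path}'
+ '>/dev/null', shell=True)
+ except CalledProcessError:
+ cls.eprint("/usr/bin/nss-policy-check: Execution failed")
+ else:
+ # The mozilla-nss-tools package is not installed and we can
+ # temporarily skip the policy check for mozilla-nss.
+ ret = 3
+
 finally:
 os.unlink(path)
 
@@ -211,6 +219,10 @@ class NSSGenerator(ConfigGenerator):
 cls.eprint("There is a warning in NSS generated policy")
 cls.eprint(f'Policy:\n{config}')
 return False
+ elif ret == 3:
+ cls.eprint('Skipping NSS policy check: '
+ '/usr/bin/nss-policy-check not found')
+ return True
 elif ret:
 cls.eprint("There is an error in NSS generated policy")
 cls.eprint(f'Policy:\n{config}')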
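Review bot: The skip path in the first hunk stores `ret = 3`, an integer that shares its value space with the exit status of nss-policy-check, and the second hunk tests `elif ret == 3` ahead of the generic `elif ret:` error branch, so if the tool ever exits with status 3 a real failure would be logged as a skipped check and the method would return True. A sentinel that cannot be an exit status keeps the two cases apart: `ret = None` in the `else:` branch and `elif ret is None:` in the second hunk. Because the skip makes validation fail open, the comment on the `else:` branch should also say that the generated NSS policy is left unverified on systems without mozilla-nss-tools. The enclosing method starts and ends outside both hunks, so the initial value of `ret` and the first `if` of the chain are not visible here.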