From a450b0d6d3ec764b4aa520a42129eef220696820 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 27 Jan 2021 09:09:40 +0100
Subject: [PATCH 1/2] remove noauto for boot partition from test kickstart

---
 tests/kickstarts/test_suite.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/kickstarts/test_suite.cfg b/tests/kickstarts/test_suite.cfg
index 9ddb1e8791b..7a5e0b50aec 100644
--- a/tests/kickstarts/test_suite.cfg
+++ b/tests/kickstarts/test_suite.cfg
@@ -79,7 +79,7 @@ zerombr
 clearpart --linux --initlabel
 # Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512 --fsoptions="noauto,nosuid,noexec"
+part /boot --fstype=xfs --size=512 --fsoptions="nosuid,noexec"
 part pv.01 --grow --size=1
 # Create a Logical Volume Management (LVM) group (optional)
From 808df8e5dd676e7b91012f452d487bf4ca992fb8 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 27 Jan 2021 11:04:30 +0100
Subject: [PATCH 2/2] Unselect rule mount_option_boot_noauto in ANSSI

The rules that check /boot mount options need to updated to handle cases where the /boot partition is not mounted because of noauto option.
---
 controls/anssi.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index c2e306e6673..fcf2a4f7a10 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -181,7 +181,9 @@ controls:
 - partition_for_boot
 - mount_option_boot_nosuid
 - mount_option_boot_noexec
- - mount_option_boot_noauto
+ # The noauto option rule breaks checking of the other mount options
+ # Commented until rules for /boot mount_option handles this use case
+ # - mount_option_boot_noauto
 # /opt nosuid, nodev (optional ro) Additional packages to the system. Read-only editing if not used
 - partition_for_opt
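Review bot: The `part /boot` line in tests/kickstarts/test_suite.cfg now omits `noauto` with no comment saying why, so the test system quietly diverges from the /boot mount options the ANSSI profile is meant to cover. Judging by the second patch in this series, this looks like a temporary workaround until the /boot mount option checks cope with an unmounted partition; if so, record it next to the line, e.g. `# noauto left out for now: the /boot mount_option checks cannot yet evaluate an unmounted /boot`. Without such a marker nothing prompts anyone to restore the option, and the test suite keeps running only against a system where /boot is always mounted.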
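Review bot: In controls/anssi.yml the `mount_option_boot_noauto` rule is disabled by a YAML comment only, so the ANSSI profile stops checking that /boot stays unmounted and nothing machine-readable records the gap. The comment says the rule is parked until the /boot mount option rules handle this case, but it does not say where that work is tracked; consider `# TODO(<tracking-issue>): re-select mount_option_boot_noauto once the /boot mount_option rules handle an unmounted /boot`. The second comment line would also read better as `# Commented out until the rules for /boot mount options handle this use case`. The enclosing control starts and ends outside the hunk, so whether its own description should mention the dropped rule cannot be judged from here.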