Update how CLIP Enables Firewalld

CONFIG_BUILD

@@ -33,6 +33,7 @@ CONFIG_BUILD_SELINUX_POL_TYPE := mcs
 CONFIG_BUILD_CHECK_KICKSTART := y
 CONFIG_BUILD_ENABLE_GUI := n
 CONFIG_BUILD_BREAK_GUI := n
+CONFIG_ENABLE_FIREWALLD := n
 
 # DEPRECATED OPTIONS
 # These CONFIG_BUILD_ options are deprecated and no longer tested/used.
@@ -84,6 +85,7 @@ CONFIG_BUILD_BASH_VARS += ISO_VERSION=$(strip $(ISO_VERSION))
 CONFIG_BUILD_BASH_VARS += CONFIG_BUILD_ENABLE_DHCP=$(strip $(CONFIG_BUILD_ENABLE_DHCP)) 
 CONFIG_BUILD_BASH_VARS += CONFIG_BUILD_ENABLE_GUI=$(strip $(CONFIG_BUILD_ENABLE_GUI)) 
 CONFIG_BUILD_BASH_VARS += CONFIG_BUILD_BREAK_GUI=$(strip $(CONFIG_BUILD_BREAK_GUI))
+CONFIG_BUILD_BASH_VARS += CONFIG_ENABLE_FIREWALLD=$(strip $(CONFIG_ENABLE_FIREWALLD))
 
 # Typically we are rolling builds on the target arch.  Changing this may have dire consequences.
 # (read -> hasn't be tested at all and may result in broken builds and ultimately the end of the universe as we know it).
@@ -92,4 +94,4 @@ TARGET_ARCH := $(shell uname -i)
 # Quiet down the build output a bit.
 QUIET := n
 
-export TARGET_ARCH ADDTL_DEPS QUIET CONFIG_BUILD_BASH_VARS CONFIG_BUILD_ENFORCING_MODE CONFIG_BUILD_UNCONFINED_TOOR ISO_VERSION CONFIG_BUILD_REMEDIATE CONFIG_BUILD_ENABLE_DHCP CONFIG_BUILD_VPN_ENABLE_TOOR CONFIG_BUILD_SELINUX_POL_TYPE CONFIG_BUILD_CHECK_KICKSTART CONFIG_BUILD_ENABLE_GUI CONFIG_BUILD_BREAK_GUI
+export TARGET_ARCH ADDTL_DEPS QUIET CONFIG_BUILD_BASH_VARS CONFIG_BUILD_ENFORCING_MODE CONFIG_BUILD_UNCONFINED_TOOR ISO_VERSION CONFIG_BUILD_REMEDIATE CONFIG_BUILD_ENABLE_DHCP CONFIG_BUILD_VPN_ENABLE_TOOR CONFIG_BUILD_SELINUX_POL_TYPE CONFIG_BUILD_CHECK_KICKSTART CONFIG_BUILD_ENABLE_GUI CONFIG_BUILD_BREAK_GUI CONFIG_ENABLE_FIREWALLD

Help-firewalld.txt

@@ -59,18 +59,26 @@ What does CLIP do?
 
 ===========================================================================
 How do you switch? 
-    This _should_ be pretty painless. You need to update the kickstart file,
-    kickstart/clip-WHATEVER/clip-WHATEVER.ks, to add in the file that 
-    configures firewalld and remove where CLIP disables the service in 
-    kickstart/includes/fix-bad-scap.
-
-    Add "%include includes/fix-firewalld" to the kickstart where all the 
-    the other includes are. 
-
-    Remove where CLIP disables firewalld and enables iptables. Find
-    the lines below in the kickstart/includes/fix-bad-scap and delete them 
-    or comment them out.
-        systemctl disable firewalld
-        systemctl mask firewalld
-        systemctl enable iptables
-        systemctl enable ip6tables
+    This _should_ be pretty painless. You can enable firewalld in all
+    variants or you can enable it up per variant. At present, CLIP disables
+    firewalld in all variants.
+
+    To enable firewalld in a single variant you need to update that variants 
+    kickstart file, kickstart/clip-VARIANTNAME/clip-VARIANTNAME.ks, to set the 
+    environment variable CONFIG_ENABLE_FIREWALLD=y in the %post of the 
+    kickstart.
+
+    Ths must be done beloow the two lines where the build system adds in the 
+    top level environment variables. An example of this is shown below.
+    "
+    # DO NOT REMOVE THE FOLLOWING LINE. NON-EXISTENT WARRANTY VOID IF REMOVED.
+    #CONFIG-BUILD-PLACEHOLDER
+
+    export CONFIG_ENABLE_FIREWALLD=y
+    "
+
+    To enable firewalld globally you need to modify the CONFIG_BUILD file
+    and switch the line
+    CONFIG_ENABLE_FIREWALLD := n
+    to 
+    CONFIG_ENABLE_FIREWALLD := y

kickstart/clip-apache/clip-apache.ks

@@ -106,6 +106,10 @@ echo "#CONFIG-BUILD-PLACEHOLDER" >> /root/clip-info.txt
 
 %include includes/early-scap-audit
 %include includes/scap-remediate
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 
 # FIXME: Change the username and password.
 #        If a hashed password is specified it will be used

kickstart/clip-minimal/clip-minimal.ks

@@ -84,6 +84,10 @@ set -x
 
 %include includes/early-scap-audit
 %include includes/scap-remediate
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 
 # FIXME: Change the username and password.
 #        If a hashed password is specified it will be used

kickstart/clip-sftp-dropbox/clip-sftp-dropbox.ks

@@ -93,6 +93,10 @@ echo "#CONFIG-BUILD-PLACEHOLDER" >> /root/clip-info.txt
 
 %include includes/early-scap-audit
 %include includes/scap-remediate
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 
 # FIXME: Change the username and password.
 #        If a hashed password is specified it will be used

kickstart/includes/fix-bad-scap

@@ -11,11 +11,13 @@ systemctl stop kdump.service
 systemctl disable kdump.service
 systemctl mask kdump.service
 
-# And I have yet to figure out how to use SECMARK with firewalld.
+# If we are not using firewalld, disable it and turn on iptables
+if [ x"$CONFIG_ENABLE_FIREWALLD" != "xy" ]; then
 systemctl disable firewalld
 systemctl mask firewalld
 systemctl enable iptables
 systemctl enable ip6tables
+fi
 
 # https://github.com/OpenSCAP/scap-security-guide/issues/1435
 sed -i -e 's/cbcMACs/cbc\nMACS/' /etc/ssh/sshd_config 

kickstart/wip-clip-kubernetes/wip-clip-kubernetes.ks

@@ -92,6 +92,10 @@ set -x
 
 %include includes/early-scap-audit
 %include includes/scap-remediate
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 
 # FIXME: Change the username and password.
 #        If a hashed password is specified it will be used

kickstart/wip-clip-vpn/wip-clip-vpn.ks

@@ -94,6 +94,10 @@ echo "#CONFIG-BUILD-PLACEHOLDER" >> /root/clip-info.txt
 
 %include includes/early-scap-audit
 %include includes/scap-remediate
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 
 if [ x"$CONFIG_BUILD_AWS" != "xy" -o x"$CONFIG_BUILD_VPN_ENABLE_TOOR" == "xy" ]; then
 	# FIXME: Change the username and password.