%{?dist: %{expand: %%define %dist 1}} 

Summary:	Qmail statistics
Name: qsstat
Version: 0.3.1
Release: 1
License:	GPL
Group:		System/Base
URL:		http://www.grsecurity.net/
Source0:	gradm-2.1.9-200608201448.tar.gz
Source1:	chpax-%{chpax_ver}.tar.gz
Source2:	nptl.sh
BuildRoot:	%{_tmppath}/%{name}-buildroot
#BuildRequires:	binutils flex findutils byacc bison



%description
grsecurity aims to be a complete security system for Linux.
gradm performs several tasks for the ACL system, including
authenticating to the kernel via a password and parsing ACLs to be
passed to the kernel.

%prep
# Unpack Source0 quietly into the forced directory name.
# NOTE(review): the name is forced to "<name>2" but Source0 is a gradm
# tarball -- confirm the archive really unpacks to that directory.
%setup -q -n %{name}2 
# Unpack Source1 (chpax) into the same tree: -D keeps the directory,
# -T skips re-extracting Source0, -a 1 extracts Source1 after the cd.
%setup -q -n %{name}2  -D -T -a 1



%build
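# Build gradm in the top-level tree, then chpax in the sub-tree that the
# second setup step unpacked.  make -C scopes the directory change to
# the make invocation, so no cd/cd .. pair can leave the shell in the
# wrong directory if a build step fails.
%{__make}
%{__make} -C chpax-%{chpax_ver}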

%install
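# Never wipe or install into the live root.  A buildroot of "/" is a
# packaging error, so abort instead of merely skipping the rm -rf and
# then installing files into the running system.
if [ "%{buildroot}" = "/" ]; then
  echo "buildroot is /, refusing to install" >&2
  exit 1
fi
rm -rf "%{buildroot}"

# gradm from the top-level tree, chpax from its own sub-tree; both
# Makefiles take DESTDIR.  make -C keeps the directory change local.
%{__make} DESTDIR="%{buildroot}" install
%{__make} DESTDIR="%{buildroot}" -C chpax-%{chpax_ver} install

%if %{with_nptl}
# Optional profile.d snippet (Source2), installed with the same path and
# mode that the files list expects.
%{__mkdir_p} "%{buildroot}%{_sysconfdir}/profile.d/"
install -m 0755 "%{SOURCE2}" "%{buildroot}%{_sysconfdir}/profile.d/nptl.sh"
%endif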


%clean
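# Never rm -rf the live root: a buildroot of "/" is a packaging error,
# so fail loudly rather than silently skipping the cleanup.
if [ "%{buildroot}" = "/" ]; then
  echo "buildroot is /, refusing to clean" >&2
  exit 1
fi
rm -rf "%{buildroot}"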


# sitebuilder-core needs exec stack
%triggerin -- sitebuilder-core
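# execstack -c clears the "requires executable stack" marker on the
# module.  Both the tool and the module must exist, and the tool is run
# by the same absolute path that was tested rather than via PATH.
if [ -x /usr/bin/execstack ] && [ -f /usr/lib/php4/sitebuilder.so ]; then
  /usr/bin/execstack -c /usr/lib/php4/sitebuilder.so
fi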

# php-ioncube-loader
%triggerin -- php-ioncube-loader
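# Clear the executable-stack marker on every ioncube loader module.
if [ -x /usr/bin/execstack ]; then
  # The pattern is quoted so the shell cannot expand it against the
  # current directory before find sees it.
  find /usr/lib/php4/ -name 'php_ioncube*' -exec /usr/bin/execstack -c {} \;
fi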

# drweb needs mprotect()
%triggerin -- drweb
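# Lowercase chpax flags disable the named PaX feature for one binary;
# "-m" turns off MPROTECT for drwebd -- confirm against chpax(1).  The
# daemon is stopped around the change, presumably so the binary is not
# in use while its ELF header is rewritten.  chpax is the copy this
# package installs in /sbin, so it is called by absolute path.
if [ -f /opt/drweb/drwebd ]; then
  service drweb stop >/dev/null 2>&1
  /sbin/chpax -m /opt/drweb/drwebd
  service drweb start >/dev/null 2>&1
fi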

# fix permissions on psa bin dir
%triggerin -- psa
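# Plesk's bin dir and its chroot shell must be root-owned.  chrootsh is
# made setuid root (4755); the chown runs first so the setuid bit is
# never left on a file owned by anyone but root.  "user:group" is the
# documented chown separator; the old "user.group" form is deprecated.
if [ -d /usr/local/psa/bin ]; then
  chown root:root /usr/local/psa/bin
fi

if [ -f /usr/local/psa/bin/chrootsh ]; then
  chown root:root /usr/local/psa/bin/chrootsh
  chmod 4755 /usr/local/psa/bin/chrootsh
fi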

# fix beeencrypt stack execution
%triggerin -- beecrypt
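# Clear the executable-stack marker on the versioned beecrypt library.
if [ -x /usr/bin/execstack ]; then
  # Iterate instead of testing the glob directly: "[ -f a b ]" is an
  # error as soon as more than one versioned library matches.  An
  # unmatched pattern arrives literally and simply fails the -f test.
  for lib in /usr/lib/libbeecrypt.so.*.*.*; do
    if [ -f "$lib" ]; then
      /usr/bin/execstack -c "$lib"
    fi
  done
fi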

# fix stack execution on mysql on 2.6 kernels
%triggerin -- mysql
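# Clear the executable-stack marker on the mysql client libraries.
if [ -x /usr/bin/execstack ]; then
  # Pattern quoted so the shell does not expand it first.  Best effort:
  # per-file failures are silenced, as not every match is an ELF object.
  find /usr/lib -name 'libmysql*' -exec /usr/bin/execstack -c {} \; >/dev/null 2>&1
fi

# CentOS4/RHEL4 have a problem with bdb in mysql
# (the following lines are emitted only when the rhel4 macro is defined)
%{?rhel4:if ! grep -q "^skip-bdb" /etc/my.cnf; then }
%{?rhel4:  sed -e 's/\[mysqld\]/\[mysqld\]\nskip-bdb/' /etc/my.cnf > /etc/my.cnf.atomicorp }
%{?rhel4:  mv -f /etc/my.cnf.atomicorp /etc/my.cnf }
%{?rhel4:fi }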


%triggerin -- mysql-compat
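# Clear the executable-stack marker on the compat mysql client libraries.
if [ -x /usr/bin/execstack ]; then
  # Pattern quoted so the shell does not expand it first.  Best effort:
  # per-file failures are silenced, as not every match is an ELF object.
  find /usr/lib -name 'libmysql*' -exec /usr/bin/execstack -c {} \; >/dev/null 2>&1
fi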

# Fix frontpage perms
%triggerin -- frontpage
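# Hand every versioned frontpage tree to root.  The glob is deliberately
# unquoted so each version directory is chown'ed; "user:group" is the
# documented separator, the "user.group" form is deprecated.
if [ -d /usr/local/frontpage ]; then
  chown -R root:root /usr/local/frontpage/version*/*
fi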

# Fix courier-imap perms
%triggerin -- courier-imap
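# Hand the courier-imap tree to root ("user:group" is the documented
# chown separator; the "user.group" form is deprecated).
if [ -d /usr/lib/courier-imap ]; then
  chown -R root:root /usr/lib/courier-imap/
fi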

# Fix mailman perms
%triggerin -- mailman
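# The mailman tree lives under /usr/lib on some layouts and under /var
# on others; whichever is present gets root ownership on the top dir,
# cgi-bin and cron, and 0755 on cgi-bin, cron and mail.  Passing all
# paths to one chown/chmod keeps the per-path best-effort behaviour:
# a missing path is reported and the remaining ones are still handled.
for mm in /usr/lib/mailman /var/mailman; do
  if [ -d "$mm/cgi-bin" ]; then
    chown root:root "$mm" "$mm/cgi-bin" "$mm/cron"
    chmod 755 "$mm/cgi-bin" "$mm/cron" "$mm/mail"
  fi
done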

# Fix php-xslt
%triggerin -- php-xslt
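# Clear the executable-stack marker on the php xslt module when both
# the module and the tool are present; the tool is run by the same
# absolute path that was tested rather than via PATH.
if [ -f /usr/lib/php4/xslt.so ] && [ -x /usr/bin/execstack ]; then
  /usr/bin/execstack -c /usr/lib/php4/xslt.so
fi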



# Fix X
%triggerin -- XFree86
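# Lowercase chpax flags disable the named PaX features for one binary;
# "-emsrpx" turns off EMUTRAMP, MPROTECT, SEGMEXEC, RANDMMAP, PAGEEXEC
# and RANDEXEC for the X server -- confirm against chpax(1).  chpax is
# the copy this package installs in /sbin, so it is called by path.
if [ -f /usr/X11R6/bin/XFree86 ]; then
  /sbin/chpax -emsrpx /usr/X11R6/bin/XFree86
fi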

# Plesk PAM rpm
%triggerin -- psa-libpam-plesk
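# Clear the executable-stack marker on the Plesk PAM module.  The path
# is a plain /lib path (the doubled leading slash was a typo) and, like
# the other triggers, execstack is only run when it is installed.
if [ -f /lib/security/pam_plesk.so ] && [ -x /usr/bin/execstack ]; then
  /usr/bin/execstack -c /lib/security/pam_plesk.so
fi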


# Java
%triggerin -- j2sdk
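# Disable the PaX protections (lowercase chpax flags: EMUTRAMP, MPROTECT,
# SEGMEXEC, RANDMMAP, PAGEEXEC, RANDEXEC) on the JDK binaries --
# presumably because the JVM needs writable+executable memory; confirm
# against chpax(1).  Running JVMs are killed first, presumably so the
# binaries are not in use while their ELF headers are rewritten.
#
# Arguments are expanded glob matches, one binary each.  Looping over
# them avoids "[ -f a b ]", which is an error when several JDK
# directories match; an unmatched pattern arrives literally and simply
# fails the -f test.
pax_relax_java() {
  for bin in "$@"; do
    if [ -f "$bin" ]; then
      /sbin/chpax -emsrpx "$bin"
    fi
  done
}

killall -9 java >/dev/null 2>&1
pax_relax_java /usr/java/j2sdk*/bin/java /usr/java/j2sdk*/bin/javac \
  /usr/lib/jvm/java*/bin/java /usr/lib/jvm/java*/bin/javac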
%triggerin -- java-1.4.2-sun
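# Disable the PaX protections (lowercase chpax flags: EMUTRAMP, MPROTECT,
# SEGMEXEC, RANDMMAP, PAGEEXEC, RANDEXEC) on the Sun JVM binaries --
# presumably because the JVM needs writable+executable memory; confirm
# against chpax(1).
#
# Arguments are expanded glob matches, one binary each.  Looping over
# them avoids "[ -f a b ]", which is an error when several JVM
# directories match; an unmatched pattern arrives literally and simply
# fails the -f test.
pax_relax_java() {
  for bin in "$@"; do
    if [ -f "$bin" ]; then
      /sbin/chpax -emsrpx "$bin"
    fi
  done
}

pax_relax_java /usr/lib/jvm/java*/bin/java /usr/lib/jvm/java*/bin/javac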

# untrusted users trigger
%triggerin -- httpd snort mailman gdm mysql-server postgres qmail psa-qmail psa openssh 
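# Service accounts that are forced into the "untrusted" group whenever
# one of the triggering packages is installed.  Word-split on purpose.
USERS="lp sync shutdown halt mail news uucp operator games gopher ftp nobody rpm vcsa nscd sshd rpc rpcuser nfsnobody mailnull smmsp pcap apache squid webalizer xfs named ntp gdm amanda canna wnn fax netdump nut ldap mysql ident postfix mailman postgres privoxy pvm desktop radvd iplog snort dnscache dnslog alias qmaild qmaill qmailp qmailq qmailr qmails popuser psaadm psaftp qscand ftproot dcc"

for i in $USERS; do
  # Match the whole login field: a bare prefix would also match e.g.
  # "mailman" or "mailnull" when only "mail" is listed.
  if grep -q "^$i:" /etc/passwd; then
    # id -nG prints the account's group names separated by spaces; test
    # for the whole word "untrusted", not a substring of another group.
    if ! id -nG "$i" | tr ' ' '\n' | grep -qx untrusted; then
      # usermod -G replaces the supplementary group list, so the current
      # groups are re-supplied together with untrusted.  Best effort:
      # failures are silenced.
      /usr/sbin/usermod -G "untrusted,$(id -nG "$i" | tr ' ' ',')" "$i" >/dev/null 2>&1
    fi
  fi
done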



%post
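# Character device gradm talks to (major 1, minor 13).  It is recreated
# on every install so its mode is known; both branches of the old
# if/else did the same mknod.  0622 leaves it write-only for group and
# other -- presumably because gradm only ever writes to it; confirm
# against the gradm documentation.
rm -f /dev/grsec
/bin/mknod -m 0622 /dev/grsec c 1 13

# Create the role groups with fixed GIDs.  groupadd -f exits 0 when the
# group already exists and, together with -g, falls back to another GID
# if the requested one is taken; -r marks them as system groups.
for spec in untrusted:1005 socket:1004 server:1003 client:1002; do
  grp=${spec%%:*}
  gid=${spec##*:}
  if ! grep -q "^$grp:" /etc/group; then
    /usr/sbin/groupadd -g "$gid" -r -f "$grp"
  fi
done

# Service accounts that are forced into the "untrusted" group.
# Word-split on purpose.
USERS="lp sync shutdown halt mail news uucp operator games gopher ftp nobody rpm vcsa nscd sshd rpc rpcuser nfsnobody mailnull smmsp pcap apache squid webalizer xfs named ntp gdm amanda canna wnn fax netdump nut ldap mysql ident postfix mailman postgres privoxy pvm desktop radvd iplog snort dnscache dnslog alias qmaild qmaill qmailp qmailq qmailr qmails popuser psaadm psaftp qscand ftproot dcc"

for i in $USERS; do
  # Match the whole login field: a bare prefix would also match e.g.
  # "mailman" or "mailnull" when only "mail" is listed.
  if grep -q "^$i:" /etc/passwd; then
    # id -nG prints the account's group names separated by spaces; test
    # for the whole word "untrusted", not a substring of another group.
    if ! id -nG "$i" | tr ' ' '\n' | grep -qx untrusted; then
      # usermod -G replaces the supplementary group list, so the current
      # groups are re-supplied together with untrusted.  Best effort:
      # failures are silenced.
      /usr/sbin/usermod -G "untrusted,$(id -nG "$i" | tr ' ' ',')" "$i" >/dev/null 2>&1
    fi
  fi
done

# Switch SELinux from enforcing to permissive if it is enabled.
# currently disabling selinux from the kernel rpm in grub.conf
# The edited text is written back through the existing path instead of
# mv'ing a new file over it: where /etc/sysconfig/selinux is a symlink
# to /etc/selinux/config, mv would replace the symlink with a regular
# file and leave the real config (and so the next boot) in enforcing.
selcfg=/etc/sysconfig/selinux
if [ -f "$selcfg" ] && grep -q '^SELINUX=enforcing' "$selcfg"; then
  if sed 's/^SELINUX=enforcing/SELINUX=permissive/' "$selcfg" > "$selcfg.tmp"; then
    cat "$selcfg.tmp" > "$selcfg"
  fi
  rm -f "$selcfg.tmp"
fi

# Ioncube fix: clear the executable-stack marker on a manually installed
# loader.  Skipped when execstack is not installed; per-file failures
# are silenced (best effort).
if [ -d /usr/local/ioncube ] && [ -x /usr/bin/execstack ]; then
  find /usr/local/ioncube -name '*so' -exec /usr/bin/execstack -c {} \; >/dev/null 2>&1
fi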

       

%files
%defattr(-,root,root)
%dir %{_sysconfdir}/grsec
%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/grsec/learn_config
%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/grsec/policy
%attr(0754,root,root) /sbin/%{name}
%attr(0754,root,root) /sbin/grlearn
%attr(0754,root,root) /sbin/chpax
#%{?rh90: %attr(0754,root,root) /sbin/gradm_pam} 
#%{?rhfc1: %attr(0754,root,root) /sbin/gradm_pam} 
#%{?rhfc2: %attr(0754,root,root) /sbin/gradm_pam} 
#%{?rhfc3: %attr(0754,root,root) /sbin/gradm_pam} 
#%{?rhfc4: %attr(0754,root,root) /sbin/gradm_pam} 
#%{?rhel3: %attr(0754,root,root) /sbin/gradm_pam} 
#%{?rhel4: %attr(0754,root,root) /sbin/gradm_pam} 
%attr(0754,root,root) /sbin/gradm_pam
%attr(0644,root,root) %{_mandir}/man8/%{name}.8*
%attr(0644,root,root) %{_mandir}/man1/chpax.1.gz*
%if %{with_nptl}
%attr(0755,root,root) /etc/profile.d/nptl.sh
%endif

%changelog
* Wed Sep 13 2006 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.9-1
- update to gradm-2.1.9-200608201448
- trigger update for sun jre

* Sat Mar 4 2006 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.8
- update to 2.1.8-200601212342
- major trigger updates

* Tue Jan 3 2006 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.7
- update to 2.1.7-200511041858
- mailman trigger update for FC4/4ES layout
- php-xslt trigger
- install-only check for manual install of ioncube loader

* Sat Sep 10 2005 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.6-13
- further refinement of untrusted trigger

* Sat Sep 10 2005 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.6-12
- fix for mysql triggers on shared objects

* Sat Sep 10 2005 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.6-11
- bugfix in untrusted group routine, this should fix group removal issues in the future

* Thu Sep 1 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- add in untrusted groups creation, and expanded it into a trigger
- add in check for selinux enforce mode, set to permissive if detected

* Sun Aug 28 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- update to 2.1.6

* Tue Jun 7 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- execstack trigger for mysql-compat

* Tue May 24 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- execstack trigger added for mysql

* Mon May 23 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- psa trigger addition

* Sun May 15 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- update to gradm-2.1.5-200504081812
- mknod fix

* Tue May 10 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- Added nptl.sh script

* Mon Mar 28 2005 Scott R. Shinn <scott@atomicrocketturtle.com> 
- updated to 2.1.4
- removed SLS specific modifications
- added chpax 0.7

* Fri Jan 23 2004 Vincent Danen <vdanen@opensls.org> 2.0-0.5sls
- OpenSLS build
- tidy spec
- remove %%_prefix

* Tue Dec 30 2003 Michael Scherer <misc@mandrake.org> 2.0-0.4mdk 
- fix [DIRM] %{_sysconfdir}/grsec

* Thu Nov 20 2003 Thomas Backlund <tmb@iki.fi> 2.0-0.3mdk
- rc3

* Thu Sep 18 2003 Thomas Backlund <tmb@iki.fi> 2.0-0.2mdk
- move devfs checks to %post from makefile

* Wed Sep 17 2003 Thomas Backlund <tmb@iki.fi> 2.0-0.1mdk
- initial cooker contrib
- gradm 2.0-rc2
- spec based on 1.9.9d rpm package by Oden Eriksson that 
  never got uploaded due to kernel mismatch