rpms/authselect
7
0
Fork 0
Code Issues Pull Requests Releases Activity
5ba59e8849
authselect/SPECS/authselect.spec

389 lines
15 KiB
RPMSpec
Raw Normal View History

import authselect-1.0-13.el8
2019-05-07 10:06:39 +00:00
Name: authselect
Version: 1.0
Release: 13%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/pbrezina/authselect
License: GPLv3+
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%if 0%{?rhel}
Source1: translations-1.0-12.tar.gz
%endif
%global makedir %{_builddir}/%{name}-%{version}
Patch0001: 0001-lib-fix-profile-origin-debug-message.patch
Patch0002: 0002-man-remove-duplicate-of-with-pamaccess.patch
Patch0003: 0003-Don-t-write-options-without-value-to-pwquality-conf-.patch
Patch0004: 0004-compat-write-only-options-set-on-command-line-to-pwq.patch
Patch0005: 0005-compat-fix-regular-expression-for-environment-files.patch
Patch0006: 0006-compat-fix-typo-in-compat-tool-that-produces-TypeErr.patch
Patch0007: 0007-compat-use-current-configuration-unless-other-profil.patch
Patch0008: 0008-compat-do-not-disable-service-if-its-option-is-not-s.patch
Patch0009: 0009-nis-add-all-maps-supported-by-nss_nis.patch
Patch0010: 0010-nis-add-systemd-module-to-nsswitch.conf.patch
Patch0011: 0011-nis-add-nis-option-to-pam_unix-in-password-phase.patch
Patch0012: 0012-nis-with-nispwquality-will-enable-pwquality-for-nis-.patch
Patch0013: 0013-profiles-add-without-nullok.patch
Patch0014: 0014-profiles-add-options-to-exclude-lines-from-nsswitch..patch
Patch0015: 0015-compat-do-not-stop-rpcbind-only-start-it.patch
Patch0016: 0016-sssd-document-that-this-profile-can-be-used-also-wit.patch
Patch0017: 0017-sssd-add-support-for-local-users-authentication-via-.patch
Patch0018: 0018-sssd-add-with-smartcard-required-feature.patch
Patch0019: 0019-sssd-remove-with-sudo-duplicate-from-readme.patch
Patch0020: 0020-profiles-end-all-files-with-new-line.patch
Patch0021: 0021-compat-add-support-for-with-smartcard-required-enabl.patch
Patch0022: 0022-compat-support-with-smartcard-lock-on-removal-smartc.patch
Patch0023: 0023-profiles-mention-pam_oddjob_mkhomedir-in-requirement.patch
Patch0024: 0024-lib-fix-memory-leak-in-authselect_profile_free.patch
Patch0025: 0025-lib-fix-memory-leak-in-authselect_config_validate_ex.patch
Patch0026: 0026-profiles-make-session-pam_systemd-required.patch
Patch0027: 0027-lib-add-authselect_profile_features-to-list-supporte.patch
Patch0028: 0028-lib-refuse-to-activate-profile-if-unsupported-featur.patch
Patch0029: 0029-lib-remove-no-longer-supported-features-in-apply-cha.patch
Patch0030: 0030-compat-write-to-sysconfig-after-all-changes-are-done.patch
Patch0031: 0031-util-remove-duplicate-values-correctly-in-string_arr.patch
Patch0032: 0032-util-do-not-return-value-from-string_array_del_value.patch
Patch0033: 0033-util-fix-buffer-error-in-textfile_copy.patch
Patch0034: 0034-lib-fix-coverity-warnings.patch
Patch0035: 0035-lib-label-temporary-files-with-correct-selinux-conte.patch
Patch0036: 0036-authselect-fix-memory-leak-of-maps.patch
Patch0037: 0037-lib-make-selinux-functions-work-with-selinux-disable.patch
Patch0038: 0038-sssd-require-smartcard-only-for-specific-services.patch
Patch0039: 0039-Revert-profiles-make-session-pam_systemd-required.patch
# Downstream only
Patch0901: 0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: findutils
BuildRequires: libtool
BuildRequires: m4
BuildRequires: gcc
BuildRequires: pkgconfig
BuildRequires: pkgconfig(popt)
BuildRequires: gettext-devel
BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libselinux-devel
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
Suggests: fprintd-pam
Suggests: oddjob-mkhomedir
%description
Authselect is designed to be a replacement for authconfig but it takes
a different approach to configure the system. Instead of letting
the administrator build the PAM stack with a tool (which may potentially
end up with a broken configuration), it would ship several tested stacks
(profiles) that solve a use-case and are well tested and supported.
At the same time, some obsolete features of authconfig are not
supported by authselect.
%package libs
Summary: Utility library used by the authselect tool
Requires: libselinux
# Required by scriptlets
Requires: coreutils
Requires: findutils
Requires: gawk
Requires: grep
Requires: sed
Requires: systemd
%description libs
Common library files for authselect. This package is used by the authselect
command line tool and any other potential front-ends.
%package compat
Summary: Tool to provide minimum backwards compatibility with authconfig
Obsoletes: authconfig < 7.0.1-6
Provides: authconfig
BuildRequires: python3-devel
Requires: authselect%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: realmd
Suggests: samba-winbind
Suggests: oddjob-mkhomedir
# Required by scriptlets
Requires: sed
%description compat
This package will replace %{_sbindir}/authconfig with a tool that will
translate some of the authconfig calls into authselect calls. It provides
only minimum backward compatibility and users are encouraged to migrate
to authselect completely.
%package devel
Summary: Development libraries and headers for authselect
Requires: authselect-libs%{?_isa} = %{version}-%{release}
%description devel
System header files and development libraries for authselect. Useful if
you develop a front-end for the authselect library.
%prep
%setup -q
for p in %patches ; do
%__patch -p1 -i $p
done
# Install RHEL translations
# It is not possible to use wildcards here so we need to use 'find'
%if 0%{?rhel}
find "%{makedir}/po" "%{makedir}/src/man/po" -name "*.po" -delete
%__rm "%{makedir}/po/LINGUAS"
%setup -T -D -a 1
%endif
%build
autoreconf -if
%configure --with-pythonbin="%{__python3}"
%make_build
%check
%make_build check
%install
%make_install
# Find translations
%find_lang %{name}
%find_lang %{name} %{name}.8.lang --with-man
%find_lang %{name}-migration %{name}-migration.7.lang --with-man
%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man
# We want this file to contain only manual page translations
sed -i '/LC_MESSAGES/d' %{name}.8.lang
# Remove .la and .a files created by libtool
find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
find $RPM_BUILD_ROOT -name "*.a" -exec rm -f {} \;
%ldconfig_scriptlets libs
%files libs -f %{name}.lang -f %{name}-profiles.5.lang
%dir %{_sysconfdir}/authselect
%dir %{_sysconfdir}/authselect/custom
%dir %{_localstatedir}/lib/authselect
%dir %{_datadir}/authselect
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/nis/dconf-db
%{_datadir}/authselect/default/nis/dconf-locks
%{_datadir}/authselect/default/nis/fingerprint-auth
%{_datadir}/authselect/default/nis/nsswitch.conf
%{_datadir}/authselect/default/nis/password-auth
%{_datadir}/authselect/default/nis/postlogin
%{_datadir}/authselect/default/nis/README
%{_datadir}/authselect/default/nis/REQUIREMENTS
%{_datadir}/authselect/default/nis/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
%{_datadir}/authselect/default/sssd/nsswitch.conf
%{_datadir}/authselect/default/sssd/password-auth
%{_datadir}/authselect/default/sssd/postlogin
%{_datadir}/authselect/default/sssd/README
%{_datadir}/authselect/default/sssd/REQUIREMENTS
%{_datadir}/authselect/default/sssd/smartcard-auth
%{_datadir}/authselect/default/sssd/system-auth
%{_datadir}/authselect/default/winbind/dconf-db
%{_datadir}/authselect/default/winbind/dconf-locks
%{_datadir}/authselect/default/winbind/fingerprint-auth
%{_datadir}/authselect/default/winbind/nsswitch.conf
%{_datadir}/authselect/default/winbind/password-auth
%{_datadir}/authselect/default/winbind/postlogin
%{_datadir}/authselect/default/winbind/README
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/system-auth
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
%{_datadir}/doc/authselect/COPYING
%{_datadir}/doc/authselect/README.md
%license COPYING
%doc README.md
%files compat
%{_sbindir}/authconfig
%{python3_sitelib}/authselect/
%files devel
%{_includedir}/authselect.h
%{_libdir}/libauthselect.so
%{_libdir}/pkgconfig/authselect.pc
%files -f %{name}.8.lang -f %{name}-migration.7.lang
%{_bindir}/authselect
%{_mandir}/man8/authselect.8*
%{_mandir}/man7/authselect-migration.7*
%global validfile %{_localstatedir}/lib/rpm-state/%{name}.config-valid
%pre libs
rm -f %{validfile}
if [ $1 -gt 1 ] ; then
# Remember if the current configuration is valid
%{_bindir}/authselect check &> /dev/null
if [ $? -eq 0 ]; then
touch %{validfile}
fi
fi
exit 0
%posttrans libs
# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
# If we are upgrading from older version, we want to remove these comments.
sed -i '/^# Generated by authselect on .*$/{$!{
N;N # Read also next two lines
/# Generated by authselect on .*\n# Do not modify this file manually.\n/d
}}' %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
fi
# If the configuration is valid and we are upgrading from older version
# we need to create these files since they were added in 1.0.
if [ -f %{validfile} ]; then
FILES="nsswitch.conf system-auth password-auth fingerprint-auth \
smartcard-auth postlogin dconf-db dconf-locks"
for FILE in $FILES ; do
cp -n %{_sysconfdir}/authselect/$FILE \
%{_localstatedir}/lib/authselect/$FILE &> /dev/null
done
rm -f %{validfile}
fi
# Apply any changes to profiles (validates configuration first internally)
%{_bindir}/authselect apply-changes &> /dev/null
# Enable with-sudo feature if sssd-sudo responder is enabled. RHBZ#1582111
CURRENT=`%{_bindir}/authselect current --raw 2> /dev/null`
if [ $? -eq 0 ]; then
PROFILE=`echo $CURRENT | awk '{print $1;}'`
if [ $PROFILE == "sssd" ] ; then
if grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then
%{_bindir}/authselect enable-feature with-sudo &> /dev/null
elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then
%{_bindir}/authselect enable-feature with-sudo &> /dev/null
fi
fi
fi
exit 0
%posttrans compat
# Fix for RHBZ#1618865
# Remove invalid lines from pwquality.conf generated by authconfig compat tool
# - previous version could write some options without value, which is invalid
# - we delete all options without value from existing file
sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null
exit 0
%changelog
* Mon Feb 25 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-13
- Revert pam_systemd.so to be optional
- Resolves: #rhbz1643928 - pam_systemd shouldn't be optional in system-auth
* Mon Feb 4 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-12
- make authselect work with selinux disabled (RHBZ #1668025)
- require smartcard authentication only for specific services (RHBZ #1665058)
- update translations (RHBZ #1608286)
* Fri Jan 11 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-11
- require libselinux needed by (RHBZ #1664650)
* Fri Jan 11 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-10
- invalid selinux context for files under /etc/authselect (RHBZ #1664650)
* Tue Dec 4 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-9
- fix sources for official rhel translations (RHBZ #1608286)
- fix coverity warnings for authselect enable-features should error on unknown features (RHBZ #1651637)
* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-8
- add official rhel translations (RHBZ #1608286)
* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-7
- pam_systemd shouldn't be optional in system-auth (RHBZ #1643928)
- compat tool: support --enablerequiresmartcard (RHBZ #1649277)
- compat tool: support --smartcardaction=0 (RHBZ #1649279)
- remove ecryptfs from authselect since it is not present in rhel8 (RHBZ #1649282)
- authselect enable-features should error on unknown features (RHBZ #1651637)
* Wed Oct 31 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-6
- Remove mention of Fedora Change page from compat tool (RHBZ #1644309)
* Wed Oct 10 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-5
- Support for "require smartcard for login option" (RHBZ #1611012)
* Mon Oct 1 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-4
- add official rhel translations (RHBZ #1608286)
* Fri Sep 28 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-3
- scriptlet can fail if coreutils is not installed (RHBZ #1630896)
- fix typo (require systemd instead of systemctl)
* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-2
- authconfig --update overwrites current profile (RHBZ #1628492)
- authselect profile nis enhancements (RHBZ #1628493)
- scriptlet can fail if coreutils is not installed (RHBZ #1630896)
- authconfig --update --enablenis stops ypserv (RHBZ #1632567)
- compat tool generates invalid pwquality configuration (RHBZ #1628491)
* Mon Aug 13 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-1
- Rebase to 1.0 (RHBZ #1614235)
* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.4-4
- Rebuild for platform-python
* Mon May 14 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-3
- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)
* Wed Apr 25 2018 Christian Heimes <cheimes@redhat.com> - 0.4-2
- Don't disable oddjobd.service (RHBZ #1571844)
* Mon Apr 9 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-1
- rebasing to 0.4
* Tue Mar 6 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.2-1
- rebasing to 0.3.2
- authselect-compat now only suggests packages, not recommends
* Mon Mar 5 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.1-1
- rebasing to 0.3.1
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-3
- Provide authconfig
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-2
- Properly own all appropriate directories
- Remove unneeded %%defattr
- Remove deprecated Group tag
- Make Obsoletes versioned
- Remove unneeded ldconfig scriptlets
* Tue Feb 20 2018 Pavel Březina <pbrezina@redhat.com> - 0.3-1
- rebasing to 0.3
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-2
- fix rpmlint errors
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-1
- rebasing to 0.2
* Mon Jul 31 2017 Jakub Hrozek <jakub.hrozek@posteo.se> - 0.1-1
- initial packaging
Reference in New Issue Copy Permalink