diff --git a/.gitignore b/.gitignore
index 6985aad..cc1c503 100644
--- a/.gitignore
+++ b/.gitignore
@@ -153,3 +153,4 @@
 /cockpit-194.tar.xz
 /cockpit-198.tar.xz
 /cockpit-199.tar.xz
+/cockpit-200.tar.xz
diff --git a/cockpit.spec b/cockpit.spec
index c36e8a2..3f262ee 100644
--- a/cockpit.spec
+++ b/cockpit.spec
@@ -1,5 +1,5 @@
 # This spec file has been automatically updated
-Version: 199
+Version: 200
 Release: 1%{?dist}
 #
 # This file is maintained at the following location:
@@ -230,7 +230,7 @@ done
 for lib in systemd tmpfiles.d firewalld; do
 rm -r %{buildroot}/%{_prefix}/%{__lib}/$lib
 done
-for libexec in cockpit-askpass cockpit-session cockpit-ws cockpit-desktop; do
+for libexec in cockpit-askpass cockpit-session cockpit-ws cockpit-tls cockpit-desktop; do
 rm %{buildroot}/%{_libexecdir}/$libexec
 done
 rm -r %{buildroot}/%{_libdir}/security %{buildroot}/%{_sysconfdir}/pam.d %{buildroot}/%{_sysconfdir}/motd.d %{buildroot}/%{_sysconfdir}/issue.d
@@ -399,6 +399,7 @@ The Cockpit Web Service listens on the network, and authenticates users.
 %doc %{_mandir}/man1/cockpit-desktop.1.gz
 %doc %{_mandir}/man5/cockpit.conf.5.gz
 %doc %{_mandir}/man8/cockpit-ws.8.gz
+%doc %{_mandir}/man8/cockpit-tls.8.gz
 %doc %{_mandir}/man8/remotectl.8.gz
 %doc %{_mandir}/man8/pam_ssh_add.8.gz
 %config(noreplace) %{_sysconfdir}/cockpit/ws-certs.d
@@ -414,6 +415,7 @@ The Cockpit Web Service listens on the network, and authenticates users.
 %{_sbindir}/remotectl
 %{_libdir}/security/pam_ssh_add.so
 %{_libexecdir}/cockpit-ws
+%{_libexecdir}/cockpit-tls
 %{_libexecdir}/cockpit-desktop
 %attr(4750, root, cockpit-ws) %{_libexecdir}/cockpit-session
 %attr(775, -, wheel) %{_localstatedir}/lib/cockpit
@@ -429,6 +431,33 @@ getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d /nonexisting # firewalld only partially picks up changes to its services files without this test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true +%if 0%{?rhel} || 0%{?fedora} == 29 +# HACK: SELinux policy adjustment for cockpit-tls; see https://github.com/fedora-selinux/selinux-policy-contrib/pull/114 +if type semanage >/dev/null 2>&1; then + set -ex + echo "Applying SELinux policy change for cockpit-tls.." + semanage fcontext -a /usr/libexec/cockpit-tls -t cockpit_ws_exec_t + restorecon /usr/libexec/cockpit-tls + tmp=$(mktemp -d) + cat < $tmp/local.te +module local 1.0; +require { + type cockpit_ws_t; + type cockpit_ws_exec_t; + class unix_stream_socket { create_stream_socket_perms connectto }; + class file { execute_no_trans}; +} + +allow cockpit_ws_t cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto }; +allow cockpit_ws_t cockpit_ws_exec_t:file { execute_no_trans }; +EOF + checkmodule -M -m -o $tmp/local.mod $tmp/local.te + semodule_package -o $tmp/local.pp -m $tmp/local.mod + semodule -i $tmp/local.pp + rm -rf "$tmp" +fi +%endif + %preun ws %systemd_preun cockpit.socket @@ -609,7 +638,7 @@ bastion hosts, and a basic dashboard. Summary: Cockpit user interface for Docker containers Requires: cockpit-bridge >= 122 Requires: cockpit-shell >= 122 -Requires: (docker or moby-engine) +Requires: (docker or moby-engine or docker-ce) Requires: %{__python3} %description -n cockpit-docker @@ -637,6 +666,13 @@ via PackageKit. # The changelog is automatically generated and merged %changelog +* Wed Aug 07 2019 Martin Pitt - 200-1 + +- Machines: Type-ahead OS selection +- Machines: LVM storage pools +- Networking: Show included firewalld services +- Web server: Split out TLS handling + * Thu Jul 25 2019 Martin Pitt - 199-1 - Redesigned logs all over cockpit diff --git a/sources b/sources index 923101e..3cb34fc 100644 --- a/sources +++ b/sources 
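Review bot: The policy module built in the added SELinux block is named `local` (`module local 1.0;`, installed from `$tmp/local.pp`), which is the name administrators commonly give their own audit2allow modules; `semodule -i` replaces an installed module of the same name at the same priority, so a site's own rules could be dropped silently. A package-specific name, for example `module cockpit_tls_local 1.0;` with matching `.te`/`.mod`/`.pp` file names, avoids the collision. Separately, under `set -ex` the block aborts at `semanage fcontext -a` when the file-context entry already exists from an earlier install, so a later upgrade would likely fail the scriptlet and leave `$tmp` behind; `semanage fcontext -a ... || semanage fcontext -m ...` makes that step re-runnable. Nothing visible in this diff removes the module or the fcontext entry on uninstall, so the extra `cockpit_ws_t` permissions appear to persist after the package is gone. The scriptlet this block belongs to starts outside the hunk, so which section it runs in is inferred from the surrounding `firewall-cmd` and `%preun ws` lines.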
@@ -1 +1 @@
-SHA512 (cockpit-199.tar.xz) = b3091ac6d0482e34ff804f82443867198fe65ce2e5453c1986fb39a536924c73ca1681426b440fcf28e5779b7ab3ddfa41db0da37cdc3fcb886ca01ad4fb0ec9
+SHA512 (cockpit-200.tar.xz) = 7dfdcf5ddf526bdba1adbe21f14583e8e2e5da53c6f8744488cacb7835fd8e5d3670bbf90738fba3032a59ee3bbf9b32ecec2eddd28937aff4c626176fa392e5