FreeIPA 4.8.5

This commit is contained in:
Alexander Bokovoy 2020-03-17 16:12:01 +02:00
parent 98704e21f0
commit 6d5d5ab36b

View File

@ -52,6 +52,13 @@
%global linter_options --disable-pylint --without-jslint
%endif
# Include SELinux subpackage
%if 0%{?fedora} >= 30 || 0%{?rhel} > 8
%global with_selinux 1
%global selinuxtype targeted
%global modulename ipa
%endif
%if 0%{?rhel}
%global package_name ipa
%global alt_name freeipa
@ -85,7 +92,14 @@
%global samba_version 2:4.12
# SELinux context for /etc/named directory, RHBZ#1759495
%global selinux_policy_version 3.14.3-52
%global slapi_nis_version 0.56.1
%global slapi_nis_version 0.56.4
# krb5 can only provide one KDB at a time
%if 0%{?fedora} >= 32
%global krb5_kdb_version 8.0
%else
%global krb5_kdb_version 7.0
%endif
# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
%global python_ldap_version 3.1.0-1
@ -105,7 +119,8 @@
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
%{?python_disable_dependency_generator}
%endif # Fedora
# Fedora
%endif
# 10.7.3 supports LWCA key replication using AES
# https://pagure.io/freeipa/issue/8020
@ -134,7 +149,7 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.8.4
%define IPA_VERSION 4.8.5
%define AT_SIGN @
# redefine IPA_VERSION only if its value matches the Autoconf placeholder
%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
@ -143,7 +158,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 8%{?dist}
Release: 1%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -151,15 +166,6 @@ URL: http://www.freeipa.org/
Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
# https://github.com/freeipa/freeipa/pull/4045
# Fix bugs in the overlapping DNS zone check
Patch0: 4045.patch
Patch1: krb5-kdb-fixes.patch
Patch2: krb5-1.18-support.patch
Patch3: krb5-1.18-support-constraint-delegation.patch
Patch4: krb5-pg8200.patch
Patch5: freeipa-4.8-opendnssec-2.1-support.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
@ -206,7 +212,8 @@ BuildRequires: libunistring-devel
# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
# 0.13.0-2: fix for missing dependency on python-six
BuildRequires: python3-lesscpy >= 0.13.0-2
%endif # ONLY_CLIENT
# ONLY_CLIENT
%endif
#
# Build dependencies for makeapi/makeaci
@ -233,7 +240,8 @@ BuildRequires: python3-twine
BuildRequires: twine
%endif
BuildRequires: python3-wheel
%endif # with_wheels
# with_wheels
%endif
#
# Build dependencies for lint and fastcheck
@ -250,6 +258,7 @@ BuildRequires: python3-custodia >= 0.3.1
BuildRequires: python3-dateutil
BuildRequires: python3-dbus
BuildRequires: python3-dns >= 1.15
BuildRequires: python3-docker
BuildRequires: python3-gssapi >= 1.2.0
BuildRequires: python3-jinja2
BuildRequires: python3-jwcrypto >= 0.4.2
@ -283,7 +292,8 @@ BuildRequires: python3-sss-murmur
BuildRequires: python3-sssdconfig >= %{sssd_version}
BuildRequires: python3-systemd
BuildRequires: python3-yubico
%endif # with_lint
# with_lint
%endif
#
# Build dependencies for unit tests
@ -292,7 +302,15 @@ BuildRequires: python3-yubico
BuildRequires: libcmocka-devel
# Required by ipa_kdb_tests
BuildRequires: krb5-server >= %{krb5_version}
%endif # ONLY_CLIENT
# ONLY_CLIENT
%endif
#
# Build dependencies for SELinux policy
#
%if 0%{?with_selinux}
BuildRequires: selinux-policy-devel
%endif
%description
IPA is an integrated solution to provide centrally managed Identity (users,
@ -359,6 +377,11 @@ Requires: oddjob
# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
Requires: gssproxy >= 0.7.0-2
Requires: sssd-dbus >= %{sssd_version}
%if 0%{?with_selinux}
# This ensures that the *-selinux package and all its dependencies are not pulled
# into containers and other systems that do not use SELinux
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif
Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server
@ -497,7 +520,8 @@ Cross-realm trusts with Active Directory in IPA require working Samba 4
installation. This package is provided for convenience to install all required
dependencies at once.
%endif # ONLY_CLIENT
# ONLY_CLIENT
%endif
%package client
@ -727,7 +751,22 @@ features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
This package contains tests that verify IPA functionality under Python 3.
%endif # with_ipatests
# with_ipatests
%endif
%if 0%{?with_selinux}
# SELinux subpackage
%package selinux
Summary: FreeIPA SELinux policy
BuildArch: noarch
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
%{?selinux_requires}
%description selinux
Custom SELinux policy module for FreeIPA
# with_selinux
%endif
%prep
@ -789,6 +828,19 @@ make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir}
%{__make} python_install DESTDIR=%{?buildroot} INSTALL="%{__install} -p"
%if 0%{?with_ipatests}
mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version}
mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version}
mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version}
ln -rs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3
ln -rs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3
ln -rs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3
ln -frs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests
ln -frs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config
ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task
# with_ipatests
%endif
# default installation
# This installs all Python packages twice and overrides the ipa-test
# commands. We'll fix the command links later with ln --force.
@ -835,14 +887,16 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
%endif # ONLY_CLIENT
# ONLY_CLIENT
%endif
/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
%if ! %{ONLY_CLIENT}
mkdir -p %{buildroot}%{_sysconfdir}/cron.d
%endif # ONLY_CLIENT
# ONLY_CLIENT
%endif
%if ! %{ONLY_CLIENT}
@ -955,7 +1009,8 @@ if [ $1 -eq 0 ]; then
/bin/systemctl reload-or-try-restart oddjobd
fi
%endif # ONLY_CLIENT
# ONLY_CLIENT
%endif
%post client
@ -993,6 +1048,26 @@ if [ $1 -gt 1 ] ; then
fi
%if 0%{?with_selinux}
# SELinux contexts are saved so that only affected files can be
# relabeled after the policy module installation
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
# with_selinux
%endif
%triggerin client -- openssh-server
# Has the client been configured?
restore=0
@ -1059,10 +1134,6 @@ fi
%{_sbindir}/ipa-cert-fix
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
%{_libexecdir}/certmonger/ipa-server-guard
%{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
%{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
%{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
%{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
%dir %{_libexecdir}/ipa
%{_libexecdir}/ipa/ipa-custodia
%{_libexecdir}/ipa/ipa-custodia-check
@ -1071,8 +1142,14 @@ fi
%{_libexecdir}/ipa/ipa-pki-retrieve-key
%{_libexecdir}/ipa/ipa-pki-wait-running
%{_libexecdir}/ipa/ipa-otpd
%dir %{_libexecdir}/ipa/custodia
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
%dir %{_libexecdir}/ipa/oddjob
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
%dir %{_libexecdir}/ipa/certmonger
@ -1187,16 +1264,16 @@ fi
%dir %{_sysconfdir}/ipa/html
%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
%ghost %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con
%dir %{_usr}/share/ipa/updates/
%{_usr}/share/ipa/updates/*
%dir %{_localstatedir}/lib/ipa
@ -1208,8 +1285,8 @@ fi
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
%ghost %{_localstatedir}/named/dyndb-ldap/ipa
%ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish
%ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa
%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
%dir %{_usr}/share/ipa/schema.d
%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README
@ -1241,9 +1318,10 @@ fi
%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
%%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
%endif # ONLY_CLIENT
# ONLY_CLIENT
%endif
%files client
@ -1304,19 +1382,19 @@ fi
%doc README.md Contributors.txt
%license COPYING
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
# old dbm format
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
# new sql format
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
%ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt
%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
%dir %{_localstatedir}/lib/ipa-client
%dir %{_localstatedir}/lib/ipa-client/pki
%dir %{_localstatedir}/lib/ipa-client/sysrestore
@ -1329,6 +1407,7 @@ fi
%doc README.md Contributors.txt
%license COPYING
%files common -f %{gettext_domain}.lang
%doc README.md Contributors.txt
%license COPYING
@ -1355,14 +1434,28 @@ fi
%license COPYING
%{python3_sitelib}/ipatests
%{python3_sitelib}/ipatests-*.egg-info
%{_bindir}/ipa-run-tests-3
%{_bindir}/ipa-test-config-3
%{_bindir}/ipa-test-task-3
%{_bindir}/ipa-run-tests-%{python3_version}
%{_bindir}/ipa-test-config-%{python3_version}
%{_bindir}/ipa-test-task-%{python3_version}
%{_bindir}/ipa-run-tests
%{_bindir}/ipa-test-config
%{_bindir}/ipa-test-task
%{_mandir}/man1/ipa-run-tests.1*
%{_mandir}/man1/ipa-test-config.1*
%{_mandir}/man1/ipa-test-task.1*
%endif # with_ipatests
# with_ipatests
%endif
%if 0%{?with_selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
# with_selinux
%endif
%changelog
* Tue Mar 03 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-8