diff --git a/freeipa.spec b/freeipa.spec index 2bb4ad4..0b28652 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -52,6 +52,13 @@ %global linter_options --disable-pylint --without-jslint %endif +# Include SELinux subpackage +%if 0%{?fedora} >= 30 || 0%{?rhel} > 8 + %global with_selinux 1 + %global selinuxtype targeted + %global modulename ipa +%endif + %if 0%{?rhel} %global package_name ipa %global alt_name freeipa @@ -85,7 +92,14 @@ %global samba_version 2:4.12 # SELinux context for /etc/named directory, RHBZ#1759495 %global selinux_policy_version 3.14.3-52 -%global slapi_nis_version 0.56.1 +%global slapi_nis_version 0.56.4 + +# krb5 can only provide one KDB at a time +%if 0%{?fedora} >= 32 +%global krb5_kdb_version 8.0 +%else +%global krb5_kdb_version 7.0 +%endif # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324 %global python_ldap_version 3.1.0-1 @@ -105,7 +119,8 @@ # https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ %{?python_disable_dependency_generator} -%endif # Fedora +# Fedora +%endif # 10.7.3 supports LWCA key replication using AES # https://pagure.io/freeipa/issue/8020 @@ -134,7 +149,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.8.4 +%define IPA_VERSION 4.8.5 %define AT_SIGN @ # redefine IPA_VERSION only if its value matches the Autoconf placeholder %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" @@ -143,7 +158,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 8%{?dist} +Release: 1%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ 
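Review bot: The new guard `%if 0%{?fedora} >= 30 || 0%{?rhel} > 8` that turns on the SELinux subpackage gives no reason for excluding RHEL 8, and `%global selinuxtype targeted` fixes a single policy store, so a host running another store (mls, minimum) silently gets no IPA policy module and nothing else in the spec compensates. Both decisions deserve a line above the block, e.g. `# Only the targeted store is supported; RHEL 8 is excluded because <reason>` with the actual motivation filled in. The other hunks on this line (slapi-nis, krb5 KDB ABI, version/release bumps) are version changes and need no review.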
@@ -151,15 +166,6 @@ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc -# https://github.com/freeipa/freeipa/pull/4045 -# Fix bugs in the overlapping DNS zone check -Patch0: 4045.patch -Patch1: krb5-kdb-fixes.patch -Patch2: krb5-1.18-support.patch -Patch3: krb5-1.18-support-constraint-delegation.patch -Patch4: krb5-pg8200.patch -Patch5: freeipa-4.8-opendnssec-2.1-support.patch - # For the timestamp trick in patch application BuildRequires: diffstat @@ -206,7 +212,8 @@ BuildRequires: libunistring-devel # 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773 # 0.13.0-2: fix for missing dependency on python-six BuildRequires: python3-lesscpy >= 0.13.0-2 -%endif # ONLY_CLIENT +# ONLY_CLIENT +%endif # # Build dependencies for makeapi/makeaci @@ -233,7 +240,8 @@ BuildRequires: python3-twine BuildRequires: twine %endif BuildRequires: python3-wheel -%endif # with_wheels +# with_wheels +%endif # # Build dependencies for lint and fastcheck @@ -250,6 +258,7 @@ BuildRequires: python3-custodia >= 0.3.1 BuildRequires: python3-dateutil BuildRequires: python3-dbus BuildRequires: python3-dns >= 1.15 +BuildRequires: python3-docker BuildRequires: python3-gssapi >= 1.2.0 BuildRequires: python3-jinja2 BuildRequires: python3-jwcrypto >= 0.4.2 @@ -283,7 +292,8 @@ BuildRequires: python3-sss-murmur BuildRequires: python3-sssdconfig >= %{sssd_version} BuildRequires: python3-systemd BuildRequires: python3-yubico -%endif # with_lint +# with_lint +%endif # # Build dependencies for unit tests 
@@ -292,7 +302,15 @@ BuildRequires: python3-yubico BuildRequires: libcmocka-devel # Required by ipa_kdb_tests BuildRequires: krb5-server >= %{krb5_version} -%endif # ONLY_CLIENT +# ONLY_CLIENT +%endif + +# +# Build dependencies for SELinux policy +# +%if 0%{?with_selinux} +BuildRequires: selinux-policy-devel +%endif %description IPA is an integrated solution to provide centrally managed Identity (users, @@ -359,6 +377,11 @@ Requires: oddjob # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172 Requires: gssproxy >= 0.7.0-2 Requires: sssd-dbus >= %{sssd_version} +%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%endif Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server @@ -497,7 +520,8 @@ Cross-realm trusts with Active Directory in IPA require working Samba 4 installation. This package is provided for convenience to install all required dependencies at once. -%endif # ONLY_CLIENT +# ONLY_CLIENT +%endif %package client @@ -727,7 +751,22 @@ features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). This package contains tests that verify IPA functionality under Python 3. -%endif # with_ipatests +# with_ipatests +%endif + +%if 0%{?with_selinux} +# SELinux subpackage +%package selinux +Summary: FreeIPA SELinux policy +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +%{?selinux_requires} + +%description selinux +Custom SELinux policy module for FreeIPA +# with_selinux +%endif %prep 
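Review bot: The rich dependency `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})` pulls the policy in only when the targeted store is present, so a server on a different policy type installs without any IPA module, and the comment above it only explains the container case. Extend that comment to cover this, e.g. `# Hosts with a non-targeted store get no ipa module (selinuxtype is fixed to targeted above)`, and fix the typo `it’s` → `its` in the same comment while touching it. The `Requires:` block of `%package server` continues outside this hunk.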
@@ -789,6 +828,19 @@ make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir} %{__make} python_install DESTDIR=%{?buildroot} INSTALL="%{__install} -p" +%if 0%{?with_ipatests} +mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} +mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} +mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} +ln -rs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3 +ln -rs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3 +ln -rs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3 +ln -frs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests +ln -frs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config +ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task +# with_ipatests +%endif + # default installation # This installs all Python packages twice and overrides the ipa-test # commands. We'll fix the command links later with ln --force. @@ -835,14 +887,16 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so -%endif # ONLY_CLIENT +# ONLY_CLIENT +%endif /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf /bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt %if ! %{ONLY_CLIENT} mkdir -p %{buildroot}%{_sysconfdir}/cron.d -%endif # ONLY_CLIENT +# ONLY_CLIENT +%endif %if ! %{ONLY_CLIENT} @@ -955,7 +1009,8 @@ if [ $1 -eq 0 ]; then /bin/systemctl reload-or-try-restart oddjobd fi -%endif # ONLY_CLIENT +# ONLY_CLIENT +%endif %post client 
@@ -993,6 +1048,26 @@ if [ $1 -gt 1 ] ; then fi +%if 0%{?with_selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} +# with_selinux +%endif + + %triggerin client -- openssh-server # Has the client been configured? restore=0 @@ -1059,10 +1134,6 @@ fi %{_sbindir}/ipa-cert-fix %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard -%{_libexecdir}/ipa/custodia/ipa-custodia-dmldap -%{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat -%{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -%{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent %dir %{_libexecdir}/ipa %{_libexecdir}/ipa/ipa-custodia %{_libexecdir}/ipa/ipa-custodia-check @@ -1071,8 +1142,14 @@ fi %{_libexecdir}/ipa/ipa-pki-retrieve-key %{_libexecdir}/ipa/ipa-pki-wait-running %{_libexecdir}/ipa/ipa-otpd +%dir %{_libexecdir}/ipa/custodia +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck +%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf %dir %{_libexecdir}/ipa/certmonger 
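Review bot: In `%postun selinux` the erase branch (`$1 -eq 0`) removes the module but nothing relabels afterwards: `%posttrans` is not run for a package being erased and no `%selinux_relabel_pre` is recorded in a `%preun`, so files whose types were defined only by the `ipa` module keep labels the loaded policy no longer knows. If a clean uninstall matters, add a `%preun selinux` that calls `%selinux_relabel_pre -s %{selinuxtype}` when `$1 -eq 0`, and call `%selinux_relabel_post -s %{selinuxtype}` right after `%selinux_modules_uninstall` in that branch. Note also that `%post selinux` hard-codes `%{modulename}.pp.bz2` while the `%files selinux` list later globs `.pp.*`; the build must produce exactly the bz2 name or the scriptlet cannot install the module, which is worth a comment next to the path.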
@@ -1187,16 +1264,16 @@ fi %dir %{_sysconfdir}/ipa/html %config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html -%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf -%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf -%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf -%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf -%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf -%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf +%ghost %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt %ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf -%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con -%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini -%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con +%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con +%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini +%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con %dir %{_usr}/share/ipa/updates/ %{_usr}/share/ipa/updates/* %dir %{_localstatedir}/lib/ipa 
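Review bot: `%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf` is the only entry in this group that becomes `0640,root,root` while its siblings stay `0644`, and nothing records why. All of these are `%ghost` files written by the installer at run time, so the `%attr` here is metadata that must match what the installer actually creates, otherwise the recorded mode misleads audits (`rpm -q --dump`) and tools that reapply package attributes; a comment such as `# 0640: keep in sync with the mode the installer sets for this file` would make the intent explicit. Replacing the `apache` group with `root` changes nothing for the 0644 files, and httpd reads its configuration as root before dropping privileges, so the 0640 file presumably remains readable by the server — worth confirming on an upgraded host. The enclosing `%files server` list starts and ends outside this hunk.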
@@ -1208,8 +1285,8 @@ fi %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds -%ghost %{_localstatedir}/lib/ipa/pki-ca/publish -%ghost %{_localstatedir}/named/dyndb-ldap/ipa +%ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish +%ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa %dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia %dir %{_usr}/share/ipa/schema.d %attr(0644,root,root) %{_usr}/share/ipa/schema.d/README @@ -1241,9 +1318,10 @@ fi %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf %{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf -%%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains +%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains -%endif # ONLY_CLIENT +# ONLY_CLIENT +%endif %files client 
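Review bot: The two `%ghost` entries `%{_localstatedir}/lib/ipa/pki-ca/publish` (`775,root,pkiuser`) and `%{_localstatedir}/named/dyndb-ldap/ipa` (`770,named,named`) are directories but carry no `%dir`, unlike the `certs`, `private` and `passwds` entries just above them; unless `%install` (outside this hunk) creates them in the buildroot, rpm records them as regular files with these modes. Write them as `%ghost %dir %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish` and `%ghost %dir %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa`, and add a comment on why `pkiuser` needs group write on the publish directory, since it is the only path here writable by a group other than its owner. The `%%attr` → `%attr` correction for the trust-fetch-domains helper is fine as is.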
@@ -1304,19 +1382,19 @@ fi %doc README.md Contributors.txt %license COPYING %dir %attr(0755,root,root) %{_sysconfdir}/ipa/ -%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf -%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb # old dbm format -%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db -%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db -%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db # new sql format -%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db -%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db -%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt -%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt -%ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt +%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit %dir %{_localstatedir}/lib/ipa-client %dir %{_localstatedir}/lib/ipa-client/pki %dir %{_localstatedir}/lib/ipa-client/sysrestore @@ -1329,6 +1407,7 @@ fi %doc README.md Contributors.txt %license COPYING + %files common -f %{gettext_domain}.lang %doc README.md Contributors.txt %license COPYING 
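Review bot: `key3.db` and `key4.db` are declared `644,root,root` while only `pwdfile.txt` is `600`; any private key ever placed in this NSS database is then protected solely by the password stored in `pwdfile.txt`, so the 600 on that file is the real control and nothing in the list says so. Add `# key*.db are world-readable; their contents are encrypted with the password in pwdfile.txt, which must stay 0600` above the nssdb entries, or tighten `key*.db` to `640` if no unprivileged consumer needs them. The list also mixes `0644` (default.conf, ca.crt) and `644` (nssdb files) for the same meaning; pick one notation. `%files client` continues outside this hunk.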
@@ -1355,14 +1434,28 @@ fi %license COPYING %{python3_sitelib}/ipatests %{python3_sitelib}/ipatests-*.egg-info +%{_bindir}/ipa-run-tests-3 +%{_bindir}/ipa-test-config-3 +%{_bindir}/ipa-test-task-3 +%{_bindir}/ipa-run-tests-%{python3_version} +%{_bindir}/ipa-test-config-%{python3_version} +%{_bindir}/ipa-test-task-%{python3_version} %{_bindir}/ipa-run-tests %{_bindir}/ipa-test-config %{_bindir}/ipa-test-task %{_mandir}/man1/ipa-run-tests.1* %{_mandir}/man1/ipa-test-config.1* %{_mandir}/man1/ipa-test-task.1* -%endif # with_ipatests +# with_ipatests +%endif + +%if 0%{?with_selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* +%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} +# with_selinux +%endif %changelog * Tue Mar 03 2020 Alexander Bokovoy - 4.8.4-8