Rebase to the latest upstream version

- Rebase to the latest upstream version
- Use NSS as cryptography library (RHEL-22013)

Resolves: RHEL-22013
This commit is contained in:
Jan Černý 2024-04-02 16:05:09 +02:00
parent 6ab115a60e
commit 56f8171c01
7 changed files with 19 additions and 532 deletions

View File

@ -1,165 +0,0 @@
From f8366b395b977392d724c6cc84c7295590c39ee8 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Tue, 7 Nov 2023 20:01:44 +0100
Subject: [PATCH] Fix tests/probes/sysctl_all
The test will now automatically adapt to the list of readable
variables and won't break every time a new root-readable variable
is introduced in kernel.
---
tests/probes/sysctl/test_sysctl_probe_all.sh | 144 +++++++------------
1 file changed, 50 insertions(+), 94 deletions(-)
diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
index f1834059fb..efaa31b9b1 100755
--- a/tests/probes/sysctl/test_sysctl_probe_all.sh
+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
@@ -8,98 +8,57 @@ set -e -o pipefail
# non root users
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
-# non root users are not able to access some kernel params, so they get excluded
-SYSCTL_EXCLUDE='
- dev.parport.parport0.autoprobe
- dev.tty.legacy_tiocsti
- fs.protected_hardlinks
- fs.protected_fifos
- fs.protected_regular
- fs.protected_symlinks
- kernel.cad_pid
- kernel.unprivileged_userns_apparmor_policy
- kernel.apparmor_display_secid_mode
- kernel.usermodehelper.bset
- kernel.usermodehelper.inheritable
- net.core.bpf_jit_harden
- net.core.bpf_jit_kallsyms
- net.core.bpf_jit_limit
- net.ipv4.tcp_fastopen_key
- stable_secret
- vm.mmap_rnd_bits
- vm.mmap_rnd_compat_bits
- vm.stat_refresh'
-
-SYSCTL_EXCLUDE_REGEX="$(printf '\|%s' $SYSCTL_EXCLUDE)"
-# strip leading '\|'
-SYSCTL_EXCLUDE_REGEX=${SYSCTL_EXCLUDE_REGEX:2}
-
function perform_test {
-probecheck "sysctl" || return 255
-
-name=$(basename $0 .sh)
-
-result=$(mktemp ${name}.res.out.XXXXXX)
-stderr=$(mktemp ${name}.err.out.XXXXXX)
-ourNames=$(mktemp ${name}.our.out.XXXXXX)
-sysctlNames=$(mktemp ${name}.sysctl.out.XXXXXX)
-
-echo "Result file: $result"
-echo "Our names file: $ourNames"
-echo "Sysctl names file: $sysctlNames"
-echo "Errors file: $stderr"
-
-$OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev/null 2>$stderr
-
-case $(uname) in
- FreeBSD)
- sysctl -aN 2> /dev/null > "$sysctlNames"
- ;;
- Linux)
- # sysctl has duplicities in output
- # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
- # kernel parameters might use "/" and "." separators interchangeably - normalizing
- sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_EXCLUDE_REGEX | tr "/" "." | sort -u > "$sysctlNames"
- ;;
-esac
-
-grep unix-sys:name "$result" | grep -v $SYSCTL_EXCLUDE_REGEX | xsed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
-
-# If procps_ver > 3.3.12 we need to filter *stable_secret and vm.stat_refresh
-# options from the sysctl output, for more details see
-# https://github.com/OpenSCAP/openscap/issues/1152.
-procps_ver="$(package_version procps-ng procps)"
-
-lowest_ver=$(echo -e "3.3.12\n$procps_ver" | sort -V | head -n1)
-if [ "$procps_ver" != "$lowest_ver" ]; then
- sed -i '/net.ipv6.conf.*stable_secret$/d' "$sysctlNames"
- sed -i '/.*vm.stat_refresh/d' "$sysctlNames"
-fi
-
-if ! grep -q "hugepages" "$ourNames"; then
- sed -i "/^.*hugepages.*$/d" "$sysctlNames"
-fi
-
-echo "Diff (sysctlNames / ourNames): ------"
-diff "$sysctlNames" "$ourNames"
-echo "-------------------------------------"
-
-# remove oscap error message related to permissions from stderr
-sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr"
-sed -i -E "/^E: oscap: +An error.*, Operation not permitted/d" "$stderr"
-
-# remove oscap error message related to gibberish binary entries
-# that can't fit into 8K buffer and result in errno 14
-# (for example /proc/sys/kernel/spl/hostid could be the case)
-sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr"
-sed -i "/^.*hugepages.*$/d" "$stderr"
-
-echo "Errors (without messages related to permissions):"
-cat "$stderr"
-
-[ ! -s $stderr ]
-
-rm $stderr $result $ourNames $sysctlNames
+ probecheck "sysctl" || return 255
+
+ name=$(basename $0 .sh)
+
+ result=$(mktemp ${name}.res.out.XXXXXX)
+ stderr=$(mktemp ${name}.err.out.XXXXXX)
+ ourNames=$(mktemp ${name}.our.out.XXXXXX)
+ sysctlNames=$(mktemp ${name}.sysctl.out.XXXXXX)
+
+ echo "Result file: $result"
+ echo "Our names file: $ourNames"
+ echo "Sysctl names file: $sysctlNames"
+ echo "Errors file: $stderr"
+
+ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev/null 2>$stderr
+
+ case $(uname) in
+ FreeBSD)
+ sysctl -aN 2> /dev/null > "$sysctlNames"
+ ;;
+ Linux)
+ # sysctl has duplicities in output
+ # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
+ # kernel parameters might use "/" and "." separators interchangeably - normalizing
+ sysctl -a --deprecated 2> /dev/null | tr "/" "." | cut -d "=" -f 1 | tr -d " " | sort -u > "$sysctlNames"
+ ;;
+ esac
+
+ grep unix-sys:name "$result" | xsed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
+
+ echo "Diff (sysctlNames / ourNames): ------"
+ diff "$sysctlNames" "$ourNames"
+ echo "-------------------------------------"
+
+ # remove oscap error message related to permissions from stderr
+ sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr"
+ sed -i -E "/^E: oscap: +An error.*, Operation not permitted/d" "$stderr"
+
+ # remove oscap error message related to gibberish binary entries
+ # that can't fit into 8K buffer and result in errno 14
+ # (for example /proc/sys/kernel/spl/hostid could be the case)
+ sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr"
+ sed -i "/^.*hugepages.*$/d" "$stderr"
+
+ echo "Errors (without messages related to permissions):"
+ cat "$stderr"
+
+ [ ! -s $stderr ]
+
+ rm $stderr $result $ourNames $sysctlNames
}
perform_test

View File

@ -1,41 +0,0 @@
Fix type of libxml2 error callback function
Current libxml2 uses void(void *user, const xmlError *error),
previously void(void *user, xmlError *error) was used. Switch the
function definition to the current type and add a cast to avoid
incompatible-pointer-types errors with newer compilers building
against older libxml2.
Submitted upstream: <https://github.com/OpenSCAP/openscap/pull/2069>x
diff --git a/src/source/validate.c b/src/source/validate.c
index da8c46dcb185c3fe..ffc54f55031746fc 100644
--- a/src/source/validate.c
+++ b/src/source/validate.c
@@ -46,7 +46,7 @@ struct ctxt {
char *filename;
};
-static void oscap_xml_validity_handler(void *user, xmlErrorPtr error)
+static void oscap_xml_validity_handler(void *user, const xmlError *error)
{
struct ctxt * context = (struct ctxt *) user;
@@ -111,7 +111,7 @@ static inline int oscap_validate_xml(struct oscap_source *source, const char *sc
goto cleanup;
}
- xmlSchemaSetParserStructuredErrors(parser_ctxt, oscap_xml_validity_handler, &context);
+ xmlSchemaSetParserStructuredErrors(parser_ctxt, (xmlStructuredErrorFunc) oscap_xml_validity_handler, &context);
schema = xmlSchemaParse(parser_ctxt);
if (schema == NULL) {
@@ -125,7 +125,7 @@ static inline int oscap_validate_xml(struct oscap_source *source, const char *sc
goto cleanup;
}
- xmlSchemaSetValidStructuredErrors(ctxt, oscap_xml_validity_handler, &context);
+ xmlSchemaSetValidStructuredErrors(ctxt, (xmlStructuredErrorFunc) oscap_xml_validity_handler, &context);
doc = oscap_source_get_xmlDoc(source);
if (!doc)

View File

@ -1,25 +0,0 @@
Python bindings: Do not reuse $result for pointer conversion result
The $result variable may be a pointer, but SWIG_ConvertPtr returns
an int. This change avoids a compilation failure with current
compilers due to a C type error.
Submitted upstream: <https://github.com/OpenSCAP/openscap/pull/2069>x
diff --git a/swig/openscap.i b/swig/openscap.i
index 219e1aa3c9ddf28b..6f29fc23c808bcfc 100644
--- a/swig/openscap.i
+++ b/swig/openscap.i
@@ -64,9 +64,9 @@
}
%typemap(in) void * {
- $result = SWIG_ConvertPtr($input,%as_voidptrptr(&$1), 0, $disown);
- if (!SWIG_IsOK($result)) {
- %argument_fail($result, "$type", $symname, $argnum);
+ int ptrres = SWIG_ConvertPtr($input,%as_voidptrptr(&$1), 0, $disown);
+ if (!SWIG_IsOK(ptrres)) {
+ %argument_fail(ptrres, "$type", $symname, $argnum);
}
}

View File

@ -1,33 +0,0 @@
diff -ru openscap-1.3.9/src/common/xml_iterate.c openscap-1.3.9.new/src/common/xml_iterate.c
--- openscap-1.3.9/src/common/xml_iterate.c 2023-09-06 16:04:46.000000000 +0200
+++ openscap-1.3.9.new/src/common/xml_iterate.c 2023-11-27 03:13:21.931933518 +0100
@@ -22,6 +22,7 @@
#endif
#include <string.h>
+#include <libxml/parser.h>
#include "debug_priv.h"
#include "xml_iterate.h"
#include "oscap_helpers.h"
diff -ru openscap-1.3.9/src/OVAL/results/oval_cmp_evr_string.c openscap-1.3.9.new/src/OVAL/results/oval_cmp_evr_string.c
--- openscap-1.3.9/src/OVAL/results/oval_cmp_evr_string.c 2023-09-06 16:04:46.000000000 +0200
+++ openscap-1.3.9.new/src/OVAL/results/oval_cmp_evr_string.c 2023-11-27 03:18:23.003882498 +0100
@@ -30,6 +30,7 @@
#include <math.h>
#include <string.h>
#include <ctype.h>
+#include <limits.h>
#include "oval_cmp_evr_string_impl.h"
#include "oval_definitions.h"
#include "oval_types.h"
diff -ru openscap-1.3.9/src/source/bz2.c openscap-1.3.9.new/src/source/bz2.c
--- openscap-1.3.9/src/source/bz2.c 2023-09-06 16:04:46.000000000 +0200
+++ openscap-1.3.9.new/src/source/bz2.c 2023-11-27 03:32:20.069323771 +0100
@@ -26,6 +26,7 @@
#endif
#include <libxml/tree.h>
+#include <libxml/parser.h>
#include <stdlib.h>
#include <string.h>
#ifdef OS_WINDOWS

View File

@ -1,121 +0,0 @@
From f997cee6f74f4698aadc136b821bc0d5875c59de Mon Sep 17 00:00:00 2001
From: Stephen L Arnold <sarnold@vctlabs.com>
Date: Tue, 11 Jul 2023 17:49:10 -0700
Subject: [PATCH 1/3] make default perl install path respect
CMAKE_INSTALL_PREFIX
Signed-off-by: Stephen L Arnold <sarnold@vctlabs.com>
---
swig/perl/CMakeLists.txt | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/swig/perl/CMakeLists.txt b/swig/perl/CMakeLists.txt
index 057b365bf7..5ce41e9fa8 100644
--- a/swig/perl/CMakeLists.txt
+++ b/swig/perl/CMakeLists.txt
@@ -1,6 +1,8 @@
include(UseSWIG)
include(FindPerlLibs)
+string(SUBSTRING "${PERL_VERSION_STRING}" 0 4 PERL_VERSION_MINOR)
+
set(CMAKE_SWIG_FLAGS "-module" "openscap_pm")
if (${CMAKE_VERSION} VERSION_LESS "3.8.0")
swig_add_module(openscap_pm perl5 ../openscap.i)
@@ -20,7 +22,7 @@ if (APPLE OR (${CMAKE_SYSTEM_NAME} STREQUAL "FreeBSD"))
DESTINATION ${CMAKE_INSTALL_DATADIR}/perl5/vendor_perl)
else()
install(TARGETS ${SWIG_MODULE_openscap_pm_REAL_NAME}
- DESTINATION ${PERL_VENDORLIB})
+ DESTINATION ${CMAKE_INSTALL_LIBDIR}/perl5/${PERL_VERSION_MINOR})
install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/openscap_pm.pm
- DESTINATION ${PERL_VENDORARCH})
+ DESTINATION ${CMAKE_INSTALL_LIBDIR}/perl5/vendor_perl/${PERL_VERSION_MINOR})
endif()
From 6549f7f3142fa071966a6b7c97cd1b85edece990 Mon Sep 17 00:00:00 2001
From: Stephen L Arnold <sarnold@vctlabs.com>
Date: Thu, 14 Dec 2023 16:06:34 -0800
Subject: [PATCH 2/3] chg: dev: use cmake vendor paths for perl install
defaults
* also display both vendor/non-vendor system paths in linux envs
Signed-off-by: Stephen L Arnold <sarnold@vctlabs.com>
---
CMakeLists.txt | 4 ++++
swig/perl/CMakeLists.txt | 10 ++++++++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6244980583..d43993bce5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -463,6 +463,10 @@ message(STATUS " ")
message(STATUS "Language bindings:")
message(STATUS "python3 bindings: ${ENABLE_PYTHON3}")
message(STATUS "perl bindings: ${ENABLE_PERL}")
+message(STATUS "perl vendorlib: ${PERL_VENDORLIB}")
+message(STATUS "perl vendorarch: ${PERL_VENDORARCH}")
+message(STATUS "perl privlib: ${PERL_PRIVLIB}")
+message(STATUS "perl archlib: ${PERL_ARCHLIB}")
message(STATUS " ")
message(STATUS "Utilities:")
diff --git a/swig/perl/CMakeLists.txt b/swig/perl/CMakeLists.txt
index 5ce41e9fa8..789394636c 100644
--- a/swig/perl/CMakeLists.txt
+++ b/swig/perl/CMakeLists.txt
@@ -3,6 +3,12 @@ include(FindPerlLibs)
string(SUBSTRING "${PERL_VERSION_STRING}" 0 4 PERL_VERSION_MINOR)
+# process cmake vendor paths to respect install prefix, use as Linux defaults below
+STRING(REGEX REPLACE "^/usr/" "${CMAKE_INSTALL_PREFIX}/" PERL_VENDORARCH "${PERL_VENDORARCH}")
+STRING(REGEX REPLACE "^/usr/" "${CMAKE_INSTALL_PREFIX}/" PERL_VENDORLIB "${PERL_VENDORLIB}")
+message(STATUS "perl install libdir: ${PERL_VENDORARCH}")
+message(STATUS "perl install archdir: ${PERL_VENDORLIB}")
+
set(CMAKE_SWIG_FLAGS "-module" "openscap_pm")
if (${CMAKE_VERSION} VERSION_LESS "3.8.0")
swig_add_module(openscap_pm perl5 ../openscap.i)
@@ -22,7 +28,7 @@ if (APPLE OR (${CMAKE_SYSTEM_NAME} STREQUAL "FreeBSD"))
DESTINATION ${CMAKE_INSTALL_DATADIR}/perl5/vendor_perl)
else()
install(TARGETS ${SWIG_MODULE_openscap_pm_REAL_NAME}
- DESTINATION ${CMAKE_INSTALL_LIBDIR}/perl5/${PERL_VERSION_MINOR})
+ DESTINATION ${PERL_VENDORARCH}/auto/openscap_pm/)
install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/openscap_pm.pm
- DESTINATION ${CMAKE_INSTALL_LIBDIR}/perl5/vendor_perl/${PERL_VERSION_MINOR})
+ DESTINATION ${PERL_VENDORARCH})
endif()
From f70f38ecaf659474e69c902454f3bfcfedc89cc0 Mon Sep 17 00:00:00 2001
From: Stephen L Arnold <sarnold@vctlabs.com>
Date: Fri, 15 Dec 2023 16:44:53 -0800
Subject: [PATCH 3/3] check for default prefix before (possibly) munging with
prefix string
Signed-off-by: Stephen L Arnold <sarnold@vctlabs.com>
---
swig/perl/CMakeLists.txt | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/swig/perl/CMakeLists.txt b/swig/perl/CMakeLists.txt
index 789394636c..ca4d2705e2 100644
--- a/swig/perl/CMakeLists.txt
+++ b/swig/perl/CMakeLists.txt
@@ -4,8 +4,11 @@ include(FindPerlLibs)
string(SUBSTRING "${PERL_VERSION_STRING}" 0 4 PERL_VERSION_MINOR)
# process cmake vendor paths to respect install prefix, use as Linux defaults below
-STRING(REGEX REPLACE "^/usr/" "${CMAKE_INSTALL_PREFIX}/" PERL_VENDORARCH "${PERL_VENDORARCH}")
-STRING(REGEX REPLACE "^/usr/" "${CMAKE_INSTALL_PREFIX}/" PERL_VENDORLIB "${PERL_VENDORLIB}")
+if (NOT CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+ STRING(REGEX REPLACE "^/usr/" "${CMAKE_INSTALL_PREFIX}/" PERL_VENDORARCH "${PERL_VENDORARCH}")
+ STRING(REGEX REPLACE "^/usr/" "${CMAKE_INSTALL_PREFIX}/" PERL_VENDORLIB "${PERL_VENDORLIB}")
+endif()
+
message(STATUS "perl install libdir: ${PERL_VENDORARCH}")
message(STATUS "perl install archdir: ${PERL_VENDORLIB}")

View File

@ -1,6 +1,6 @@
Name: openscap Name: openscap
Version: 1.3.9 Version: 1.3.10
Release: 6%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
Summary: Set of open source libraries enabling integration of the SCAP line of standards Summary: Set of open source libraries enabling integration of the SCAP line of standards
License: LGPL-2.1-or-later License: LGPL-2.1-or-later
@ -14,70 +14,17 @@ for integration of the SCAP line of standards. SCAP is a line of standards
managed by NIST with the goal of providing a standard language managed by NIST with the goal of providing a standard language
for the expression of Computer Network Defense related information.} for the expression of Computer Network Defense related information.}
# By default build with checks (time consuming)
%bcond_without check
# By default fedora package is built with apt
%if 0%{?fedora}
%bcond_without apt
%else
# apt is missing in CentOS (ELN builds) and in EPEL available currently only in 9
%bcond_with apt
%endif
# By default fedora package is built with opendbx support
%if 0%{?fedora}
%bcond_without opendbx
%else
# opendbx is missing in RHEL (ELN builds) without rest of the EPEL packages
# conditional allows for example rebuild in COPR + EPEL
%bcond_with opendbx
%endif
# Fedora arched lib directories
# originally https://github.com/OpenSCAP/openscap/pull/2056
# accepted was https://github.com/OpenSCAP/openscap/pull/2054
Patch1: https://github.com/OpenSCAP/openscap/pull/2054.patch#/openscap-1.3.9-perlpath.patch
# Implicit declarations due to missing includes
# reported in #PR2060, #PR2061, #PR2062
# https://github.com/OpenSCAP/openscap/pull/2060
# https://github.com/OpenSCAP/openscap/pull/2061
# https://github.com/OpenSCAP/openscap/pull/2062
Patch2: openscap-1.3.9-includes.patch
# Fix test test_sysctl_probe_all.sh
# https://github.com/OpenSCAP/openscap/commit/f8366b395b977392d724c6cc84c7295590c39ee8
Patch3: openscap-1.3.10-fix_sysctl_probe_tests-PR-2050.patch
# Fix type of libxml2 error callback function
# https://github.com/OpenSCAP/openscap/pull/2069
Patch4: openscap-1.3.9-c99-libxml2.patch
# Python bindings: Do not reuse $result for pointer conversion result
# https://github.com/OpenSCAP/openscap/pull/2069
Patch5: openscap-1.3.9-c99-python.patch
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
BuildRequires: make BuildRequires: make
%if 0%{?fedora} || 0%{?rhel} >= 8
BuildRequires: cmake >= 2.6 BuildRequires: cmake >= 2.6
BuildRequires: cmake-rpm-macros BuildRequires: cmake-rpm-macros
%else
BuildRequires: cmake3
%endif
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: swig BuildRequires: swig
BuildRequires: libxml2-devel BuildRequires: libxml2-devel
BuildRequires: libxslt-devel BuildRequires: libxslt-devel
BuildRequires: rpm-devel BuildRequires: rpm-devel
BuildRequires: libgcrypt-devel BuildRequires: nss-devel
BuildRequires: pcre2-devel BuildRequires: pcre2-devel
BuildRequires: libacl-devel BuildRequires: libacl-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
@ -91,30 +38,8 @@ BuildRequires: dbus-devel
BuildRequires: libyaml-devel BuildRequires: libyaml-devel
BuildRequires: xmlsec1-devel BuildRequires: xmlsec1-devel
BuildRequires: xmlsec1-openssl-devel BuildRequires: xmlsec1-openssl-devel
# Fedora has procps-ng-devel, which provides procps-devel
BuildRequires: procps-devel BuildRequires: procps-devel
%if %{with apt}
# apt-libs missing on Centos
BuildRequires: apt-devel
%endif
%if %{with opendbx}
# opendbx is not available in RHEL
BuildRequires: opendbx-devel
%endif
# GConf2 not used on purpose as obsolete and blocking anaconda addon
# BuildRequires: GConf2-devel
%if %{with check}
BuildRequires: perl-interpreter
BuildRequires: perl-XML-XPath
BuildRequires: bzip2
%endif
Requires: bash Requires: bash
Requires: bzip2-libs Requires: bzip2-libs
Requires: dbus Requires: dbus
@ -125,18 +50,12 @@ Requires: libcap
Requires: libselinux Requires: libselinux
Requires: openldap Requires: openldap
Requires: popt Requires: popt
# Fedora has procps-ng, which provides procps
Requires: procps Requires: procps
Requires: xmlsec1 xmlsec1-openssl Requires: xmlsec1
Requires: xmlsec1-openssl
%if %{with apt}
# apt-libs missing on Centos
Requires: apt-libs
%endif
%description %{common_description} %description %{common_description}
%package devel %package devel
Summary: Development files for %{name} Summary: Development files for %{name}
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
@ -155,31 +74,13 @@ Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
%{?python_provide:%python_provide python%{python3_pkgversion}-openscap } %{?python_provide:%python_provide python%{python3_pkgversion}-openscap }
BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools
%if 0%{?fedora} || 0%{?rhel} >= 10
BuildRequires: python-rpm-macros BuildRequires: python-rpm-macros
%endif
%description python3 %description python3
The %{name}-python3 package contains the bindings so that %{name} The %{name}-python3 package contains the bindings so that %{name}
libraries can be used by python3. libraries can be used by python3.
%{common_description} %{common_description}
%package perl
Summary: Perl bindings for %{name}
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
BuildRequires: coreutils
BuildRequires: findutils
BuildRequires: make
BuildRequires: perl-generators
BuildRequires: perl-interpreter
BuildRequires: perl-devel
BuildRequires: perl-XML-Parser
%description perl
The perl package contains the bindings so that %{name}
libraries can be used by perl.
%{common_description}
%package scanner %package scanner
Summary: OpenSCAP Scanner Tool (oscap) Summary: OpenSCAP Scanner Tool (oscap)
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
@ -225,55 +126,32 @@ The %{name}-engine-sce-devel package contains libraries and header files
for developing applications that use %{name}-engine-sce. for developing applications that use %{name}-engine-sce.
%{common_description} %{common_description}
%package containers
Summary: Utils for scanning containers
Requires: %{name} = %{epoch}:%{version}-%{release}
Requires: %{name}-scanner
BuildArch: noarch
%description containers
Tool for scanning Atomic containers.
%{common_description}
%prep %prep
%autosetup -p1 %autosetup -p1
%build %build
# definition controlling to use out-of-source build by default
# still needed for EPEL8 build
# more info - https://bugzilla.redhat.com/show_bug.cgi?id=1861329
%undefine __cmake_in_source_build
# gconf is a legacy system not used any more, and it blocks testing of oscap-anaconda-addon
# as gconf is no longer part of the installation medium
%cmake \ %cmake \
-DWITH_CRYPTO=nss \
-DWITH_PCRE2=ON \ -DWITH_PCRE2=ON \
-DENABLE_PERL=ON \
-DENABLE_DOCS=ON \ -DENABLE_DOCS=ON \
-DENABLE_PERL=OFF \
-DENABLE_OSCAP_UTIL_DOCKER=OFF \
-DENABLE_OSCAP_REMEDIATE_SERVICE=OFF \
-DOPENSCAP_PROBE_LINUX_DPKGINFO=OFF \
-DOPENSCAP_PROBE_UNIX_GCONF=OFF \ -DOPENSCAP_PROBE_UNIX_GCONF=OFF \
-DOPENSCAP_ENABLE_SHA1=OFF \
-DOPENSCAP_ENABLE_MD5=OFF \
-DGCONF_LIBRARY= -DGCONF_LIBRARY=
%cmake_build %cmake_build
make docs make docs
%check
%if %{with check}
# Skip failing test in sce/test_sce_in_ds.sh
# %{?_smp_mflags} not used as it is failing many other tests
ctest -V -E sce/test_sce_in_ds.sh
%endif
%install %install
%cmake_install %cmake_install
find %{buildroot} -name '*.la' -exec rm -f {} ';' find %{buildroot} -name '*.la' -exec rm -f {} ';'
# fix python shebangs # fix python shebangs
%if 0%{?fedora} || 0%{?rhel} >= 10
%{__python3} %{_rpmconfigdir}/redhat/pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm %{__python3} %{_rpmconfigdir}/redhat/pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm
%else
pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm
%endif
%ldconfig_scriptlets %ldconfig_scriptlets
@ -297,11 +175,6 @@ pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm
%{python3_sitearch}/* %{python3_sitearch}/*
%files perl
%{perl_vendorarch}/openscap_pm.pm
%{perl_vendorarch}/auto/openscap_pm/openscap_pm.so
%files devel %files devel
%doc %{_pkgdocdir}/html/ %doc %{_pkgdocdir}/html/
%{_libdir}/libopenscap.so %{_libdir}/libopenscap.so
@ -321,6 +194,7 @@ pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm
%files scanner %files scanner
%{_mandir}/man8/oscap.8* %{_mandir}/man8/oscap.8*
%{_bindir}/oscap %{_bindir}/oscap
%{_mandir}/man8/oscap-chroot.8*
%{_bindir}/oscap-chroot %{_bindir}/oscap-chroot
%{_sysconfdir}/bash_completion.d %{_sysconfdir}/bash_completion.d
@ -330,20 +204,18 @@ pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm
%{_mandir}/man8/* %{_mandir}/man8/*
%exclude %{_mandir}/man8/oscap.8* %exclude %{_mandir}/man8/oscap.8*
%exclude %{_mandir}/man8/oscap-docker.8* %exclude %{_mandir}/man8/oscap-docker.8*
%exclude %{_mandir}/man8/oscap-chroot.8*
%{_bindir}/* %{_bindir}/*
%exclude %{_bindir}/oscap %exclude %{_bindir}/oscap
%exclude %{_bindir}/oscap-docker %exclude %{_bindir}/oscap-docker
%exclude %{_bindir}/oscap-chroot %exclude %{_bindir}/oscap-chroot
%files containers
%{_bindir}/oscap-docker
%{_mandir}/man8/oscap-docker.8*
%{python3_sitelib}/oscap_docker_python/*
%{_bindir}/oscap-podman
%{_mandir}/man8/oscap-podman.8*
%changelog %changelog
* Tue Apr 02 2024 Jan Černý <jcerny@redhat.com> - 1:1.3.10-1
- Rebase to the latest upstream version
- Use NSS as cryptography library (RHEL-22013)
* Sun Jan 21 2024 Michal Ambroz <rebus _AT seznam.cz> - 1:1.3.9-7 * Sun Jan 21 2024 Michal Ambroz <rebus _AT seznam.cz> - 1:1.3.9-7
- add conditionals to be able to rebuild with opendbx/apt even on EPEL+RHEL - add conditionals to be able to rebuild with opendbx/apt even on EPEL+RHEL
- cosmetics: rename patches, add comments, use buildroot macro instead of env - cosmetics: rename patches, add comments, use buildroot macro instead of env

View File

@ -1 +1 @@
SHA512 (openscap-1.3.9.tar.gz) = 4c7fd10618c36188ed63d722d6cc7b04b45f4e72ff25b8c8ac066baa650b2f1bbd34c561f487a7f58ae8a506228b7d1d2208d54b976df84e2d2ea532629dc6eb SHA512 (openscap-1.3.10.tar.gz) = 007556b8f020636f6613c2b1192a8b96dfb21b62994a3e257619d48021ad962f95b724c3ac9709a60dbbf7dba8f2499ff8b9b56a7f2d293ca3a8d6ec8107f595