Hardened build with full relro

Provided SysV initscript in sysvinit subpackage for backward compatibility
2011-08-30 16:52:12 +02:00 · 2011-08-30 16:52:12 +02:00 · dbcb52c7bc
commit dbcb52c7bc
parent a25ef5c937
2 changed files with 171 additions and 3 deletions
--- a/sendmail.init
+++ b/sendmail.init
@ -0,0 +1,144 @@
+#!/bin/bash
+#
+# sendmail      This shell script takes care of starting and stopping
+#               sendmail.
+#
+# chkconfig: 2345 80 30
+# description: Sendmail is a Mail Transport Agent, which is the program \
+#              that moves mail from one machine to another.
+# processname: sendmail
+# config: /etc/mail/sendmail.cf
+# pidfile: /var/run/sendmail.pid
+
+### BEGIN INIT INFO
+# Provides: sendmail smtpdaemon $mail-transfer-agent
+# Required-Start: $local_fs $network
+# Required-Stop: $local_fs $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop sendmail
+# Description: sendmail is a Mail Transport Agent (MTA)
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Source networking configuration.
+[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
+
+# Source sendmail configureation.
+if [ -f /etc/sysconfig/sendmail ]; then
+    . /etc/sysconfig/sendmail
+else
+    DAEMON=no
+    QUEUE=1h
+fi
+[ -z "$SMQUEUE" ] && SMQUEUE="$QUEUE"
+[ -z "$SMQUEUE" ] && SMQUEUE=1h
+
+# Check that we're a privileged user
+[ `id -u` = 0 ] || exit 4
+
+# Check that networking is up.
+[ "${NETWORKING}" = "no" ] && exit 1
+
+[ -x /usr/sbin/sendmail ] || exit 5
+
+prog="sendmail"
+
+updateconf() {
+    /etc/mail/make > /dev/null 2>&1
+    if [ $? -eq 15 ]; then
+	echo -n $"Package sendmail-cf is required to update configuration."
+	warning
+	echo
+    fi
+    /etc/mail/make aliases > /dev/null 2>&1
+}
+
+start() {
+    # Start daemons.
+    ret=0
+    updateconf
+    echo -n $"Starting $prog: "
+    daemon /usr/sbin/sendmail $([ "x$DAEMON" = xyes ] && echo -bd) \
+	$([ -n "$QUEUE" ] && echo -q$QUEUE) $SENDMAIL_OPTARG
+    RETVAL=$?
+    echo
+    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
+    let ret+=$RETVAL
+
+    if [ ! -f /var/run/sm-client.pid ]; then
+	echo -n $"Starting sm-client: "
+	touch /var/run/sm-client.pid
+	chown smmsp:smmsp /var/run/sm-client.pid
+	if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
+	    /sbin/restorecon /var/run/sm-client.pid
+	fi
+	daemon --check sm-client /usr/sbin/sendmail -L sm-msp-queue -Ac \
+	    -q$SMQUEUE $SENDMAIL_OPTARG
+	RETVAL=$?
+	echo
+	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sm-client
+	let ret+=$RETVAL
+    fi
+
+    [ $ret -eq 0 ] && return 0 || return 1
+}
+
+stop() {
+    # Stop daemons.
+    if [ -f /var/run/sm-client.pid ]; then
+	echo -n $"Shutting down sm-client: "
+	killproc sm-client
+	RETVAL=$?
+	echo
+	[ $RETVAL -eq 0 ] && rm -f /var/run/sm-client.pid
+	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sm-client
+    fi
+    echo -n $"Shutting down $prog: "
+    killproc sendmail
+    RETVAL=$?
+    echo
+    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail
+    return $RETVAL
+}
+
+status -p /var/run/sendmail.pid >/dev/null || status -p /var/run/sm-client.pid >/dev/null
+running=$?
+
+# See how we were called.
+case "$1" in
+    start)
+	[ $running -eq 0 ] && exit 0
+	start
+	RETVAL=$?
+	;;
+    stop)
+	[ $running -eq 0 ] || exit 0
+	stop
+	RETVAL=$?
+	;;
+    restart|force-reload)
+	stop
+	start
+	RETVAL=$?
+	;;
+    condrestart|try-restart)
+	[ $running -eq 0 ] || exit 0
+	stop
+	start
+	RETVAL=$?
+	;;
+    status)
+	echo -n sendmail; status -p /var/run/sendmail.pid -l sendmail
+	RETVAL=$?
+	echo -n sm-client; status -p /var/run/sm-client.pid -l sm-client
+	[ $RETVAL -eq 0 ] && RETVAL=$?
+	;;
+    *)
+	echo $"Usage: $0 {start|stop|restart|condrestart|status}"
+	RETVAL=2
+esac
+
+exit $RETVAL
--- a/sendmail.spec
+++ b/sendmail.spec
@ -11,10 +11,17 @@
 %global spooldir %{_localstatedir}/spool
 %global maildir %{_sysconfdir}/mail

+# hardened build
+%global _hardened_build 1
+
+%if %{?_hardened_build:%{_hardened_build}}%{!?_hardened_build:0}
+%global relro -Xlinker -z -Xlinker relro -Xlinker -z -Xlinker now
+%endif
+
 Summary: A widely used Mail Transport Agent (MTA)
 Name: sendmail
 Version: 8.14.5
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Sendmail
 Group: System Environment/Daemons
 URL: http://www.sendmail.org/
@ -35,6 +42,8 @@ Source6: sendmail-redhat.mc
 Source7: sm-client.service
 # pam config
 Source8: sendmail.pam
+# SysV initscript
+Source9: sendmail.init
 # sasl2 config
 Source11: Sendmail-sasl2.conf
 # default /etc/mail/access
@ -129,6 +138,14 @@ If you ever need to reconfigure Sendmail, you will also need to have
 the sendmail-cf package installed. If you need documentation on
 Sendmail, you can install the sendmail-doc package.

+%package sysvinit
+Summary: SysV initscript for sendmail
+Group: System Environment/Daemons
+Requires: %{name} = %{version}-%{release}
+
+%description sysvinit
+This package contains the SysV initscript.
+
 %package doc
 Summary: Documentation about the Sendmail Mail Transport Agent program
 Group: Documentation
@ -214,7 +231,7 @@ define(\`confMAPDEF', \`-DNEWDB -DNIS -DHESIOD -DMAP_REGEX -DSOCKETMAP -DNAMED_B
 define(\`confOPTIMIZE', \`\`\`\`${RPM_OPT_FLAGS}'''')
 define(\`confENVDEF', \`-I%{_includedir}/libdb -I/usr/kerberos/include -Wall -DXDEBUG=0 -DTCPWRAPPERS -DNETINET6 -DHES_GETMAILHOST -DUSE_VENDOR_CF_PATH=1 -D_FFR_TLS_1 -D_FFR_LINUX_MHNL -D_FFR_QOS')
 define(\`confLIBDIRS', \`-L/usr/kerberos/%{_lib}')
-define(\`confLIBS', \`-lnsl -lwrap -lhesiod -lcrypt -ldb -lresolv')
+define(\`confLIBS', \`-lnsl -lwrap -lhesiod -lcrypt -ldb -lresolv %{?relro:%{relro}}')
 define(\`confMANOWN', \`root')
 define(\`confMANGRP', \`root')
 define(\`confMANMODE', \`644')
@ -408,6 +425,7 @@ done
 touch %{buildroot}%{maildir}/aliasesdb-stamp

 install -p -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/sendmail
+install -p -m 755 %{SOURCE9} %{buildroot}%{_initrddir}/sendmail
 install -p -m 755 %{SOURCE2} %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/10-sendmail
 install -p -m 755 %{SOURCE3} %{buildroot}%{maildir}/make
 install -p -m 644 %{SOURCE5} %{buildroot}%{maildir}/Makefile
@ -418,7 +436,6 @@ chmod 644 %{buildroot}%{maildir}/helpfile
 mkdir -p %{buildroot}%{_unitdir}
 install -m644 %{SOURCE1} %{buildroot}%{_unitdir}
 install -m644 %{SOURCE7} %{buildroot}%{_unitdir}
-rm -rf %{buildroot}%{_initrddir}

 # fix permissions to allow debuginfo extraction and stripping
 chmod 755 %{buildroot}%{_sbindir}/{mailstats,makemap,praliases,sendmail,smrsh}
@ -674,8 +691,15 @@ exit 0
 %dir %{_docdir}/sendmail-%{version}/contrib
 %attr(0644,root,root) %{_docdir}/sendmail-%{version}/contrib/*

+%files sysvinit
+%defattr(-,root,root,-)
+%{_initrddir}/sendmail

 %changelog
+* Tue Aug 30 2011 Jaroslav Škarvada <jskarvad@redhat.com> - 8.14.5-7
+- Hardened build with full relro
+- Provided SysV initscript in sysvinit subpackage for backward compatibility
+
 * Mon Jul 25 2011 Jaroslav Škarvada <jskarvad@redhat.com> - 8.14.5-6
 - Fixed systemctl disable command in preun section
 - Replaced reload by restart, dropped ExecReload from sendmail.service