From c82c4d3e9c4f0b042c80064ebd3eb458ec2fa5d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Oct 2025 18:02:42 +0200 Subject: [PATCH] Create root key if missing automatically Prepare tmpfiles.d script for creating /var/lib/unbound in case it is missing. Prepare link to root.key also. Resolves: RHEL-127540 --- tmpfiles-unbound-libs.conf | 2 ++ unbound.spec | 18 ++++++++++++------ 2 files changed, 14 insertions(+), 6 deletions(-) create mode 100644 tmpfiles-unbound-libs.conf diff --git a/tmpfiles-unbound-libs.conf b/tmpfiles-unbound-libs.conf new file mode 100644 index 0000000..d71ea46 --- /dev/null +++ b/tmpfiles-unbound-libs.conf @@ -0,0 +1,2 @@ +d /var/lib/unbound 0755 unbound unbound - +L /var/lib/unbound/root.key - - - - ../../../etc/unbound/dnssec-root.key diff --git a/unbound.spec b/unbound.spec index 7ac5e05..3365001 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.2 -Release: 21%{?extra_version:.%{extra_version}}%{?dist} +Release: 22%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -58,6 +58,7 @@ Source23: module-setup.sh Source24: unbound-initrd.conf Source25: unbound.sysusers Source26: unbound-as112-networks.conf +Source27: tmpfiles-unbound-libs.conf # https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554 Patch1: unbound-1.16-CVE-2022-3204.patch 
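Review bot: Neither entry in the new tmpfiles-unbound-libs.conf has a comment, although the `L` line decides which DNSSEC trust anchor a host validates against when /var/lib/unbound/root.key is absent. I would add `# Fallback only: L creates the link when root.key is missing; an existing anchor is never replaced.` above it, and a short comment on the `d` line stating why the directory is owned by the unbound account. The link target is the packaged static key under /etc/unbound. It is worth confirming that the resolver's trust-anchor updates replace the link inside /var/lib/unbound rather than try to write through it to the file in /etc; that behaviour is not visible in this patch.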
@@ -314,18 +315,19 @@ done pushd %{dir_primary} # install streamtcp man page -install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 -install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc +install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 +install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc popd # Install tmpfiles.d config install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound -install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf +install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf +install -p -m 0644 %{SOURCE27} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf # install root - we keep a copy of the root key in old location, # in case user has changed the configuration and we wouldn't update it there -install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ -install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key +install -p -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ +install -p -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key # local root zone fetch to separated configuration file install -p -m 0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/unbound/ @@ -492,6 +494,7 @@ popd %license doc/LICENSE %attr(0755,root,root) %dir %{_sysconfdir}/%{name} %{_sysusersdir}/%{name}.conf +%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf %{_sbindir}/unbound-anchor %{_libdir}/libunbound.so.* %{_mandir}/man8/unbound-anchor* @@ -509,6 +512,9 @@ popd %{_prefix}/lib/dracut/modules.d/99unbound %changelog +* Tue Nov 11 2025 Petr Menšík - 1.16.2-22 +- Create root key if missing automatically (RHEL-127540) + * Mon Jul 28 2025 Tomas Korbar - 1.16.2-21 - Fix RebirthDay Attack (CVE-2025-5994) - Resolves: RHEL-104129
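Review bot: The %files hunk ships `%{_tmpfilesdir}/unbound-libs.conf`, but no hunk in this patch adds a scriptlet that applies it. On an already running system the directory and link may therefore appear only at the next boot, unless a file trigger or a scriptlet outside these hunks runs systemd-tmpfiles. If nothing else covers it, the owning subpackage's `%post` could call `%tmpfiles_create %{_tmpfilesdir}/unbound-libs.conf`. The `d` entry also needs the `unbound` account to exist when it is processed; the same file list carries `%{_sysusersdir}/%{name}.conf`, so check that the account is created before tmpfiles runs. The %files section begins outside the hunk, so its subpackage name and any existing scriptlets are not visible here.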