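# gradm: userland administration tool for the grsecurity ACL system, bundled
# with chpax and a set of %%triggerin scriptlets that relax PaX / executable-
# stack restrictions for third-party packages that need them.
#
# Turns the dist tag (e.g. rhel4) into a boolean macro so the %%{?rhel4:...}
# conditional lines further down work.
%{?dist: %{expand: %%define %dist 1}}

# Build-time knobs.  Neither was defined in the original spec although both
# are used below (Source1 and the %%if blocks), which makes rpmbuild fail at
# parse time; these defaults only apply when nothing is passed via --define.
# chpax 0.7 is the version named in the changelog; nptl.sh is off by default,
# override with --define 'with_nptl 1'.
%{!?chpax_ver: %define chpax_ver 0.7}
%{!?with_nptl: %define with_nptl 0}

# Accounts that get dropped into the "untrusted" group.  Shared by the
# %%triggerin scriptlet and %%post so the two lists cannot drift apart.
%define untrusted_users lp sync shutdown halt mail news uucp operator games gopher ftp nobody rpm vcsa nscd sshd rpc rpcuser nfsnobody mailnull smmsp pcap apache squid webalizer xfs named ntp gdm amanda canna wnn fax netdump nut ldap mysql ident postfix mailman postgres privoxy pvm desktop radvd iplog snort dnscache dnslog alias qmaild qmaill qmailp qmailq qmailr qmails popuser psaadm psaftp qscand ftproot dcc

# The original header (Summary/Name/Version) was copied from an unrelated
# qsstat spec; every other reference in this file (Source0, %%setup -n,
# /sbin/%%{name}, the man page, the changelog) is gradm 2.1.9.
Summary:        grsecurity ACL administration utility
Name:           gradm
Version:        2.1.9
Release:        1
License:        GPL
Group:          System/Base
URL:            http://www.grsecurity.net/
Source0:        gradm-%{version}-200608201448.tar.gz
Source1:        chpax-%{chpax_ver}.tar.gz
Source2:        nptl.sh
BuildRoot:      %{_tmppath}/%{name}-buildroot
#BuildRequires: binutils flex findutils byacc bison

%description
grsecurity aims to be a complete security system for Linux.  gradm performs
several tasks for the ACL system, including authenticating via a password to
the kernel and parsing ACLs to be passed to the kernel.

%prep
# Source0 unpacks into gradm2; Source1 (chpax) is then unpacked inside it.
%setup -q -n %{name}2
%setup -q -n %{name}2 -D -T -a 1

%build
%{__make}
%{__make} -C chpax-%{chpax_ver}

%install
[ "%{buildroot}" != "/" ] && rm -rf "%{buildroot}"
%{__make} DESTDIR="%{buildroot}" install
%{__make} -C chpax-%{chpax_ver} DESTDIR="%{buildroot}" install
%if %{with_nptl}
%{__mkdir_p} %{buildroot}%{_sysconfdir}/profile.d/
install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/profile.d/nptl.sh
%endif

%clean
[ "%{buildroot}" != "/" ] && rm -rf "%{buildroot}"

# sitebuilder-core needs an executable stack
%triggerin -- sitebuilder-core
if [ -x /usr/bin/execstack ] && [ -f /usr/lib/php4/sitebuilder.so ]; then
  execstack -c /usr/lib/php4/sitebuilder.so
fi

# php-ioncube-loader: clear the exec-stack flag on every loader module.
# The -name pattern is quoted so the shell cannot expand it against the cwd.
%triggerin -- php-ioncube-loader
if [ -x /usr/bin/execstack ]; then
  find /usr/lib/php4/ -name 'php_ioncube*' -exec execstack -c {} \;
fi

# drweb needs mprotect().  The daemon is stopped around chpax — presumably
# because a running executable cannot be rewritten in place; confirm.
%triggerin -- drweb
if [ -f /opt/drweb/drwebd ]; then
  service drweb stop >/dev/null 2>&1
  chpax -m /opt/drweb/drwebd
  service drweb start >/dev/null 2>&1
fi

# fix permissions on the psa bin dir
%triggerin -- psa
if [ -d /usr/local/psa/bin ]; then
  chown root:root /usr/local/psa/bin
fi
# chrootsh: reset ownership to root and re-apply the 4755 (setuid root) mode
# the original trigger sets; chown would otherwise strip the setuid bit.
if [ -f /usr/local/psa/bin/chrootsh ]; then
  chown root:root /usr/local/psa/bin/chrootsh
  chmod 4755 /usr/local/psa/bin/chrootsh
fi

# fix beecrypt stack execution.  Iterate over the glob: a bare
# "[ -f glob ]" is a syntax error as soon as more than one file matches.
%triggerin -- beecrypt
if [ -x /usr/bin/execstack ]; then
  for lib in /usr/lib/libbeecrypt.so.*.*.*; do
    if [ -f "$lib" ]; then
      execstack -c "$lib"
    fi
  done
fi

# fix stack execution on mysql on 2.6 kernels
%triggerin -- mysql
if [ -x /usr/bin/execstack ]; then
  find /usr/lib -name 'libmysql*' -exec execstack -c {} \; >/dev/null 2>&1
fi
# CentOS4/RHEL4 have a problem with bdb in mysql: inject skip-bdb under
# [mysqld] once.  The -f guard stops the sed/mv pair from replacing a
# missing my.cnf with an empty file.
%{?rhel4:if [ -f /etc/my.cnf ] && ! grep -q "^skip-bdb" /etc/my.cnf; then }
%{?rhel4:  sed -e 's/\[mysqld\]/\[mysqld\]\nskip-bdb/' /etc/my.cnf > /etc/my.cnf.atomicorp }
%{?rhel4:  mv -f /etc/my.cnf.atomicorp /etc/my.cnf }
%{?rhel4:fi }

%triggerin -- mysql-compat
if [ -x /usr/bin/execstack ]; then
  find /usr/lib -name 'libmysql*' -exec execstack -c {} \; >/dev/null 2>&1
fi

# Fix frontpage perms
%triggerin -- frontpage
if [ -d /usr/local/frontpage ]; then
  chown -R root:root /usr/local/frontpage/version*/*
fi

# Fix courier-imap perms
%triggerin -- courier-imap
if [ -d /usr/lib/courier-imap ]; then
  chown -R root:root /usr/lib/courier-imap/
fi

# Fix mailman perms — same fix-up for both the /usr/lib and the /var layout
%triggerin -- mailman
for d in /usr/lib/mailman /var/mailman; do
  if [ -d "$d/cgi-bin" ]; then
    chown root:root "$d" "$d/cgi-bin" "$d/cron"
    chmod 755 "$d/cgi-bin" "$d/cron" "$d/mail"
  fi
done

# Fix php-xslt
%triggerin -- php-xslt
if [ -f /usr/lib/php4/xslt.so ] && [ -x /usr/bin/execstack ]; then
  execstack -c /usr/lib/php4/xslt.so
fi

# Fix X
%triggerin -- XFree86
if [ -f /usr/X11R6/bin/XFree86 ]; then
  chpax -emsrpx /usr/X11R6/bin/XFree86
fi

# Plesk PAM rpm (path had a doubled leading slash; execstack is now guarded
# like in every other trigger)
%triggerin -- psa-libpam-plesk
if [ -f /lib/security/pam_plesk.so ] && [ -x /usr/bin/execstack ]; then
  execstack -c /lib/security/pam_plesk.so
fi

# Java.  NOTE(review): this kills every running java process on the box
# before re-flagging the binaries, presumably for the same busy-executable
# reason as the drweb trigger; confirm that is still required.
%triggerin -- j2sdk
killall -9 java >/dev/null 2>&1
for bin in /usr/java/j2sdk*/bin/java /usr/java/j2sdk*/bin/javac /usr/lib/jvm/java*/bin/java /usr/lib/jvm/java*/bin/javac; do
  if [ -f "$bin" ]; then
    chpax -emsrpx "$bin"
  fi
done

%triggerin -- java-1.4.2-sun
for bin in /usr/lib/jvm/java*/bin/java /usr/lib/jvm/java*/bin/javac; do
  if [ -f "$bin" ]; then
    chpax -emsrpx "$bin"
  fi
done

# untrusted users trigger: put each service account into the "untrusted"
# group if it is not there yet.
%triggerin -- httpd snort mailman gdm mysql-server postgres qmail psa-qmail psa openssh
for i in %{untrusted_users}; do
  # anchor on "name:" so e.g. "mail" does not also match mailman/mailnull
  if grep -q "^$i:" /etc/passwd; then
    if ! id -Gn "$i" 2>/dev/null | tr ' ' '\n' | grep -qx untrusted; then
      # usermod -G replaces the supplementary group list, so hand it the
      # current groups plus untrusted (id -Gn avoids parsing groups(1) output)
      /usr/sbin/usermod -G "untrusted,$(id -Gn "$i" | tr ' ' ',')" "$i" >/dev/null 2>&1
    fi
  fi
done

%post
# (re)create the grsec control device node with the mode gradm expects
rm -f /dev/grsec
/bin/mknod -m 0622 /dev/grsec c 1 13

# create the untrusted user groups (fixed GIDs, system groups)
for entry in untrusted:1005 socket:1004 server:1003 client:1002; do
  name=${entry%:*}
  gid=${entry#*:}
  if ! grep -q "^$name:" /etc/group; then
    /usr/sbin/groupadd -g "$gid" -r -f "$name"
  fi
done

# same group assignment as the untrusted users trigger above
for i in %{untrusted_users}; do
  if grep -q "^$i:" /etc/passwd; then
    if ! id -Gn "$i" 2>/dev/null | tr ' ' '\n' | grep -qx untrusted; then
      /usr/sbin/usermod -G "untrusted,$(id -Gn "$i" | tr ' ' ',')" "$i" >/dev/null 2>&1
    fi
  fi
done

# switch SELinux into warn mode if it is enabled
# currently disabling selinux from the kernel rpm in grub.conf
if [ -f /etc/sysconfig/selinux ] && grep -q '^SELINUX=enforcing' /etc/sysconfig/selinux; then
  sed 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/sysconfig/selinux > /etc/sysconfig/selinux.tmp
  mv -f /etc/sysconfig/selinux.tmp /etc/sysconfig/selinux
fi

# Ioncube fix (manual install under /usr/local)
if [ -d /usr/local/ioncube ] && [ -x /usr/bin/execstack ]; then
  find /usr/local/ioncube -name '*so' -exec execstack -c {} \; >/dev/null 2>&1
fi

%files
%defattr(-,root,root)
%dir %{_sysconfdir}/grsec
%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/grsec/learn_config
%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/grsec/policy
%attr(0754,root,root) /sbin/%{name}
%attr(0754,root,root) /sbin/grlearn
%attr(0754,root,root) /sbin/chpax
%attr(0754,root,root) /sbin/gradm_pam
%attr(0644,root,root) %{_mandir}/man8/%{name}.8*
%attr(0644,root,root) %{_mandir}/man1/chpax.1.gz*
%if %{with_nptl}
%attr(0755,root,root) %{_sysconfdir}/profile.d/nptl.sh
%endif

%changelog
* Wed Sep 13 2006 Scott R. Shinn 2.1.9-1
- update to gradm-2.1.9-200608201448
- trigger update for sun jre

* Sat Mar 4 2006 Scott R. Shinn 2.1.8
- update to 2.1.8-200601212342
- major trigger updates

* Tue Jan 3 2006 Scott R. Shinn 2.1.7
- update to 2.1.7-200511041858
- mailman trigger update for FC4/4ES layout
- php-xslt trigger
- install-only check for manual install of ioncube loader

* Sat Sep 10 2005 Scott R. Shinn 2.1.6-13
- further refinement of untrusted trigger

* Sat Sep 10 2005 Scott R. Shinn 2.1.6-12
- fix for mysql triggers on shared objects

* Sat Sep 10 2005 Scott R. Shinn 2.1.6-11
- bugfix in untrusted group routine, this should fix group removal issues in the future

* Thu Sep 1 2005 Scott R. Shinn
- add in untrusted groups creation, and expanded it into a trigger
- add in check for selinux enforce mode, set to permissive if detected

* Sun Aug 28 2005 Scott R. Shinn
- update to 2.1.6

* Tue Jun 7 2005 Scott R. Shinn
- execstack trigger for mysql-compat

* Tue May 24 2005 Scott R. Shinn
- execstack trigger added for mysql

* Mon May 23 2005 Scott R. Shinn
- psa trigger addition

* Sun May 15 2005 Scott R. Shinn
- update to gradm-2.1.5-200504081812
- mknod fix

* Tue May 10 2005 Scott R. Shinn
- Added nptl.sh script

* Mon Mar 28 2005 Scott R. Shinn
- updated to 2.1.4
- removed SLS specific modifications
- added chpax 0.7

* Fri Jan 23 2004 Vincent Danen 2.0-0.5sls
- OpenSLS build
- tidy spec
- remove %%_prefix

* Tue Dec 30 2003 Michael Scherer 2.0-0.4mdk
- fix [DIRM] %{_sysconfdir}/grsec

* Thu Nov 20 2003 Thomas Backlund 2.0-0.3mdk
- rc3

* Thu Sep 18 2003 Thomas Backlund 2.0-0.2mdk
- move devfs checks to %post from makefile

* Wed Sep 17 2003 Thomas Backlund 2.0-0.1mdk
- initial cooker contrib
- gradm 2.0-rc2
- spec based on 1.9.9d rpm package by Oden Eriksson that never got uploaded due to kernel mismatch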