diff --git a/.bind.metadata b/.bind.metadata
index 330e630..6b7575c 100644
--- a/.bind.metadata
+++ b/.bind.metadata
@@ -1,2 +1,2 @@
+8f72710c243b713ba56930e0348cd0157716574e SOURCES/config-12.tar.bz2
 d7be390e6c2546f37a7280e1975e1cd134565f62 SOURCES/bind-9.9.4.tar.gz
-bece70f7e1d14d4a7ca23b4d111d736e10e5f1e2 SOURCES/config-11.tar.bz2
diff --git a/SOURCES/bind-9.9.1-P2-dlz-libdb.patch b/SOURCES/bind-9.9.1-P2-dlz-libdb.patch
new file mode 100644
index 0000000..7c62d87
--- /dev/null
+++ b/SOURCES/bind-9.9.1-P2-dlz-libdb.patch
@@ -0,0 +1,27 @@
+diff -up bind-9.9.4/contrib/dlz/config.dlz.in.libdb bind-9.9.4/contrib/dlz/config.dlz.in
+--- bind-9.9.4/contrib/dlz/config.dlz.in.libdb 2014-01-06 13:24:24.669256364 +0100
++++ bind-9.9.4/contrib/dlz/config.dlz.in 2014-01-06 13:26:29.861420493 +0100
+@@ -257,7 +257,7 @@ case "$use_dlz_bdb" in
+ # Check other locations for includes.
+ # Order is important (sigh).
+ 
+- bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /db/"
++ bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /libdb/ /db/"
+ for d in $bdb_incdirs
+ do
+ if test -f "$dd/include${d}db.h"
+@@ -283,13 +283,7 @@ case "$use_dlz_bdb" in
+ do
+ if test -f "$dd/${target_lib}/lib${d}.so"
+ then
+- if test "$dd" != "/usr"
+- then
+- dlz_bdb_libs="-L${dd}/${target_lib} "
+- else
+- dlz_bdb_libs=""
+- fi
+- dlz_bdb_libs="${dlz_bdb_libs}-l${d}"
++ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
+ break
+ fi
+ done
diff --git a/SOURCES/bind-9.9.1-P2-dlz-libdb4.patch b/SOURCES/bind-9.9.1-P2-dlz-libdb4.patch
deleted file mode 100644
index 1099fa4..0000000
--- a/SOURCES/bind-9.9.1-P2-dlz-libdb4.patch
+++ /dev/null
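Review bot: The library probe and the link path this patch writes no longer agree: the existence test on the context line still checks `$dd/${target_lib}/lib${d}.so`, while the new assignment sets `dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"`, so the directory handed to the linker is never the one whose presence was verified. If `lib${d}.so` exists only under the `libdb/` subdirectory the probe never fires and DLZ/BDB support is silently not built; if it also exists directly in `${target_lib}` the `-L` is redundant; either way the two should name the same path, as the deleted libdb4 variant further down in this commit did with `if test -f "$dd/${target_lib}/libdb4/lib${d}.so"`, i.e. here `if test -f "$dd/${target_lib}/libdb/lib${d}.so"`. Dropping the old `if test "$dd" != "/usr"` guard also means `-L${dd}/${target_lib}/libdb` is now emitted even for the system prefix, which looks intended for the libdb-devel layout but deserves a one-line note at the top of the patch file. The enclosing `case "$use_dlz_bdb"` block starts and ends outside the hunk.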
@@ -1,30 +0,0 @@
-diff -up bind-9.9.1-P2/contrib/dlz/config.dlz.in.libdb4 bind-9.9.1-P2/contrib/dlz/config.dlz.in
---- bind-9.9.1-P2/contrib/dlz/config.dlz.in.libdb4 2012-07-30 16:58:57.566418514 +0200
-+++ bind-9.9.1-P2/contrib/dlz/config.dlz.in 2012-07-30 17:30:10.930074108 +0200
-@@ -257,7 +257,7 @@ case "$use_dlz_bdb" in
- # Check other locations for includes.
- # Order is important (sigh).
- 
-- bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /db/"
-+ bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /libdb4/ /db/"
- for d in $bdb_incdirs
- do
- if test -f "$dd/include${d}db.h"
-@@ -281,15 +281,9 @@ case "$use_dlz_bdb" in
- bdb_libnames="db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
- for d in $bdb_libnames
- do
-- if test -f "$dd/${target_lib}/lib${d}.so"
-+ if test -f "$dd/${target_lib}/libdb4/lib${d}.so"
- then
-- if test "$dd" != "/usr"
-- then
-- dlz_bdb_libs="-L${dd}/${target_lib} "
-- else
-- dlz_bdb_libs=""
-- fi
-- dlz_bdb_libs="${dlz_bdb_libs}-l${d}"
-+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb4 -l${d}"
- break
- fi
- done
diff --git a/SOURCES/bind99-CVE-2014-0591.patch b/SOURCES/bind99-CVE-2014-0591.patch
new file mode 100644
index 0000000..ba225b1
--- /dev/null
+++ b/SOURCES/bind99-CVE-2014-0591.patch
@@ -0,0 +1,53 @@
+diff -pruN bind-9.9.4-P1/bin/named/query.c bind-9.9.4-P2/bin/named/query.c
+--- bind-9.9.4-P1/bin/named/query.c 2013-10-16 01:04:32.000000000 +0200
++++ bind-9.9.4-P2/bin/named/query.c 2013-12-20 01:28:28.000000000 +0100
+@@ -5260,8 +5260,7 @@ query_findclosestnsec3(dns_name_t *qname
+ dns_fixedname_t fixed;
+ dns_hash_t hash;
+ dns_name_t name;
+- int order;
+- unsigned int count;
++ unsigned int skip = 0, labels;
+ dns_rdata_nsec3_t nsec3;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_boolean_t optout;
+@@ -5276,6 +5275,7 @@ query_findclosestnsec3(dns_name_t *qname
+ 
+ dns_name_init(&name, NULL);
+ dns_name_clone(qname, &name);
++ labels = dns_name_countlabels(&name);
+ dns_clientinfomethods_init(&cm, ns_client_sourceip);
+ dns_clientinfo_init(&ci, client);
+ 
+@@ -5309,13 +5309,14 @@ query_findclosestnsec3(dns_name_t *qname
+ dns_rdata_reset(&rdata);
+ optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
+ if (found != NULL && optout &&
+- dns_name_fullcompare(&name, dns_db_origin(db), &order,
+- &count) == dns_namereln_subdomain) {
++ dns_name_issubdomain(&name, dns_db_origin(db)))
++ {
+ dns_rdataset_disassociate(rdataset);
+ if (dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+- count = dns_name_countlabels(&name) - 1;
+- dns_name_getlabelsequence(&name, 1, count, &name);
++ skip++;
++ dns_name_getlabelsequence(qname, skip, labels - skip,
++ &name);
+ ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
+ "looking for closest provable encloser");
+@@ -5333,7 +5334,11 @@ query_findclosestnsec3(dns_name_t *qname
+ ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+ "expected covering NSEC3, got an exact match");
+- if (found != NULL)
++ if (found == qname) {
++ if (skip != 0U)
++ dns_name_getlabelsequence(qname, skip, labels - skip,
++ found);
++ } else if (found != NULL)
+ dns_name_copy(&name, found, NULL);
+ return;
+ }
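Review bot: The patch file carries no provenance header: it is a bare `diff -pruN` between the bind-9.9.4-P1 and bind-9.9.4-P2 trees, with nothing naming the advisory or the upstream change it backports, so a later maintainer cannot tell whether this is the complete CVE-2014-0591 fix from 9.9.4-P2 or only part of it. The bind99-ISC-Bugs-35080.patch added later in this commit shows the preferred form (upstream commit id, author and change number above the diff); a first line such as `CVE-2014-0591: query_findclosestnsec3() fix taken from bind-9.9.4-P2 (upstream change number: <fill in>)` would do, and bind99-ISC-Bugs-35073.patch lacks a header in the same way. On the code itself, `labels - skip` is unsigned arithmetic: within the hunk `skip` is only incremented inside the branch guarded by `dns_name_issubdomain(&name, dns_db_origin(db))`, which should keep it below `labels`, but the control flow that re-enters this branch lies outside the hunk, so that bound is worth confirming against the full function before relying on it. query_findclosestnsec3() starts and ends outside the hunk.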
diff --git a/SOURCES/bind99-ISC-Bugs-35073.patch b/SOURCES/bind99-ISC-Bugs-35073.patch
new file mode 100644
index 0000000..c8be3ed
--- /dev/null
+++ b/SOURCES/bind99-ISC-Bugs-35073.patch
@@ -0,0 +1,31 @@
+diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
+index 486c102..dc12a85 100644
+--- a/bin/nsupdate/nsupdate.c
++++ b/bin/nsupdate/nsupdate.c
+@@ -1566,16 +1566,20 @@ evaluate_realm(char *cmdline) {
+ #ifdef GSSAPI
+ char *word;
+ char buf[1024];
++ int n;
+ 
+- word = nsu_strsep(&cmdline, " \t\r\n");
+- if (word == NULL || *word == 0) {
+- if (realm != NULL)
+- isc_mem_free(mctx, realm);
++ if (realm != NULL) {
++ isc_mem_free(mctx, realm);
+ realm = NULL;
+- return (STATUS_MORE);
+ }
+ 
+- snprintf(buf, sizeof(buf), "@%s", word);
++ word = nsu_strsep(&cmdline, " \t\r\n");
++ if (word == NULL || *word == 0)
++ return (STATUS_MORE);
++
++ n = snprintf(buf, sizeof(buf), "@%s", word);
++ if (n < 0 || (size_t)n >= sizeof(buf))
++ fatal("realm is too long");
+ realm = isc_mem_strdup(mctx, buf);
+ if (realm == NULL)
+ fatal("out of memory");
diff --git a/SOURCES/bind99-ISC-Bugs-35080.patch b/SOURCES/bind99-ISC-Bugs-35080.patch
new file mode 100644
index 0000000..14c383f
--- /dev/null
+++ b/SOURCES/bind99-ISC-Bugs-35080.patch
@@ -0,0 +1,42 @@
+commit 3a2ea636103eaf40404fb82f228605d384c36434
+Author: Mark Andrews
+Date: Tue Dec 17 09:08:59 2013 +1100
+
+ 3692. [bug] Two calls to dns_db_getoriginnode were fatal if there
+ was no data at the node. [RT #35080]
+
+ (cherry picked from commit 161e803a5608956271d8120be37a1b383d14b647)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index 2dd4aa0..941b77e 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -1638,8 +1638,11 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ 
+ nodelock = &rbtdb->node_locks[bucket];
+ 
++#define KEEP_NODE(n, r) \
++ ((n)->data != NULL || (n)->down != NULL || (n) == (r)->origin_node)
++
+ /* Handle easy and typical case first. */
+- if (!node->dirty && (node->data != NULL || node->down != NULL)) {
++ if (!node->dirty && KEEP_NODE(node, rbtdb)) {
+ dns_rbtnode_refdecrement(node, &nrefs);
+ INSIST((int)nrefs >= 0);
+ if (nrefs == 0) {
+@@ -1708,12 +1711,11 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ isc_refcount_decrement(&nodelock->references, &refs);
+ INSIST((int)refs >= 0);
+ 
+- /*
+- * XXXDCL should this only be done for cache zones?
+- */
+- if (node->data != NULL || node->down != NULL)
++ if (KEEP_NODE(node, rbtdb))
+ goto restore_locks;
+ 
++#undef KEEP_NODE
++
+ if (write_locked) {
+ /*
+ * We can now delete the node.
diff --git a/SOURCES/named-chroot-setup.service b/SOURCES/named-chroot-setup.service
new file mode 100644
index 0000000..9870a88
--- /dev/null
+++ b/SOURCES/named-chroot-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named (DNS)
+BindsTo=named-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
diff --git a/SOURCES/named-chroot.service b/SOURCES/named-chroot.service
index f11533c..39d3700 100644
--- a/SOURCES/named-chroot.service +++ b/SOURCES/named-chroot.service @@ -5,8 +5,10 @@ [Unit] Description=Berkeley Internet Name Domain (DNS) Wants=nss-lookup.target +Requires=named-chroot-setup.service Before=nss-lookup.target After=network.target +After=named-chroot-setup.service [Service] Type=forking @@ -14,15 +16,12 @@ EnvironmentFile=-/etc/sysconfig/named Environment=KRB5_KTNAME=/etc/named.keytab PIDFile=/var/named/chroot/run/named/named.pid -ExecStartPre=/usr/libexec/generate-rndc-key.sh -ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf ExecStart=/usr/sbin/named -u named -t /var/named/chroot $OPTIONS ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' -ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off PrivateTmp=false diff --git a/SOURCES/named-sdb-chroot-setup.service b/SOURCES/named-sdb-chroot-setup.service new file mode 100644 index 0000000..0967a60 --- /dev/null +++ b/SOURCES/named-sdb-chroot-setup.service @@ -0,0 +1,12 @@ +[Unit] +Description=Set-up/destroy chroot environment for named-sdb +BindsTo=named-sdb-chroot.service +Wants=named-setup-rndc.service +After=named-setup-rndc.service + + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on +ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off diff --git a/SOURCES/named-sdb-chroot.service b/SOURCES/named-sdb-chroot.service index 23b632b..09b7974 100644 --- a/SOURCES/named-sdb-chroot.service +++ b/SOURCES/named-sdb-chroot.service 
@@ -1,28 +1,27 @@ -# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log" +# Don't forget to add "$AddUnixListenSocket /var/named/chroot_sdb/dev/log" # line to your /etc/rsyslog.conf file. Otherwise your logging becomes # broken when rsyslogd daemon is restarted (due update, for example). [Unit] Description=Berkeley Internet Name Domain (DNS) Wants=nss-lookup.target +Requires=named-sdb-chroot-setup.service Before=nss-lookup.target After=network.target +After=named-sdb-chroot-setup.service [Service] Type=forking EnvironmentFile=-/etc/sysconfig/named Environment=KRB5_KTNAME=/etc/named.keytab -PIDFile=/var/named/chroot/run/named/named.pid +PIDFile=/var/named/chroot_sdb/run/named/named.pid -ExecStartPre=/usr/libexec/generate-rndc-key.sh -ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on -ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf -ExecStart=/usr/sbin/named-sdb -u named -t /var/named/chroot $OPTIONS +ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot_sdb -z /etc/named.conf +ExecStart=/usr/sbin/named-sdb -u named -t /var/named/chroot_sdb $OPTIONS ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' -ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off PrivateTmp=false diff --git a/SOURCES/named-sdb.service b/SOURCES/named-sdb.service index ef3f6ab..e0cd31c 100644 --- a/SOURCES/named-sdb.service +++ b/SOURCES/named-sdb.service @@ -1,8 +1,10 @@ [Unit] Description=Berkeley Internet Name Domain (DNS) Wants=nss-lookup.target +Wants=named-setup-rndc.service Before=nss-lookup.target After=network.target +After=named-setup-rndc.service [Service] Type=forking 
@@ -10,7 +12,6 @@ EnvironmentFile=-/etc/sysconfig/named Environment=KRB5_KTNAME=/etc/named.keytab PIDFile=/run/named/named.pid -ExecStartPre=/usr/libexec/generate-rndc-key.sh ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf ExecStart=/usr/sbin/named-sdb -u named $OPTIONS diff --git a/SOURCES/named-setup-rndc.service b/SOURCES/named-setup-rndc.service new file mode 100644 index 0000000..ff85e3c --- /dev/null +++ b/SOURCES/named-setup-rndc.service @@ -0,0 +1,7 @@ +[Unit] +Description=Generate rndc key for BIND (DNS) + +[Service] +Type=oneshot + +ExecStart=/usr/libexec/generate-rndc-key.sh diff --git a/SOURCES/named.conf.sample b/SOURCES/named.conf.sample index 038e712..aee040a 100644 --- a/SOURCES/named.conf.sample +++ b/SOURCES/named.conf.sample @@ -71,7 +71,10 @@ options /* Enable DLV by default, use built-in ISC DLV key. */ dnssec-lookaside auto; + /* In RHEL-7 we use /run/named instead of default /var/run/named + so we have to configure paths properly. */ pid-file "/run/named/named.pid"; + session-keyfile "/run/named/session.key"; managed-keys-directory "/var/named/dynamic"; }; diff --git a/SOURCES/named.rwtab b/SOURCES/named.rwtab new file mode 100644 index 0000000..2cb3a41 --- /dev/null +++ b/SOURCES/named.rwtab @@ -0,0 +1,6 @@ +dirs /var/named + +files /var/named/named.ca +files /var/named/named.empty +files /var/named/named.localhost +files /var/named/named.loopback diff --git a/SOURCES/named.service b/SOURCES/named.service index f04403b..7e48c89 100644 --- a/SOURCES/named.service +++ b/SOURCES/named.service @@ -1,8 +1,10 @@ [Unit] Description=Berkeley Internet Name Domain (DNS) Wants=nss-lookup.target +Wants=named-setup-rndc.service Before=nss-lookup.target After=network.target +After=named-setup-rndc.service [Service] Type=forking 
@@ -10,7 +12,6 @@ EnvironmentFile=-/etc/sysconfig/named Environment=KRB5_KTNAME=/etc/named.keytab PIDFile=/run/named/named.pid -ExecStartPre=/usr/libexec/generate-rndc-key.sh ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf ExecStart=/usr/sbin/named -u named $OPTIONS diff --git a/SOURCES/setup-named-chroot.sh b/SOURCES/setup-named-chroot.sh index 6071f75..8de494b 100755 --- a/SOURCES/setup-named-chroot.sh +++ b/SOURCES/setup-named-chroot.sh @@ -44,7 +44,7 @@ mount_chroot_conf() # Mount source is a directory. Mount it only if directory in chroot is # empty. if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then - mount --bind "$all" "$ROOTDIR$all" + mount --bind --make-private "$all" "$ROOTDIR$all" fi fi done diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 461cb86..aa4cc64 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -21,12 +21,15 @@ %{?!DEVEL: %global DEVEL 1} %global bind_dir /var/named %global chroot_prefix %{bind_dir}/chroot +%if %{SDB} +%global chroot_sdb_prefix %{bind_dir}/chroot_sdb +%endif # Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: ISC Version: 9.9.4 -Release: 4%{?PATCHVER}%{?PREVER}%{?dist} +Release: 14%{?PATCHVER}%{?PREVER}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -40,7 +43,7 @@ Source7: bind-9.3.1rc1-sdb_tools-Makefile.in Source8: dnszone.schema Source12: README.sdb_pgsql Source25: named.conf.sample -Source28: config-11.tar.bz2 +Source28: config-12.tar.bz2 Source30: ldap2zone.c Source31: ldap2zone.1 Source32: named-sdb.8 @@ -54,6 +57,10 @@ Source39: named-sdb.service Source40: named-sdb-chroot.service Source41: setup-named-chroot.sh Source42: generate-rndc-key.sh +Source43: named.rwtab +Source44: named-chroot-setup.service +Source45: named-sdb-chroot-setup.service +Source46: named-setup-rndc.service # Common patches Patch5: bind-nonexec.patch 
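Review bot: `mount --bind --make-private "$all" "$ROOTDIR$all"` depends on mount(8) applying the propagation change in the same call as the bind; util-linux releases that predate support for the combined form perform only the bind and leave the new mount in the parent's (typically shared) propagation group, so mount and umount events keep flowing between the host and the chroot, which is exactly what `--make-private` is meant to stop. Unless the mount(8) shipped with the target release is known to honour the combined form, the portable spelling is two calls, `mount --bind "$all" "$ROOTDIR$all"` followed by `mount --make-private "$ROOTDIR$all"`, and a short comment saying why the mount is made private would help the next reader. The guard on the context line above still expands `$ROOTDIR$all` unquoted inside the `ls` command substitution; that is pre-existing, but since it is the only check deciding whether host configuration gets bind-mounted into the chroot, quoting it as `"$ROOTDIR$all"` while touching this block is cheap. mount_chroot_conf() starts and ends outside the hunk.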
@@ -74,7 +81,7 @@ Patch123:bind98-rh735103.patch Patch124:nslookup-norec.patch Patch125:bind99-buildfix.patch Patch127:bind99-forward.patch -Patch130:bind-9.9.1-P2-dlz-libdb4.patch +Patch130:bind-9.9.1-P2-dlz-libdb.patch Patch131:bind-9.9.1-P2-multlib-conflict.patch Patch133:bind99-rh640538.patch Patch134:bind97-rh669163.patch @@ -83,6 +90,9 @@ Patch137:bind99-rrl.patch Patch138:bind-9.9.3-include-update-h.patch Patch139:bind99-ISC-Bugs-34738.patch Patch140:bind99-ISC-Bugs-34870-v3.patch +Patch141:bind99-ISC-Bugs-35073.patch +Patch142:bind99-ISC-Bugs-35080.patch +Patch143:bind99-CVE-2014-0591.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -119,7 +129,7 @@ BuildRequires: libidn-devel, libxml2-devel BuildRequires: systemd-units %if %{SDB} BuildRequires: openldap-devel, postgresql-devel, sqlite-devel, mysql-devel -BuildRequires: db4-devel +BuildRequires: libdb-devel %endif %if %{test} BuildRequires: net-tools @@ -246,6 +256,21 @@ This package contains a tree of files which can be used as a chroot(2) jail for the named(8) program from the BIND package. Based on the code from Jan "Yenya" Kasprzak +%if %{SDB} +%package sdb-chroot +Summary: A chroot runtime environment for the ISC BIND DNS server, named-sdb(8) +Group: System Environment/Daemons +Prefix: %{chroot_prefix} +Requires: bind-sdb +Requires: systemd-units + +%description sdb-chroot +This package contains a tree of files which can be used as a +chroot(2) jail for the named-sdb(8) program from the BIND package. +Based on the code from Jan "Yenya" Kasprzak +%endif + + %prep %setup -q -n %{name}-%{VERSION} 
@@ -277,12 +302,15 @@ pushd bin/dig popd %patch125 -p1 -b .buildfix %patch127 -p1 -b .forward -%patch130 -p1 -b .libdb4 +%patch130 -p1 -b .libdb %patch131 -p1 -b .multlib-conflict %patch137 -p1 -b .rrl %patch138 -p1 -b .update %patch139 -p1 -b .journal %patch140 -p1 -b .send_buffers +%patch141 -p1 -b .leak_35073 +%patch142 -p1 -b .rbt_crash +%patch143 -p1 -b .CVE-2014-059 %if %{SDB} %patch101 -p1 -b .old-api @@ -344,6 +372,7 @@ libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f --localstatedir=/var \ --enable-threads \ --enable-ipv6 \ + --enable-filter-aaaa \ --enable-rrl \ --with-pic \ --disable-static \ @@ -416,6 +445,12 @@ mkdir -p ${RPM_BUILD_ROOT}/var/log #chroot mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/{dev,etc,var,run/named} mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/var/{log,named,tmp} + +# create symlink as it is on real filesystem +pushd ${RPM_BUILD_ROOT}/%{chroot_prefix}/var +ln -s ../run run +popd + mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/{pki/dnssec-keys,named} mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/%{_libdir}/bind # these are required to prevent them being erased during upgrade of previous 
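Review bot: The backup suffix on the new `%patch143` line is truncated: `%patch143 -p1 -b .CVE-2014-059` drops the final digit of CVE-2014-0591, so the backup copies left in the build tree (`query.c.CVE-2014-059`) will not match the advisory id anyone searches for when auditing which fixes a build contains. It should read `%patch143 -p1 -b .CVE-2014-0591`. The two neighbouring suffixes `.leak_35073` and `.rbt_crash` are descriptive but the second one does not carry the ticket number the file name `bind99-ISC-Bugs-35080.patch` uses; `.rbt_crash_35080` would keep the backups traceable to the ISC ticket in the same way as the line above it.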
@@ -428,6 +463,29 @@ touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/localtime touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/named.conf #end chroot +#sdb-chroot +%if %{SDB} +mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/{dev,etc,var,run/named} +mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var/{log,named,tmp} + +# create symlink as it is on real filesystem +pushd ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var +ln -s ../run run +popd + +mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/{pki/dnssec-keys,named} +mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/%{_libdir}/bind +# these are required to prevent them being erased during upgrade of previous +# versions that included them (bug #130121): +touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/null +touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/random +touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/zero +touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/localtime + +touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/named.conf +%endif +#end sdb-chroot + make DESTDIR=${RPM_BUILD_ROOT} install # Remove unwanted files @@ -437,10 +495,14 @@ rm -f ${RPM_BUILD_ROOT}/etc/bind.keys mkdir -p ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE37} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir} + %if %{SDB} install -m 644 %{SOURCE39} ${RPM_BUILD_ROOT}%{_unitdir} -%endif install -m 644 %{SOURCE40} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 644 %{SOURCE45} ${RPM_BUILD_ROOT}%{_unitdir} +%endif mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir} install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh 
@@ -511,6 +573,9 @@ done mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/tmpfiles.d install -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_sysconfdir}/tmpfiles.d/named.conf +mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d +install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named + %pre if [ "$1" -eq 1 ]; then /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :; @@ -574,7 +639,6 @@ fi %post chroot %systemd_post named-chroot.service -%systemd_post named-sdb-chroot.service if [ "$1" -gt 0 ]; then [ -e %{chroot_prefix}/dev/random ] || \ /bin/mknod %{chroot_prefix}/dev/random c 1 8 @@ -595,7 +659,6 @@ fi; %preun chroot %systemd_preun named-chroot.service -%systemd_preun named-sdb-chroot.service if [ "$1" -eq 0 ]; then # Package removal, not upgrade rm -f %{chroot_prefix}/dev/{random,zero,null} 
@@ -606,8 +669,45 @@ fi %postun chroot # Package upgrade, not uninstall %systemd_postun_with_restart named-chroot.service + + +%if %{SDB} + +%post sdb-chroot +%systemd_post named-sdb-chroot.service +if [ "$1" -gt 0 ]; then + [ -e %{chroot_sdb_prefix}/dev/random ] || \ + /bin/mknod %{chroot_sdb_prefix}/dev/random c 1 8 + [ -e %{chroot_sdb_prefix}/dev/zero ] || \ + /bin/mknod %{chroot_sdb_prefix}/dev/zero c 1 5 + [ -e %{chroot_sdb_prefix}/dev/null ] || \ + /bin/mknod %{chroot_sdb_prefix}/dev/null c 1 3 + rm -f %{chroot_sdb_prefix}/etc/localtime + cp /etc/localtime %{chroot_sdb_prefix}/etc/localtime +fi; +:; + +%posttrans sdb-chroot +if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then + [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_sdb_prefix}/dev/* > /dev/null 2>&1; +fi; +:; + +%preun sdb-chroot +%systemd_preun named-sdb-chroot.service +if [ "$1" -eq 0 ]; then + # Package removal, not upgrade + rm -f %{chroot_sdb_prefix}/dev/{random,zero,null} + rm -f %{chroot_sdb_prefix}/etc/localtime +fi +:; + +%postun sdb-chroot +# Package upgrade, not uninstall %systemd_postun_with_restart named-sdb-chroot.service +%endif + %clean rm -rf ${RPM_BUILD_ROOT} :; @@ -619,7 +719,9 @@ rm -rf ${RPM_BUILD_ROOT} %config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.iscdlv.key %config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key %{_sysconfdir}/tmpfiles.d/named.conf +%{_sysconfdir}/rwtab.d/named %{_unitdir}/named.service +%{_unitdir}/named-setup-rndc.service %{_sysconfdir}/NetworkManager/dispatcher.d/13-named %{_sbindir}/arpaname %{_sbindir}/ddns-confgen @@ -749,7 +851,7 @@ rm -rf ${RPM_BUILD_ROOT} %files chroot %defattr(-,root,root,-) %{_unitdir}/named-chroot.service -%{_unitdir}/named-sdb-chroot.service +%{_unitdir}/named-chroot-setup.service %{_libexecdir}/setup-named-chroot.sh %ghost %{chroot_prefix}/dev/null %ghost %{chroot_prefix}/dev/random 
@@ -771,9 +873,41 @@ rm -rf ${RPM_BUILD_ROOT} %dir %{chroot_prefix}/run/named %dir %{chroot_prefix}/var/tmp %dir %{chroot_prefix}/var/log +%{chroot_prefix}/var/run %dir %{chroot_prefix}/usr %dir %{chroot_prefix}/%{_libdir} +%if %{SDB} +%files sdb-chroot +%defattr(-,root,root,-) +%{_unitdir}/named-sdb-chroot.service +%{_unitdir}/named-sdb-chroot-setup.service +%{_libexecdir}/setup-named-chroot.sh +%ghost %{chroot_sdb_prefix}/dev/null +%ghost %{chroot_sdb_prefix}/dev/random +%ghost %{chroot_sdb_prefix}/dev/zero +%ghost %{chroot_sdb_prefix}/etc/localtime +%defattr(0640,root,named,0750) +%dir %{chroot_sdb_prefix} +%dir %{chroot_sdb_prefix}/dev +%dir %{chroot_sdb_prefix}/etc +%dir %{chroot_sdb_prefix}/etc/named +%dir %{chroot_sdb_prefix}/etc/pki +%dir %{chroot_sdb_prefix}/etc/pki/dnssec-keys +%dir %{chroot_sdb_prefix}/var +%dir %{chroot_sdb_prefix}/run +%dir %{chroot_sdb_prefix}/var/named +%dir %{chroot_sdb_prefix}/%{_libdir}/bind +%ghost %config(noreplace) %{chroot_sdb_prefix}/etc/named.conf +%defattr(0660,named,named,0770) +%dir %{chroot_sdb_prefix}/run/named +%dir %{chroot_sdb_prefix}/var/tmp +%dir %{chroot_sdb_prefix}/var/log +%{chroot_sdb_prefix}/var/run +%dir %{chroot_sdb_prefix}/usr +%dir %{chroot_sdb_prefix}/%{_libdir} +%endif + %if %{PKCS11} %files pkcs11 %defattr(-,root,root,-) 
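Review bot: `%{_libexecdir}/setup-named-chroot.sh` is now listed in both `%files chroot` and the new `%files sdb-chroot`, so two subpackages own the same path. rpm tolerates this when the file contents are identical, as they are here since both come from one build, but ownership becomes ambiguous for `rpm -qf` and on removal of either subpackage, and any future divergence between the two chroot layouts would turn into a file conflict. Since the %install hunk earlier in this commit installs the script unconditionally (`install -m 755 %{SOURCE41}` sits outside the `%if %{SDB}` block), one option is to list it once in the main package's `%files` and drop it from both chroot subpackages; another is `Requires: bind-chroot` on sdb-chroot with the duplicate line removed. Which is preferable depends on whether bind-sdb-chroot is meant to be installable without bind-chroot, which the spec does not state.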
@@ -785,6 +919,40 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Fri Jan 24 2014 Daniel Mach - 32:9.9.4-14 +- Mass rebuild 2014-01-24 + +* Wed Jan 15 2014 Honza Horak - 32:9.9.4-13 +- Rebuild for mariadb-libs + Related: #1045013 + +* Tue Jan 14 2014 Tomas Hozza 32:9.9.4-12 +- Fix CVE-2014-0591 + +* Mon Jan 06 2014 Tomas Hozza 32:9.9.4-11 +- Build against libdb instead of libdb4 (#1044990) + +* Fri Dec 27 2013 Daniel Mach - 32:9.9.4-10 +- Mass rebuild 2013-12-27 + +* Wed Dec 18 2013 Tomas Hozza 32:9.9.4-9 +- Fix crash in rbtdb after two sucessive getoriginnode() calls (#1044026) + +* Tue Dec 17 2013 Tomas Hozza 32:9.9.4-8 +- Split chroot package for named and named-sdb +- Extract setting-up/destroying of chroot to a separate systemd service (#1004300) + +* Thu Dec 05 2013 Tomas Hozza 32:9.9.4-7 +- Create symlink /var/named/chroot/var/run -> /var/named/chroot/run (#1024384) +- Added session-keyfile statement into default named.conf since we use /run/named (#1024384) + +* Thu Nov 28 2013 Tomas Hozza 32:9.9.4-6 +- Fixed memory leak in nsupdate if 'realm' was used multiple times (#1034824) + +* Tue Nov 12 2013 Tomas Hozza 32:9.9.4-5 +- Install configuration for rwtab and fix chroot setup script (#1028189) +- use --enable-filter-aaaa when building bind to enable filter-aaaa-on-v4 option (#1025245) + * Thu Oct 31 2013 Tomas Hozza 32:9.9.4-4 - Correct the patch for #1020683