diff --git a/.cockpit-appstream.metadata b/.cockpit-appstream.metadata index 4a87ba9..995504e 100644 --- a/.cockpit-appstream.metadata +++ b/.cockpit-appstream.metadata @@ -1,2 +1,2 @@ -9c4eaceb65904809ba4ae1e03d71da01febf3053 SOURCES/cockpit-242.tar.xz -d01759da94df9218925297c608196b5c50b0c23b SOURCES/cockpit-machines-243.tar.gz +1730745862cb05d1550f07b29920d6b5ac8356a8 SOURCES/cockpit-244.1.tar.xz +f56e17bb4390e2c77d0463b846a2411af6b1e67e SOURCES/cockpit-machines-244.1.tar.gz diff --git a/.gitignore b/.gitignore index 2c204cd..dcc6476 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/cockpit-242.tar.xz -SOURCES/cockpit-machines-243.tar.gz +SOURCES/cockpit-244.1.tar.xz +SOURCES/cockpit-machines-244.1.tar.gz diff --git a/SPECS/cockpit-appstream.spec b/SPECS/cockpit-appstream.spec index 651cbfd..65e53af 100644 --- a/SPECS/cockpit-appstream.spec +++ b/SPECS/cockpit-appstream.spec @@ -1,5 +1,5 @@ # This spec file has been automatically updated -Version: 242 +Version: 244.1 Release: 1%{?dist} # # Copyright (C) 2014-2020 Red Hat, Inc. @@ -35,7 +35,7 @@ Release: 1%{?dist} # by tools/gen-spec-dependencies during "make dist", but keep a hardcoded fallback %define required_base 122 -%define machines_version 243 +%define machines_version 244.1 # we generally want CentOS packages to be like RHEL; special cases need to check %{centos} explicitly %if 0%{?centos} @@ -84,6 +84,13 @@ Source1: https://github.com/cockpit-project/cockpit-machines/releases/dow %define build_optional 1 %endif +# Ship custom SELinux policy only in Fedora and RHEL-9 onward +%if 0%{?rhel} >= 9 || 0%{?fedora} +%define selinuxtype targeted +%define with_selinux 1 +%define selinux_policy_version %(rpm --quiet -q selinux-policy && rpm -q --queryformat "%{V}-%{R}" selinux-policy || echo 1) +%endif + BuildRequires: gcc BuildRequires: pkgconfig(gio-unix-2.0) BuildRequires: pkgconfig(json-glib-1.0) 
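Review bot: In the `selinux_policy_version` definition added to `SPECS/cockpit-appstream.spec`, `%{V}` and `%{R}` sit unescaped inside a macro body. They reach `rpm --queryformat` intact only because rpm leaves undefined macros unexpanded. Writing them as `%%{V}-%%{R}` keeps the query correct even if some macro file ever defines `V` or `R`. The `|| echo 1` fallback also makes the `Requires: (selinux-policy >= %{selinux_policy_version} ...)` line in the cockpit-ws hunk further down collapse to `>= 1` whenever selinux-policy is absent at expansion time, which leaves the minimum policy version unenforced. A short comment such as `# fallback only for parsing the spec outside a build root; real builds have BuildRequires: selinux-policy` would record that intent.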
@@ -128,6 +135,11 @@ BuildRequires: gdb # For documentation BuildRequires: xmlto +%if 0%{?with_selinux} +BuildRequires: selinux-policy +BuildRequires: selinux-policy-devel +%endif + # This is the "cockpit" metapackage. It should only # Require, Suggest or Recommend other cockpit-xxx subpackages @@ -169,6 +181,11 @@ exec 2>&1 make -j4 %{?extra_flags} all +%if 0%{?with_selinux} + make -f /usr/share/selinux/devel/Makefile cockpit.pp + bzip2 -9 cockpit.pp +%endif + %check exec 2>&1 # HACK: Fedora koji builders are very slow, unreliable, and inaccessible for debugging; https://github.com/cockpit-project/cockpit/issues/13909 @@ -194,6 +211,14 @@ install -p -m 644 tools/cockpit.pam $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/cockpit rm -f %{buildroot}/%{_libdir}/cockpit/*.so install -D -p -m 644 AUTHORS COPYING README.md %{buildroot}%{_docdir}/cockpit/ +%if 0%{?with_selinux} + install -D -m 644 %{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 + install -D -m 644 -t %{buildroot}%{_mandir}/man8 selinux/%{name}_session_selinux.8cockpit + install -D -m 644 -t %{buildroot}%{_mandir}/man8 selinux/%{name}_ws_selinux.8cockpit + # create this directory in the build root so that %ghost sees the desired mode + install -d -m 700 %{buildroot}%{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%endif + # only ship deprecated PatternFly API for stable releases %if 0%{?fedora} <= 33 || 0%{?rhel} <= 8 ln -s cockpit.css.gz %{buildroot}/%{_datadir}/cockpit/base1/patternfly.css.gz @@ -255,6 +280,7 @@ echo '%dir %{_datadir}/cockpit/playground' > tests.list find %{buildroot}%{_datadir}/cockpit/playground -type f >> tests.list echo '%dir %{_datadir}/cockpit/static' > static.list +echo '%dir %{_datadir}/cockpit/static/fonts' >> static.list find %{buildroot}%{_datadir}/cockpit/static -type f >> static.list # when not building basic packages, remove their files 
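Review bot: The `%build` addition produces a module named literally `cockpit.pp` (compressed to `cockpit.pp.bz2`), but the `%install` lines in the next hunk copy `%{name}.pp.bz2`. The later `%files`, `%selinux_modules_install` and `%selinux_modules_uninstall` lines also use `%{name}`. These agree only if `Name:` expands to `cockpit`; the Name tag is not visible in this diff and the file is `cockpit-appstream.spec`, so with any other name the install step would fail once `with_selinux` is set. Using one spelling throughout removes that dependency, for example `%define modulename cockpit` referenced in every place. The build line could also use `%{_datadir}/selinux/devel/Makefile` rather than the literal `/usr/share` path, matching the `%{_datadir}` usage in the install lines.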
@@ -299,8 +325,6 @@ sed -i "s|%{buildroot}||" *.list pushd %{buildroot}/%{_datadir}/cockpit/branding find -L * -type l -printf "%H\n" | sort -u | xargs rm -rv popd -# need this in SUSE as post build checks dislike stale symlinks -install -m 644 -D /dev/null %{buildroot}/run/cockpit/motd %else %global _debugsource_packages 1 %global _debuginfo_subpackages 0 @@ -398,10 +422,9 @@ Provides: cockpit-shell = %{version}-%{release} Provides: cockpit-systemd = %{version}-%{release} Provides: cockpit-tuned = %{version}-%{release} Provides: cockpit-users = %{version}-%{release} -Obsoletes: cockpit-dashboard +Obsoletes: cockpit-dashboard < %{version}-%{release} %if 0%{?rhel} Provides: cockpit-networkmanager = %{version}-%{release} -Obsoletes: cockpit-networkmanager Requires: NetworkManager >= 1.6 Provides: cockpit-kdump = %{version}-%{release} Requires: kexec-tools @@ -435,6 +458,10 @@ Summary: Cockpit Web Service Requires: glib-networking Requires: openssl Requires: glib2 >= 2.50.0 +%if 0%{?with_selinux} +Requires: (selinux-policy >= %{selinux_policy_version} if selinux-policy-%{selinuxtype}) +Requires(post): (policycoreutils if selinux-policy-%{selinuxtype}) +%endif Conflicts: firewalld < 0.6.0-1 Recommends: sscg >= 2.3 Recommends: system-logos @@ -457,10 +484,9 @@ authentication via sssd/FreeIPA. %dir %{_sysconfdir}/cockpit %config(noreplace) %{_sysconfdir}/cockpit/ws-certs.d %config(noreplace) %{_sysconfdir}/pam.d/cockpit -%config %{_sysconfdir}/issue.d/cockpit.issue -%config %{_sysconfdir}/motd.d/cockpit -%ghost /run/cockpit/motd -%ghost %dir /run/cockpit +# created in %post, so that users can rm the files +%ghost %{_sysconfdir}/issue.d/cockpit.issue +%ghost %{_sysconfdir}/motd.d/cockpit %dir %{_datadir}/cockpit/motd %{_datadir}/cockpit/motd/update-motd %{_datadir}/cockpit/motd/inactive.motd 
@@ -489,13 +515,40 @@ authentication via sssd/FreeIPA. %attr(4750, root, cockpit-wsinstance) %{_libexecdir}/cockpit-session %{_datadir}/cockpit/branding +%if 0%{?with_selinux} + %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 + %{_mandir}/man8/%{name}_session_selinux.8cockpit.* + %{_mandir}/man8/%{name}_ws_selinux.8cockpit.* + %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%endif + %pre ws getent group cockpit-ws >/dev/null || groupadd -r cockpit-ws getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d /nonexisting -s /sbin/nologin -c "User for cockpit web service" cockpit-ws getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance +%if 0%{?with_selinux} +if %{_sbindir}/selinuxenabled 2>/dev/null; then + %selinux_relabel_pre -s %{selinuxtype} +fi +%endif + %post ws +%if 0%{?with_selinux} +if %{_sbindir}/selinuxenabled 2>/dev/null; then + %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 + %selinux_relabel_post -s %{selinuxtype} +fi +%endif + +# set up dynamic motd/issue symlinks on first-time install; don't bring them back on upgrades if admin removed them +if [ "$1" = 1 ]; then + mkdir -p /etc/motd.d /etc/issue.d + ln -s /run/cockpit/motd /etc/motd.d/cockpit + ln -s /run/cockpit/motd /etc/issue.d/cockpit.issue +fi + %tmpfiles_create cockpit-tempfiles.conf %systemd_post cockpit.socket cockpit.service # firewalld only partially picks up changes to its services files without this 
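Review bot: Wrapping `%selinux_modules_install` in `if %{_sbindir}/selinuxenabled` in `%post ws` means a host with SELinux disabled at install time never gets the cockpit module in its policy store. Enabling SELinux later would then leave the setuid `cockpit-session` helper and the web service without their custom policy until the package is reinstalled. As far as I recall, the selinux-policy macros already install with `semodule -n` and gate only the policy reload on `selinuxenabled`, so the outer guard may be unnecessary; that should be confirmed against the macro definitions in the target release. If the guard is deliberate, a comment stating the reason would help the next maintainer. Separately, the motd block uses literal `/etc/motd.d` and `/etc/issue.d` where `%files` declares the same paths through `%{_sysconfdir}`, and a plain `ln -s` reports an error on first install if a file already exists at either path.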
@@ -505,6 +558,12 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true %systemd_preun cockpit.socket cockpit.service %postun ws +%if 0%{?with_selinux} +if %{_sbindir}/selinuxenabled 2>/dev/null; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} + %selinux_relabel_post -s %{selinuxtype} +fi +%endif %systemd_postun_with_restart cockpit.socket cockpit.service # ------------------------------------------------------------------------------- @@ -684,6 +743,9 @@ via PackageKit. # The changelog is automatically generated and merged %changelog +* Tue May 18 2021 Martin Pitt - 244.1-1 +- Machines: Edit the MAC address of a VM’s network interface + * Fri Apr 16 2021 Martin Pitt - 242-1 - Updates: Show subscription status on cloud images (rhbz#1931429) - Machines: Allow creation of non-root user for unattended installations (rhbz#1940287)
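Review bot: The `%postun ws` block calls `%selinux_modules_uninstall` without an explicit `$1` check. On an upgrade the old package's `%postun` runs after the new package's `%post`, so whether the freshly installed module survives depends entirely on a guard inside the macro, which is not visible in this spec. Making the intent explicit with `if [ "$1" -eq 0 ]; then ... fi` around the uninstall (inside the existing `selinuxenabled` test) would keep the module in place on upgrades regardless of how the macro is implemented. The same `selinuxenabled` guard also means a module installed while SELinux was enabled is left in the store if the package is removed after SELinux has been disabled.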