diff --git a/cockpit.changes b/cockpit.changes index e24610f..16789ee 100644 --- a/cockpit.changes +++ b/cockpit.changes @@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Mon Mar 4 13:24:23 UTC 2024 - Adam Majer + +- cockpit.pam: respect /etc/cockpit/disallowed-users + This means by default root cannot login with password to cockpit + (bsc#1216080) + +------------------------------------------------------------------- +Thu Feb 29 16:40:06 UTC 2024 - Cathy Hu + +- Remove SELinux file context for /usr/bin/cockpit-bridge, this + is already defined in the main selinux-policy package (bsc#1220385). + Modified selinux_libdir.patch + +------------------------------------------------------------------- +Mon Feb 26 10:52:55 UTC 2024 - Dominique Leuenberger + +- Use %patch -P N instead of deprecated %patchN. + ------------------------------------------------------------------- Thu Feb 15 12:21:55 UTC 2024 - Adam Majer diff --git a/cockpit.pam b/cockpit.pam index 9cbc8ed..376d79f 100644 --- a/cockpit.pam +++ b/cockpit.pam @@ -1,5 +1,7 @@ #%PAM-1.0 auth substack common-auth +# List of users to deny access to Cockpit, by default root is included. +auth required pam_listfile.so item=user sense=deny file=/etc/cockpit/disallowed-users onerr=succeed account required pam_nologin.so account include common-account password include common-password diff --git a/cockpit.spec b/cockpit.spec index 43102e7..383e07e 100644 --- a/cockpit.spec +++ b/cockpit.spec @@ -242,24 +242,24 @@ BuildRequires: python3-tox-current-env %prep %setup -q -n cockpit-%{version} -a 3 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 +%patch -P 1 -p1 +%patch -P 2 -p1 +%patch -P 3 -p1 +%patch -P 4 -p1 +%patch -P 5 -p1 # SLE Micro specific patches %if 0%{?is_smo} -%patch101 -p1 +%patch -P 101 -p1 # Patches for versions lower then SLE Micro 5.5 %if 0%{?sle_version} < 150500 -%patch102 -p1 +%patch -P 102 -p1 %endif %endif # For anything based on SLES 15 codebase (including Leap, SLEM) %if 0%{?suse_version} == 1500 -%patch103 -p1 -%patch104 -p0 +%patch -P 103 -p1 +%patch -P 104 -p0 %endif cp %SOURCE1 tools/cockpit.pam diff --git a/selinux_libdir.patch b/selinux_libdir.patch index 426a11c..a082010 100644 --- a/selinux_libdir.patch +++ b/selinux_libdir.patch @@ -1,6 +1,6 @@ ---- selinux_bak/cockpit.fc 2023-09-11 15:16:38.603758530 +0200 -+++ selinux/cockpit.fc 2023-09-12 09:03:09.539025240 +0200 -@@ -2,11 +2,25 @@ +--- selinux_bak/cockpit.fc 2024-02-28 13:34:16.748028079 +0100 ++++ selinux/cockpit.fc 2024-02-28 13:35:10.425549063 +0100 +@@ -2,11 +2,24 @@ /etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) /usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) @@ -11,7 +11,6 @@ +/usr/lib/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + +# missing libexec transition on SLE Micro -+/usr/bin/cockpit-bridge -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/cockpit-askpass -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/cockpit-certificate-ensure -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/cockpit-certificate-helper -- gen_context(system_u:object_r:bin_t,s0)