Accepting request 1154833 from systemsmanagement:cockpit

- cockpit.pam: respect /etc/cockpit/disallowed-users
  This means by default root cannot login with password to cockpit
  (bsc#1216080)

- Remove SELinux file context for /usr/bin/cockpit-bridge, this
  is already defined in the main selinux-policy package (bsc#1220385).
  Modified selinux_libdir.patch

- Use %patch -P N instead of deprecated %patchN.

OBS-URL: https://build.opensuse.org/request/show/1154833
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cockpit?expand=0&rev=42

cockpit.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Mar  4 13:24:23 UTC 2024 - Adam Majer <adam.majer@suse.de>
+
+- cockpit.pam: respect /etc/cockpit/disallowed-users
+  This means by default root cannot login with password to cockpit
+  (bsc#1216080)
+
+-------------------------------------------------------------------
+Thu Feb 29 16:40:06 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+
+- Remove SELinux file context for /usr/bin/cockpit-bridge, this
+  is already defined in the main selinux-policy package (bsc#1220385).
+  Modified selinux_libdir.patch
+
+-------------------------------------------------------------------
+Mon Feb 26 10:52:55 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Use %patch -P N instead of deprecated %patchN.
+
 -------------------------------------------------------------------
 Thu Feb 15 12:21:55 UTC 2024 - Adam Majer <adam.majer@suse.de>
 

cockpit.pam

@@ -1,5 +1,7 @@
 #%PAM-1.0
 auth substack common-auth
+# List of users to deny access to Cockpit, by default root is included.
+auth    required pam_listfile.so item=user sense=deny file=/etc/cockpit/disallowed-users onerr=succeed
 account required pam_nologin.so
 account include common-account
 password include common-password

cockpit.spec

@@ -242,24 +242,24 @@ BuildRequires:  python3-tox-current-env
 
 %prep
 %setup -q -n cockpit-%{version} -a 3
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
+%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 3 -p1
+%patch -P 4 -p1
+%patch -P 5 -p1
 
 # SLE Micro specific patches
 %if 0%{?is_smo}
-%patch101 -p1
+%patch -P 101 -p1
 # Patches for versions lower then SLE Micro 5.5
 %if 0%{?sle_version} < 150500
-%patch102 -p1
+%patch -P 102 -p1
 %endif
 %endif
 # For anything based on SLES 15 codebase (including Leap, SLEM)
 %if 0%{?suse_version} == 1500
-%patch103 -p1
-%patch104 -p0
+%patch -P 103 -p1
+%patch -P 104 -p0
 %endif
 
 cp %SOURCE1 tools/cockpit.pam

selinux_libdir.patch

@@ -1,6 +1,6 @@
---- selinux_bak/cockpit.fc	2023-09-11 15:16:38.603758530 +0200
-+++ selinux/cockpit.fc	2023-09-12 09:03:09.539025240 +0200
-@@ -2,11 +2,25 @@
+--- selinux_bak/cockpit.fc	2024-02-28 13:34:16.748028079 +0100
++++ selinux/cockpit.fc	2024-02-28 13:35:10.425549063 +0100
+@@ -2,11 +2,24 @@
  /etc/systemd/system/cockpit.*	--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
  
  /usr/libexec/cockpit-ws		--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
@@ -11,7 +11,6 @@
 +/usr/lib/cockpit-wsinstance-factory	--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
 +
 +# missing libexec transition on SLE Micro
-+/usr/bin/cockpit-bridge			--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/cockpit-askpass		--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/cockpit-certificate-ensure	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/cockpit-certificate-helper	--	gen_context(system_u:object_r:bin_t,s0)