From 7212aea48df54dde03ba1de60287e85c5c1591153b8d7de5ea5f4cbe5584ddb3 Mon Sep 17 00:00:00 2001 From: Adam Majer Date: Mon, 4 Mar 2024 13:32:21 +0000 Subject: [PATCH 1/3] Accepting request 1153493 from home:cahu:branches:systemsmanagement:cockpit - Remove SELinux file context for /usr/bin/cockpit-bridge, this is already defined in the main selinux-policy package (bsc#1220385). OBS-URL: https://build.opensuse.org/request/show/1153493 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:cockpit/cockpit?expand=0&rev=164 --- cockpit.changes | 6 ++++++ selinux_libdir.patch | 7 +++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/cockpit.changes b/cockpit.changes index e24610f..b2dce6d 100644 --- a/cockpit.changes +++ b/cockpit.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Feb 29 16:40:06 UTC 2024 - Cathy Hu + +- Remove SELinux file context for /usr/bin/cockpit-bridge, this + is already defined in the main selinux-policy package (bsc#1220385). + ------------------------------------------------------------------- Thu Feb 15 12:21:55 UTC 2024 - Adam Majer diff --git a/selinux_libdir.patch b/selinux_libdir.patch index 426a11c..a082010 100644 --- a/selinux_libdir.patch +++ b/selinux_libdir.patch @@ -1,6 +1,6 @@ ---- selinux_bak/cockpit.fc 2023-09-11 15:16:38.603758530 +0200 -+++ selinux/cockpit.fc 2023-09-12 09:03:09.539025240 +0200 -@@ -2,11 +2,25 @@ +--- selinux_bak/cockpit.fc 2024-02-28 13:34:16.748028079 +0100 ++++ selinux/cockpit.fc 2024-02-28 13:35:10.425549063 +0100 +@@ -2,11 +2,24 @@ /etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) /usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) @@ -11,7 +11,6 @@ +/usr/lib/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + +# missing libexec transition on SLE Micro -+/usr/bin/cockpit-bridge -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/cockpit-askpass -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/cockpit-certificate-ensure -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/cockpit-certificate-helper -- gen_context(system_u:object_r:bin_t,s0) From 30d7523ce5a739f4160831ff9dec5320c13fb037c66f7642ddec57a923edf960 Mon Sep 17 00:00:00 2001 From: Adam Majer Date: Mon, 4 Mar 2024 13:33:34 +0000 Subject: [PATCH 2/3] - cockpit.pam: respect /etc/cockpit/disallowed-users This means by default root cannot login with password to cockpit (bsc#1216080) - Remove SELinux file context for /usr/bin/cockpit-bridge, this is already defined in the main selinux-policy package (bsc#1220385). Modified selinux_libdir.patch OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:cockpit/cockpit?expand=0&rev=165 --- cockpit.changes | 8 ++++++++ cockpit.pam | 2 ++ 2 files changed, 10 insertions(+) diff --git a/cockpit.changes b/cockpit.changes index b2dce6d..c423d84 100644 --- a/cockpit.changes +++ b/cockpit.changes @@ -1,8 +1,16 @@ +------------------------------------------------------------------- +Mon Mar 4 13:24:23 UTC 2024 - Adam Majer + +- cockpit.pam: respect /etc/cockpit/disallowed-users + This means by default root cannot login with password to cockpit + (bsc#1216080) + ------------------------------------------------------------------- Thu Feb 29 16:40:06 UTC 2024 - Cathy Hu - Remove SELinux file context for /usr/bin/cockpit-bridge, this is already defined in the main selinux-policy package (bsc#1220385). + Modified selinux_libdir.patch ------------------------------------------------------------------- Thu Feb 15 12:21:55 UTC 2024 - Adam Majer diff --git a/cockpit.pam b/cockpit.pam index 9cbc8ed..376d79f 100644 --- a/cockpit.pam +++ b/cockpit.pam @@ -1,5 +1,7 @@ #%PAM-1.0 auth substack common-auth +# List of users to deny access to Cockpit, by default root is included. +auth required pam_listfile.so item=user sense=deny file=/etc/cockpit/disallowed-users onerr=succeed account required pam_nologin.so account include common-account password include common-password From 9628aab491df979fb7fa1dd84ef5f2081e9cbcabff58bc44fce25fe132f0c5e1 Mon Sep 17 00:00:00 2001 From: Adam Majer Date: Mon, 4 Mar 2024 14:56:57 +0000 Subject: [PATCH 3/3] Accepting request 1151135 from home:dimstar:rpm4.20:c Prepare for RPM 4.20 OBS-URL: https://build.opensuse.org/request/show/1151135 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:cockpit/cockpit?expand=0&rev=166 --- cockpit.changes | 5 +++++ cockpit.spec | 18 +++++++++--------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/cockpit.changes b/cockpit.changes index c423d84..16789ee 100644 --- a/cockpit.changes +++ b/cockpit.changes @@ -12,6 +12,11 @@ Thu Feb 29 16:40:06 UTC 2024 - Cathy Hu is already defined in the main selinux-policy package (bsc#1220385). Modified selinux_libdir.patch +------------------------------------------------------------------- +Mon Feb 26 10:52:55 UTC 2024 - Dominique Leuenberger + +- Use %patch -P N instead of deprecated %patchN. + ------------------------------------------------------------------- Thu Feb 15 12:21:55 UTC 2024 - Adam Majer diff --git a/cockpit.spec b/cockpit.spec index 43102e7..383e07e 100644 --- a/cockpit.spec +++ b/cockpit.spec @@ -242,24 +242,24 @@ BuildRequires: python3-tox-current-env %prep %setup -q -n cockpit-%{version} -a 3 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 +%patch -P 1 -p1 +%patch -P 2 -p1 +%patch -P 3 -p1 +%patch -P 4 -p1 +%patch -P 5 -p1 # SLE Micro specific patches %if 0%{?is_smo} -%patch101 -p1 +%patch -P 101 -p1 # Patches for versions lower then SLE Micro 5.5 %if 0%{?sle_version} < 150500 -%patch102 -p1 +%patch -P 102 -p1 %endif %endif # For anything based on SLES 15 codebase (including Leap, SLEM) %if 0%{?suse_version} == 1500 -%patch103 -p1 -%patch104 -p0 +%patch -P 103 -p1 +%patch -P 104 -p0 %endif cp %SOURCE1 tools/cockpit.pam