diff --git a/chrony.changes b/chrony.changes index 2f69890..6c12cb9 100644 --- a/chrony.changes +++ b/chrony.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Fri Oct 8 14:52:41 UTC 2021 - Reinhard Max + +- boo#1190926: PrivateDevices is too strict, we might need to + access the rtc and ptp devices. +- Add back support to build chrony on SLE12. +- Drop dependency on asciidoctor. It is only needed for building + the HTML documentation which we don't package anyway. + ------------------------------------------------------------------- Mon Aug 30 13:50:07 UTC 2021 - Johannes Segitz diff --git a/chrony.spec b/chrony.spec index 4c6f632..7e89201 100644 --- a/chrony.spec +++ b/chrony.spec @@ -16,10 +16,20 @@ # +%if 0%{?suse_version} < 1500 +# As of 2021 we still need to be able to build this on SLE12 +%bcond_with pools +%bcond_with sysusers +%bcond_with pps +%else +%bcond_without pools +%bcond_without sysusers +%bcond_without pps +%endif + %bcond_without testsuite %define _systemdutildir %(pkg-config --variable systemdutildir systemd) -#global clknetsim_ver 79ffe44 %global clknetsim_ver f89702d #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} @@ -59,23 +69,31 @@ Patch5: harden_chrony-wait.service.patch Patch6: harden_chronyd.service.patch BuildRequires: NetworkManager-devel BuildRequires: bison +BuildRequires: findutils BuildRequires: gcc-c++ BuildRequires: gnutls-devel BuildRequires: libcap-devel BuildRequires: libedit-devel BuildRequires: pkgconfig +%if %{with pps} BuildRequires: pps-tools-devel +%endif # The timezone package is needed for the "make check" tests. It can be # removed if the call to make check is ever deleted. BuildRequires: sysuser-tools BuildRequires: timezone BuildRequires: pkgconfig(systemd) -BuildRequires: rubygem(asciidoctor) Recommends: logrotate Requires(post): %fillup_prereq +%if %{with sysusers} %sysusers_requires +%else +Requires(pre): %{_sbindir}/useradd +%endif +%if %{with pools} Requires: %name-pool Recommends: %name-pool-nonempty +%endif Provides: ntp-daemon %ifarch s390 s390x ppc64le BuildRequires: libseccomp-devel >= 2.2.0 @@ -105,6 +123,7 @@ performance and configuring various settings. It can do so while running on the same computer as the chronyd instance it is controlling or a different computer. +%if %{with pools} %package pool-suse Summary: Chrony preconfiguration for SUSE Group: Productivity/Networking/Other @@ -149,16 +168,17 @@ This package provides an empty /etc/chrony.d/pool.conf file for situations when having servers preconfigured in chrony is undesirable, e.g. because the servers will be set via DHCP. +%endif + %prep %setup -q -a 10 -sed -e 's-@CHRONY_HELPER@-%{chrony_helper}-g' -i %{PATCH1} %{SOURCE3} %{SOURCE5} %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 %patch4 %patch5 -p1 -%patch6 -p1 +%patch6 # Remove pool statements from the default /etc/chrony.conf. They will # be provided by branding packages in /etc/chrony.d/pool.conf . @@ -190,8 +210,16 @@ export LDFLAGS="-pie -Wl,-z,relro,-z,now" --with-hwclockfile=%{_sysconfdir}/adjtime \ --with-sendmail=%{_sbindir}/sendmail \ --enable-ntp-signd -make %{?_smp_mflags} all docs +make %{?_smp_mflags} all +%if %{with sysusers} %sysusers_generate_pre %{SOURCE14} chrony system-user-chrony.conf +%else +cat > chrony.pre </dev/null 2>&1 || : +%{_sbindir}/useradd -g chrony -s /bin/false -r -c "Chrony Daemon" \ + -d "%{_localstatedir}/lib/chrony" chrony >/dev/null 2>&1 || : +EOF +%endif %install %make_install @@ -232,13 +260,17 @@ install -Dpm 755 %{SOURCE4} %{buildroot}%{chrony_helper} install -d %{buildroot}%{_localstatedir}/log/chrony touch %{buildroot}%{_localstatedir}/lib/chrony/{drift,rtc} +%if %{with pools} # Install the NTP pool files install -Dpm 644 %{SOURCE12} %{SOURCE13} %{buildroot}/etc/chrony.d -touch %{buildroot}/etc/chrony.d/pool.conf.empty +echo '# Add ntp pools here' > %{buildroot}/etc/chrony.d/pool.conf.empty +%endif mkdir -p %{buildroot}%{_sysusersdir} install -m 0644 %{SOURCE14} %{buildroot}%{_sysusersdir}/ +find %{buildroot} -type f | xargs sed -i 's-@CHRONY_HELPER@-%{chrony_helper}-g' + %if %{with testsuite} %ifnarch %ix86 %check @@ -265,7 +297,12 @@ make %{?_smp_mflags} check %service_del_postun chronyd.service chrony-wait.service %files +%defattr(-,root,root) +%if 0%{?suse_version} >= 1500 %license COPYING +%else +%doc COPYING +%endif %doc FAQ NEWS README %doc examples %config(noreplace) %attr(0640,root,%{name}) %{_sysconfdir}/chrony.conf @@ -295,13 +332,15 @@ make %{?_smp_mflags} check %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %ghost %attr(0750, %{name}, %{name}) %{_rundir}/%{name} +%if %{with pools} %files pool-empty -%config (noreplace) /etc/chrony.d/pool.conf.empty +%attr(-,root,root)%config (noreplace) /etc/chrony.d/pool.conf.empty %files pool-suse -%config (noreplace) /etc/chrony.d/pool.conf.suse +%attr(-,root,root)%config (noreplace) /etc/chrony.d/pool.conf.suse %files pool-openSUSE -%config (noreplace) /etc/chrony.d/pool.conf.opensuse +%attr(-,root,root)%config (noreplace) /etc/chrony.d/pool.conf.opensuse +%endif %changelog diff --git a/harden_chronyd.service.patch b/harden_chronyd.service.patch index c026810..fc606be 100644 --- a/harden_chronyd.service.patch +++ b/harden_chronyd.service.patch @@ -1,19 +1,17 @@ -Index: chrony-4.1/examples/chronyd.service -=================================================================== ---- chrony-4.1.orig/examples/chronyd.service -+++ chrony-4.1/examples/chronyd.service -@@ -17,6 +17,15 @@ ExecStart=/usr/sbin/chronyd $OPTIONS +--- examples/chronyd.service.orig ++++ examples/chronyd.service +@@ -18,6 +18,15 @@ ExecStartPost=@CHRONY_HELPER@ update-dae PrivateTmp=yes ProtectHome=yes ProtectSystem=full +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort -+PrivateDevices=true +ProtectHostname=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +DeviceAllow=char-rtc ++DeviceAllow=char-ptp +# end of automatic additions [Install]