Accepting request 722640 from home:weberho:branches:security

- Added fail2ban-0.10.4-env-script-interpreter.patch to define interpreter - removal of SuSEfirewall2-fail2ban for factory versions since SuSEfirewall2 will be removed from Factory (see sr#713247): * fail2ban-opensuse-service.patch: removed references to SuSEfirewall2 service * fail2ban-opensuse-service-sfw.patch: use references to SuSEfirewall2 only for older distributions * Removed installation recommendation of the SuSEfirewall2-fail2ban package for all distributions as it is deprecated. - fail2ban-0.10.4-upstream-pid-file-location.patch changed fail2ban unit file location (boo#1145181, gh#fail2ban/fail2ban#2474) OBS-URL: https://build.opensuse.org/request/show/722640 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=96
2019-08-12 10:37:17 +00:00 · 2019-08-12 10:37:17 +00:00 · 2ecebbda26
commit 2ecebbda26
parent 1080a2c48e
6 changed files with 87 additions and 21 deletions
--- a/fail2ban-0.10.4-env-script-interpreter.patch
+++ b/fail2ban-0.10.4-env-script-interpreter.patch
@ -0,0 +1,9 @@
+diff -ur fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot
+--- fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot	2018-10-04 11:26:22.000000000 +0200
+++ fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot	2019-08-12 10:46:05.067842214 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env fail2ban-python
+#!/usr/bin/python
+ # Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
+ #
+ # Written in Python to reuse built-in Python batteries and not depend on
--- a/fail2ban-0.10.4-upstream-pid-file-location.patch
+++ b/fail2ban-0.10.4-upstream-pid-file-location.patch
@ -0,0 +1,19 @@
+diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
+--- fail2ban-0.10.4-orig/files/fail2ban.service.in	2019-08-12 11:18:27.754395688 +0200
+++ fail2ban-0.10.4/files/fail2ban.service.in	2019-08-12 11:18:49.150908423 +0200
+@@ -7,13 +7,13 @@
+ [Service]
+ Type=simple
+ EnvironmentFile=-/etc/sysconfig/fail2ban
+-ExecStartPre=/bin/mkdir -p /var/run/fail2ban
+ExecStartPre=/bin/mkdir -p /run/fail2ban
+ ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
+ # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
+ # ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
+ ExecStop=/usr/bin/fail2ban-client stop
+ ExecReload=/usr/bin/fail2ban-client reload
+-PIDFile=/var/run/fail2ban/fail2ban.pid
+PIDFile=/run/fail2ban/fail2ban.pid
+ Restart=on-failure
+ RestartPreventExitStatus=0 255
+ 
--- a/fail2ban-opensuse-service-sfw.patch
+++ b/fail2ban-opensuse-service-sfw.patch
@ -0,0 +1,14 @@
+diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
+--- fail2ban-0.10.4-orig/files/fail2ban.service.in	2019-08-12 11:27:18.175106400 +0200
+++ fail2ban-0.10.4/files/fail2ban.service.in	2019-08-12 11:28:42.045116215 +0200
+@@ -1,8 +1,8 @@
+ [Unit]
+ Description=Fail2Ban Service
+ Documentation=man:fail2ban(1)
+-After=network.target iptables.service firewalld.service ip6tables.service ipset.service
+-PartOf=iptables.service firewalld.service ip6tables.service ipset.service
+After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
+PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
+ 
+ [Service]
+ Type=simple
--- a/fail2ban-opensuse-service.patch
+++ b/fail2ban-opensuse-service.patch
@ -1,15 +1,7 @@
-Index: files/fail2ban.service.in
-===================================================================
--- files/fail2ban.service.in.orig
-+++ files/fail2ban.service.in
-@@ -1,17 +1,18 @@
- [Unit]
- Description=Fail2Ban Service
- Documentation=man:fail2ban(1)
-After=network.target iptables.service firewalld.service ip6tables.service ipset.service
-PartOf=iptables.service firewalld.service ip6tables.service ipset.service
-+After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
-+PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
+diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
+--- fail2ban-0.10.4-orig/files/fail2ban.service.in	2018-10-04 11:26:22.000000000 +0200
+++ fail2ban-0.10.4/files/fail2ban.service.in	2019-08-12 11:17:34.929129813 +0200
+@@ -6,12 +6,13 @@
 
 [Service]
 Type=simple
--- a/fail2ban.changes
+++ b/fail2ban.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Mon Aug 12 09:10:37 UTC 2019 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Added fail2ban-0.10.4-env-script-interpreter.patch to define interpretor
+- removal of SuSEfirewall2-fail2ban for factory versions since SuSEfirewall2 
+  will be removed from Factory (see sr#713247):
+  * fail2ban-opensuse-service.patch: removed references to SuSEfirewall2 service
+  * fail2ban-opensuse-service-sfw.patch: use references to SuSEfirewall2 only for
+    older distributions
+  * Removed installation recommendation of the fail2ban-SuSEfirewall2
+    package for all distributions as it is deprecated.
+- fail2ban-0.10.4-upstream-pid-file-location.patch changed fail2ban unit file 
+  location (boo#1145181, gh#fail2ban/fail2ban#2474)
+
 -------------------------------------------------------------------
 Tue Jun 11 12:42:54 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>

--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -16,19 +16,18 @@
 #


+%{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create}
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
-  %define _fillupdir /var/adm/fillup-templates
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
-
-%{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create}
 Name:           fail2ban
 Version:        0.10.4
 Release:        0
 Summary:        Bans IP addresses that make too many authentication failures
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
-Url:            http://www.fail2ban.org/
+URL:            http://www.fail2ban.org/
 Source0:        https://github.com/fail2ban/fail2ban/archive/%{version}/%{name}-%{version}.tar.gz
 Source1:        https://github.com/fail2ban/fail2ban/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
 Source2:        %{name}.sysconfig
@ -46,6 +45,12 @@ Patch100:       %{name}-opensuse-locations.patch
 Patch101:       %{name}-opensuse-service.patch
 # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
 Patch200:       %{name}-disable-iptables-w-option.patch
+# PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor
+Patch201:       %{name}-0.10.4-env-script-interpreter.patch
+# PATH-FIX-UPSTREAM fail2ban-0.10.4-upstream-pid-file-location.patch boo#1145181 jweberhofer@weberhofer.at -- changed fail2ban pid file location (gh#fail2ban/fail2ban#2474)
+Patch202:       %{name}-0.10.4-upstream-pid-file-location.patch
+# PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch jweberhofer@weberhofer.at -- start after SuSEfirewall2 only for older distributions
+Patch300:       fail2ban-opensuse-service-sfw.patch
 BuildRequires:  fdupes
 BuildRequires:  logrotate
 BuildRequires:  python-devel
@ -57,7 +62,6 @@ Requires:       iptables
 Requires:       logrotate
 Requires:       python >= 2.6
 Requires:       whois
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if 0%{?suse_version} != 1110
 BuildArch:      noarch
 %endif
@ -88,17 +92,18 @@ reject the IP address, can send e-mails, or set host.deny entries.  These rules
 can be defined by the user. Fail2Ban can read multiple log files such as sshd
 or Apache web server ones.

+%if !0%{?suse_version} > 1500
 %package -n SuSEfirewall2-%{name}
 Summary:        Files for integrating fail2ban into SuSEfirewall2 via systemd
 Group:          Productivity/Networking/Security
 Requires:       SuSEfirewall2
 Requires:       fail2ban
-Recommends:     packageand(SuSEfirewall2:fail2ban)

 %description -n SuSEfirewall2-%{name}
 This package ships systemd files which will cause fail2ban to be ordered in
 relation to SuSEfirewall2 such that the two can be run concurrently within
 reason, i.e. SFW will always run first because it does a table flush.
+%endif

 %package -n monitoring-plugins-%{name}
 %define         nagios_plugindir %{_libexecdir}/nagios/plugins
@ -128,10 +133,15 @@ sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
 sed -i -e '/^#!\/usr\/bin\/python$/d' fail2ban/client/fail2banregex.py

 %patch100
-%patch101
+%patch101 -p1
 %if 0%{?suse_version} < 1310
 %patch200 -p1
 %endif
+%patch201 -p1
+%patch202 -p1
+%if !0%{?suse_version} > 1500
+%patch300 -p1
+%endif

 rm 	config/paths-arch.conf \
 	config/paths-debian.conf \
@ -200,12 +210,14 @@ install -p -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.%{name}
 install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
 install -p -m 644 %{SOURCE3}  %{buildroot}%{_sysconfdir}/logrotate.d/%{name}

+%if !0%{?suse_version} > 1500
 %if 0%{?_unitdir:1}
 install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \
 	"%{buildroot}%{_unitdir}/SuSEfirewall2.service.d/fail2ban.conf"
 install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \
 	"%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf"
 %endif
+%endif
 install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_%{name}

 # install docs using the macro
@ -253,6 +265,7 @@ export LANG=en_US.UTF-8
 %insserv_cleanup
 %endif

+%if !0%{?suse_version} > 1500
 %if 0%{?_unitdir:1}
 %post -n SuSEfirewall2-%{name}
 %{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
@ -260,6 +273,7 @@ export LANG=en_US.UTF-8
 %postun -n SuSEfirewall2-%{name}
 %{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
 %endif
+%endif

 %files
 %defattr(-, root, root)
@ -307,22 +321,26 @@ export LANG=en_US.UTF-8
 %{_fillupdir}/sysconfig.%{name}
 %{_mandir}/man1/*
 %{_mandir}/man5/*
-%doc README.md TODO ChangeLog COPYING doc/*.txt
+%license COPYING
+%doc README.md TODO ChangeLog doc/*.txt

 # do not include tests as they are executed during the build process
 %exclude %{_bindir}/%{name}-testcases
 %exclude %{python_sitelib}/%{name}/tests

+%if !0%{?suse_version} > 1500
 %if 0%{?_unitdir:1}
 %files -n SuSEfirewall2-%{name}
 %defattr(-,root,root)
 %{_unitdir}/SuSEfirewall2.service.d
 %{_unitdir}/%{name}.service.d
 %endif
+%endif

 %files -n monitoring-plugins-%{name}
 %defattr(-,root,root)
-%doc files/nagios/README COPYING
+%license COPYING
+%doc files/nagios/README
 %dir %{_libexecdir}/nagios
 %dir %{nagios_plugindir}
 %{nagios_plugindir}/check_%{name}