Accepting request 1288744 from security

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1288744
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=75

fail2ban-0.10.4-env-script-interpreter.patch

@@ -1,6 +1,7 @@
-diff -ur fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot
---- fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot	2018-10-04 11:26:22.000000000 +0200
-+++ fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot	2019-08-12 10:46:05.067842214 +0200
+Index: fail2ban-1.1.0/config/filter.d/ignorecommands/apache-fakegooglebot
+===================================================================
+--- fail2ban-1.1.0.orig/config/filter.d/ignorecommands/apache-fakegooglebot
++++ fail2ban-1.1.0/config/filter.d/ignorecommands/apache-fakegooglebot
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env fail2ban-python
 +#!/usr/bin/fail2ban-python

fail2ban-fix-openssh98.patch

@@ -1,7 +1,7 @@
-Index: fail2ban-1.0.2/config/filter.d/sshd.conf
+Index: fail2ban-1.1.0/config/filter.d/sshd.conf
 ===================================================================
---- fail2ban-1.0.2.orig/config/filter.d/sshd.conf
-+++ fail2ban-1.0.2/config/filter.d/sshd.conf
+--- fail2ban-1.1.0.orig/config/filter.d/sshd.conf
++++ fail2ban-1.1.0/config/filter.d/sshd.conf
 @@ -16,7 +16,7 @@ before = common.conf
  
  [DEFAULT]

fail2ban-opensuse-locations.patch

@@ -1,8 +1,8 @@
-Index: fail2ban-1.0.1/config/jail.conf
+Index: fail2ban-1.1.0/config/jail.conf
 ===================================================================
---- fail2ban-1.0.1.orig/config/jail.conf
-+++ fail2ban-1.0.1/config/jail.conf
-@@ -731,7 +731,7 @@ backend = %(syslog_backend)s
+--- fail2ban-1.1.0.orig/config/jail.conf
++++ fail2ban-1.1.0/config/jail.conf
+@@ -735,7 +735,7 @@ backend = %(syslog_backend)s
  # filter   = named-refused
  # port     = domain,953
  # protocol = udp
@@ -11,7 +11,7 @@ Index: fail2ban-1.0.1/config/jail.conf
  
  # IMPORTANT: see filter.d/named-refused for instructions to enable logging
  # This jail blocks TCP traffic for DNS requests.
-@@ -739,7 +739,7 @@ backend = %(syslog_backend)s
+@@ -743,7 +743,7 @@ backend = %(syslog_backend)s
  [named-refused]
  
  port     = domain,953
@@ -20,10 +20,10 @@ Index: fail2ban-1.0.1/config/jail.conf
  
  
  [nsd]
-Index: fail2ban-1.0.1/config/paths-common.conf
+Index: fail2ban-1.1.0/config/paths-common.conf
 ===================================================================
---- fail2ban-1.0.1.orig/config/paths-common.conf
-+++ fail2ban-1.0.1/config/paths-common.conf
+--- fail2ban-1.1.0.orig/config/paths-common.conf
++++ fail2ban-1.1.0/config/paths-common.conf
 @@ -90,4 +90,4 @@ solidpop3d_log = %(syslog_local0)s
  mysql_log = %(syslog_daemon)s
  mysql_backend = %(default_backend)s

fail2ban.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Jun 19 19:00:38 UTC 2025 - chris@computersalat.de
+
+- fix build
+  * service file install
+- some rpmlint fixes
+- Add fail2ban_service.patch
+- rebase patches
+  * fail2ban-0.10.4-env-script-interpreter.patch
+  * fail2ban-fix-openssh98.patch
+  * fail2ban-opensuse-locations.patch
+  * harden_fail2ban.service.patch
+
 -------------------------------------------------------------------
 Mon Jun 16 22:37:03 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
 

fail2ban.spec

@@ -42,6 +42,8 @@ Source200:      fail2ban.keyring
 Patch100:       %{name}-opensuse-locations.patch
 # PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor
 Patch201:       %{name}-0.10.4-env-script-interpreter.patch
+# PATCH-FEATURE-OPENSUSE fail2ban_service.patch chris@computersalat.de -- Add [Service] EnvironmentFile
+Patch300:       %{name}_service.patch
 # PATCH-FEATURE-OPENSUSE harden_fail2ban.service.patch jsegitz@suse.com -- Added hardening to systemd service(s) bsc#1181400
 Patch301:       harden_fail2ban.service.patch
 # PATCH-FIX-OPENSUSE fail2ban-fix-openssh98.patch meissner@suse.com -- support openssh9.8 bsc#1230101
@@ -72,8 +74,8 @@ Requires:       systemd > 204
 %{?systemd_requires}
 Requires:       python3-pyinotify >= 0.8.3
 %if 0%{?suse_version} < 1600
-Obsoletes:      SuSEfirewall2-%{name}
-Provides:       SuSEfirewall2-%{name}
+Provides:       SuSEfirewall2-%{name} = %{version}
+Obsoletes:      SuSEfirewall2-%{name} < %{version}
 %endif
 
 %description
@@ -114,6 +116,7 @@ sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
 
 %patch -P 100 -p1
 %patch -P 201 -p1
+%patch -P 300 -p1
 %patch -P 301 -p1
 %patch -P 302 -p1
 %patch -P 303 -p1
@@ -129,7 +132,7 @@ sed -i -e 's|%{_datadir}/doc/%{name}|%{_docdir}/%{name}|' setup.py
 
 %build
 export CFLAGS="%{optflags}"
-export SERVICE_BINDIR="/usr/bin"
+export SERVICE_BINDIR="%{_bindir}"
 %pyproject_wheel
 gzip man/*.{1,5}
 
@@ -138,8 +141,8 @@ gzip man/*.{1,5}
 %python_expand %fdupes %{buildroot}%{python3_sitelib}
 
 install -d -m 755 %{buildroot}%{_mandir}/man{1,5}
-install -p -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1
-install -p -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5
+install -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1
+install -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5
 
 install -d -m 755 %{buildroot}%{_initddir}
 install -d -m 755 %{buildroot}%{_sbindir}
@@ -149,13 +152,12 @@ install -d -m 755 %{buildroot}/run
 touch %{buildroot}/run/%{name}
 
 # systemd
-install -d -m 755 %{buildroot}%{_unitdir}
-cp -av build/fail2ban.service "%{buildroot}/%{_unitdir}/%{name}.service"
-
-install -d -m 755 %{buildroot}%{_tmpfilesdir}
-install -p -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
-
-ln -sf service %{buildroot}%{_sbindir}/rc%{name}
+if [[ ! -f build/fail2ban.service ]]; then
+  sed -e "s|@BINDIR@|%{_bindir}|g" files/fail2ban.service.in > build/fail2ban.service
+fi
+install -D -m 644 build/fail2ban.service "%{buildroot}/%{_unitdir}/%{name}.service"
+install -D -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 
 install -d -m 755 %{buildroot}%{_sysconfdir}
 mv %{buildroot}%{python3_sitelib}%{_sysconfdir}/%{name} %{buildroot}%{_sysconfdir}
@@ -168,11 +170,9 @@ echo "# Do all your modifications to the jail's configuration in jail.local!" >
 
 install -d -m 0755 %{buildroot}%{_localstatedir}/lib/%{name}/
 
-install -d -m 755 %{buildroot}%{_fillupdir}
-install -p -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.%{name}
+install -D -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.%{name}
 
-install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
-install -p -m 644 %{SOURCE3}  %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+install -D -m 644 %{SOURCE3}  %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
 
 %if 0%{?suse_version} < 1600
 perl -i -lpe 's{(After|PartOf)=(.*)}{$1=$2 SuSEfirewall2.service}' \

fail2ban_service.patch

@@ -0,0 +1,16 @@
+Index: fail2ban-1.1.0/files/fail2ban.service.in
+===================================================================
+--- fail2ban-1.1.0.orig/files/fail2ban.service.in
++++ fail2ban-1.1.0/files/fail2ban.service.in
+@@ -6,9 +6,10 @@ PartOf=iptables.service firewalld.servic
+ 
+ [Service]
+ Type=simple
++EnvironmentFile=-/etc/sysconfig/fail2ban
+ Environment="PYTHONNOUSERSITE=1"
+ ExecStartPre=/bin/mkdir -p /run/fail2ban
+-ExecStart=@BINDIR@/fail2ban-server -xf start
++ExecStart=@BINDIR@/fail2ban-server -xf $FAIL2BAN_OPTIONS start
+ # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
+ # ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
+ ExecStop=@BINDIR@/fail2ban-client stop

harden_fail2ban.service.patch

@@ -23,5 +23,5 @@ Index: fail2ban-1.1.0/files/fail2ban.service.in
 +RestrictRealtime=true
 +# end of automatic additions 
  Type=simple
+ EnvironmentFile=-/etc/sysconfig/fail2ban
  Environment="PYTHONNOUSERSITE=1"
- ExecStartPre=/bin/mkdir -p /run/fail2ban