Accepting request 934558 from home:favogt:branches:security

- Use %autosetup - Don't include sample rules as %doc, they're already installed as normal files - Fix create-augenrules-service.patch: * auditd.service needs to require augenrules.service, not the other way around - Fix documentation for enable-stop-rules.patch OBS-URL: https://build.opensuse.org/request/show/934558 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=134
2021-11-30 01:45:17 +00:00 · 2021-11-30 01:45:17 +00:00 · c309536630
commit c309536630
parent 4de8c602d7
4 changed files with 46 additions and 31 deletions
--- a/audit-secondary.changes
+++ b/audit-secondary.changes
@ -1,3 +1,14 @@
 -------------------------------------------------------------------
 Mon Nov 29 13:13:56 UTC 2021 - Fabian Vogt <fvogt@suse.com>
 - Use %autosetup
 - Don't include sample rules as %doc, they're already installed
  as normal files
 - Fix create-augenrules-service.patch:
  * auditd.service needs to require augenrules.service,
    not the other way around
 - Fix documentation for enable-stop-rules.patch
 -------------------------------------------------------------------
 Sun Nov  7 13:34:20 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
--- a/audit-secondary.spec
+++ b/audit-secondary.spec
@ -125,18 +125,7 @@ audit dispatcher (audispd).
 rm -rf audisp/plugins/zos-remote/policy
 # we don't build prelude
 rm -rf audisp/plugins/prelude
-%setup -q -n %{_name}-%{version}
+%autosetup -p1 -n %{_name}-%{version}
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
 %if %{without python2} && %{with python3}
 # Fix python env call in tests if we only have Python3.
@ -252,7 +241,7 @@ fi
 %files -n audit
 %license COPYING
-%doc README ChangeLog rules init.d/auditd.cron
+%doc README ChangeLog init.d/auditd.cron
 %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
 %attr(644,root,root) %{_mandir}/man8/auditd.8.gz
 %attr(644,root,root) %{_mandir}/man8/aureport.8.gz
--- a/create-augenrules-service.patch
+++ b/create-augenrules-service.patch
@ -1,10 +1,11 @@
 Index: audit-3.0.6/init.d/augenrules.service
 ===================================================================
 --- /dev/null
-+++ b/init.d/augenrules.service
+++ audit-3.0.6/init.d/augenrules.service
-@@ -0,0 +1,33 @@
+@@ -0,0 +1,29 @@
 +[Unit]
 +Description=auditd rules generation
 +After=auditd.service
 +PartOf=auditd.service
 +Documentation=man:augenrules(8)
 +
 +[Service]
@ -31,12 +32,19 @@
 +ProtectKernelTunables=true
 +ProtectKernelLogs=true
 +ReadWritePaths=/etc/audit
-+
+Index: audit-3.0.6/init.d/auditd.service
-+[Install]
+===================================================================
-+WantedBy=multi-user.target
+--- audit-3.0.6.orig/init.d/auditd.service
--- a/init.d/auditd.service
+++ audit-3.0.6/init.d/auditd.service
-+++ b/init.d/auditd.service
+@@ -13,15 +13,16 @@ Before=sysinit.target shutdown.target
-@@ -18,10 +18,8 @@ Documentation=man:auditd(8) https://gith
+ Conflicts=shutdown.target
 ConditionKernelCommandLine=!audit=0
 Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
 +Requires=augenrules.service
 +# This unit clears rules on stop, so make sure that augenrules runs again
 +PropagatesStopTo=augenrules.service
 [Service]
 Type=forking
 PIDFile=/run/auditd.pid
 ExecStart=/sbin/auditd
@ -45,11 +53,11 @@
 -## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
 -ExecStartPost=-/sbin/augenrules --load
 +## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
-+## uncomment the next line, and run "systemctl disable --now augenrules.service".
+## uncomment the next line, and comment the Requires=augenrules.service above.
 #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
- # By default we don't clear the rules on exit. To enable this, uncomment
+ # By default we clear the rules on exit. To disable this, comment
 # the next line after copying the file to /etc/systemd/system/auditd.service
-@@ -42,7 +40,6 @@ ProtectClock=true
+@@ -45,7 +46,6 @@ ProtectClock=true
 ProtectKernelTunables=true
 ProtectKernelLogs=true
 # end of automatic additions 
@ -57,8 +65,10 @@
 [Install]
 WantedBy=multi-user.target
--- a/init.d/Makefile.am
+Index: audit-3.0.6/init.d/Makefile.am
-+++ b/init.d/Makefile.am
+===================================================================
 --- audit-3.0.6.orig/init.d/Makefile.am
 +++ audit-3.0.6/init.d/Makefile.am
@@ -26,7 +26,7 @@ EXTRA_DIST = auditd.init auditd.service
 	auditd.cron libaudit.conf auditd.condrestart \
 	auditd.reload auditd.restart auditd.resume \
--- a/enable-stop-rules.patch
+++ b/enable-stop-rules.patch
@ -11,11 +11,16 @@ Disable audit when auditd.service stops, so kauditd stops logging/running.
 Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
--- a/init.d/auditd.service
+Index: audit-3.0.6/init.d/auditd.service
-+++ b/init.d/auditd.service
+===================================================================
-@@ -25,7 +25,7 @@ ExecStartPost=-/sbin/augenrules --load
+--- audit-3.0.6.orig/init.d/auditd.service
 +++ audit-3.0.6/init.d/auditd.service
@@ -23,9 +23,9 @@ ExecStart=/sbin/auditd
 ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
 ExecStartPost=-/sbin/augenrules --load
 #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
- # By default we don't clear the rules on exit. To enable this, uncomment
+-# By default we don't clear the rules on exit. To enable this, uncomment
 +# By default we clear the rules on exit. To disable this, comment
 # the next line after copying the file to /etc/systemd/system/auditd.service
 -#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
 +ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules