Accepting request 231797 from security

- Add a new subpackage to install systemd drop-ins that couple SuSEfirewall2 and fail2ban. (forwarded request 230864 from jengelh) OBS-URL: https://build.opensuse.org/request/show/231797 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=32
2014-05-02 11:55:17 +00:00 · 2014-05-02 11:55:17 +00:00 · 210a71f8fb
commit 210a71f8fb
parent b17e75956e 833b3f3a02
4 changed files with 63 additions and 10 deletions
--- a/f2b-restart.conf
+++ b/f2b-restart.conf
@ -0,0 +1,5 @@
+# When a restart is issued for SuSEfirewall2, fail2ban.service too must be
+# restarted, which is what this drop-in file does.
+
+[Unit]
+PartOf=SuSEfirewall2.service
--- a/fail2ban.changes
+++ b/fail2ban.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Feb 18 00:03:12 UTC 2014 - jengelh@inai.de
+
+- Add a new subpackage to install systemd drop-ins that couple
+  SuSEfirewall2 and fail2ban. Added sfw-fail2ban.conf,
+  f2b-restart.conf.
+
 -------------------------------------------------------------------
 Wed Jan 29 13:48:38 UTC 2014 - jweberhofer@weberhofer.at

--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -20,11 +20,10 @@ Name:           fail2ban
 Version:        0.8.12
 Release:        0
 Url:            http://www.fail2ban.org/
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-BuildArch:      noarch
 Summary:        Bans IP addresses that make too many authentication failures
 License:        GPL-2.0+
 Group:          Productivity/Networking/Security
+
 Source0:        https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
 %if 0%{?suse_version} < 1230
 # the init-script requires lsof
@ -33,12 +32,20 @@ Source1:        %{name}.init
 %endif
 Source2:        %{name}.sysconfig
 Source3:        %{name}.logrotate
-%if 0%{?suse_version} >= 1230
 Source4:        %{name}.service
 Source5:        %{name}.tmpfiles
-%endif
+Source6:        sfw-fail2ban.conf
+Source7:        f2b-restart.conf
 # PATCH-FIX-UPSTREAM fix-for-upstream-firewallcmd-ipset.conf.patch rh#1046816
 Patch0:         fix-for-upstream-firewallcmd-ipset.conf.patch
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+BuildArch:      noarch
+%if 0%{?suse_version} >= 1230
+%{?systemd_requires}
+BuildRequires:  systemd
+%endif
+BuildRequires:  logrotate
+BuildRequires:  python-devel
 Requires:       cron
 Requires:       iptables
 Requires:       logrotate
@ -49,12 +56,6 @@ Requires:       python-pyinotify
 %if 0%{?suse_version} >= 1220
 Requires:       python-gamin
 %endif
-%if 0%{?suse_version} >= 1230
-%{?systemd_requires}
-BuildRequires:  systemd
-%endif
-BuildRequires:  logrotate
-BuildRequires:  python-devel

 %description
 Fail2ban scans log files like /var/log/messages and bans IP addresses
@ -63,6 +64,18 @@ reject the IP address, can send e-mails, or set host.deny entries.
 These rules can be defined by the user. Fail2Ban can read multiple log
 files such as sshd or Apache web server ones.

+%package -n SuSEfirewall2-fail2ban
+Summary:        systemd files for integrating fail2ban into SuSEfirewall2
+Group:          Productivity/Networking/Security
+BuildArch:      noarch
+Requires:       SuSEfirewall2
+Requires:       fail2ban
+
+%description -n SuSEfirewall2-fail2ban
+This package ships systemd files which will cause fail2ban to be ordered
+in relation to SuSEfirewall2 such that the two can be run concurrently
+within reason, i.e. SFW will always run first because it does a table flush.
+
 %prep
 %setup
 %patch0 -p1
@ -101,6 +114,12 @@ install -m644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/%{name}.service
 install -d -m755 $RPM_BUILD_ROOT/usr/lib/tmpfiles.d/
 install -m644 %{SOURCE5} $RPM_BUILD_ROOT/usr/lib/tmpfiles.d/%{name}.conf
 %endif
+%if "%_unitdir" != ""
+install -Dm0644 "%_sourcedir/sfw-fail2ban.conf" \
+	"%buildroot/%_unitdir/SuSEfirewall2.service.d/fail2ban.conf"
+install -Dm0644 "%_sourcedir/f2b-restart.conf" \
+	"%buildroot/%_unitdir/fail2ban.service.d/SuSEfirewall2.conf"
+%endif

 %pre
 %if 0%{?suse_version} >= 1230
@ -129,6 +148,14 @@ systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf
 %insserv_cleanup
 %endif

+%if "%_unitdir" != ""
+%post -n SuSEfirewall2-fail2ban
+%_bindir/systemctl daemon-reload >/dev/null 2>&1 || :
+
+%postun -n SuSEfirewall2-fail2ban
+%_bindir/systemctl daemon-reload >/dev/null 2>&1 || :
+%endif
+
 %files
 %defattr(-, root, root)
 %dir %{_sysconfdir}/%{name}
@ -152,4 +179,11 @@ systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf
 %doc %{_mandir}/man1/*
 %doc COPYING ChangeLog DEVELOP README.md TODO files/cacti

+%if "%{?_unitdir}" != ""
+%files -n SuSEfirewall2-fail2ban
+%defattr(-,root,root)
+%_unitdir/SuSEfirewall2.service.d
+%_unitdir/fail2ban.service.d
+%endif
+
 %changelog
--- a/sfw-fail2ban.conf
+++ b/sfw-fail2ban.conf
@ -0,0 +1,7 @@
+# This drop-in file extends SuSEfirewall2.service to also start
+# fail2ban.service, and to make sure that fail2ban is only (re)started after
+# SFW has completed.
+
+[Unit]
+Wants=fail2ban.service
+Before=fail2ban.service