Accepting request 583006 from security

- Replace old $RPM_* shell vars. (forwarded request 583005 from jengelh)

OBS-URL: https://build.opensuse.org/request/show/583006
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openscap?expand=0&rev=55

openscap.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Mar  5 15:11:19 UTC 2018 - jengelh@inai.de
+
+- Replace old $RPM_* shell vars.
+
+-------------------------------------------------------------------
+Mon Mar  5 12:39:51 UTC 2018 - meissner@suse.com
+
+- replace oscap-scan.init by oscap-scan.service, add a /usr/bin/oscap-scan
+  helper tool for this. (bsc#1083115)
+
 -------------------------------------------------------------------
 Thu Feb 22 13:41:36 UTC 2018 - meissner@suse.com
 

openscap.spec

@@ -28,13 +28,14 @@ Name:           openscap
 Version:        1.2.16
 Release:        1.0
 Source:         https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz
-Source1:        oscap-scan.init
 Source2:        sysconfig.oscap-scan
 # SUSE specific profile, based on yast2-security
 # checks.
 # Generated from http://gitorious.org/test-suite/scap
 Source3:        scap-yast2sec-xccdf.xml
 Source4:        scap-yast2sec-oval.xml
+Source5:        oscap-scan.service
+Source6:        oscap-scan.sh
 Url:            http://www.open-scap.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  doxygen
@@ -62,8 +63,9 @@ BuildRequires:  rpm-devel
 BuildRequires:  swig
 BuildRequires:  unixODBC-devel
 Summary:        A Set of Libraries for Integration with SCAP
-License:        LGPL-2.1+
+License:        LGPL-2.1-or-later
 Group:          Development/Tools/Other
+BuildRequires:  systemd-rpm-macros
 
 %description
 OpenSCAP is a set of open source libraries providing an easier path for
@@ -142,7 +144,8 @@ The OpenSCAP Perl Library for easy integration with SCAP.
 Summary:        Openscap utilities
 Group:          System/Monitoring
 Requires:       %{name} = %{version}-%{release}
-PreReq:         %insserv_prereq %fillup_prereq
+PreReq:         %fillup_prereq
+%systemd_requires
 
 %description    utils
 The %{name}-utils package contains various utilities based on %{name} library.
@@ -195,17 +198,20 @@ find %{buildroot} -name "*.la" -delete
 # last python2 user in oscap-utils ... needs porting to python3
 rm %{buildroot}/usr/bin/scap-as-rpm
 
-mkdir -p $RPM_BUILD_ROOT%{_fillupdir}
-install -d -m 755 $RPM_BUILD_ROOT%{_initrddir}
-install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initrddir}/oscap-scan
-install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_fillupdir}
+mkdir -p %{buildroot}/%{_fillupdir}
+install -m 644 %{SOURCE2} %{buildroot}/%{_fillupdir}
 
-install -m 644 %{SOURCE3}  $RPM_BUILD_ROOT/%{_datadir}/openscap
-install -m 644 %{SOURCE4}  $RPM_BUILD_ROOT/%{_datadir}/openscap
+install -m 644 %{SOURCE3} %{buildroot}/%{_datadir}/openscap
+install -m 644 %{SOURCE4} %{buildroot}/%{_datadir}/openscap
+
+# specific local scan during boot script
+mkdir -p %{buildroot}/%{_unitdir}
+install -m 644 %{SOURCE5} %{buildroot}/%{_unitdir}/oscap-scan.service
+install -m 755 %{SOURCE6} %{buildroot}/%{_bindir}/oscap-scan
 
 # create symlinks to default content
-ln -s  %{_datadir}/openscap/scap-yast2sec-oval.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-oval.xml
-ln -s  %{_datadir}/openscap/scap-yast2sec-xccdf.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-xccdf.xml
+ln -s  %{_datadir}/openscap/scap-yast2sec-oval.xml %{buildroot}/%{_datadir}/openscap/scap-oval.xml
+ln -s  %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/openscap/scap-xccdf.xml
 
 %post -n libopenscap%{sover} -p /sbin/ldconfig
 %post -n libopenscap_sce%{sover} -p /sbin/ldconfig
@@ -214,14 +220,17 @@ ln -s  %{_datadir}/openscap/scap-yast2sec-xccdf.xml $RPM_BUILD_ROOT/%{_datadir}/
 %postun -n libopenscap_sce%{sover} -p /sbin/ldconfig
 
 %preun utils
-%{stop_on_removal oscap-scan}
+%service_del_preun oscap-scan.service
 
 %post utils
-%{fillup_and_insserv -n oscap-scan}
+%service_add_post oscap-scan.service
+%{fillup_only -n oscap-scan}
 
 %postun utils
-%{restart_on_update oscap-scan}
-%{insserv_cleanup}
+%service_del_postun oscap-scan.service
+
+%pre utils
+%service_add_pre oscap-scan.service
 
 %files
 %defattr(-, root, root)
@@ -300,10 +309,11 @@ ln -s  %{_datadir}/openscap/scap-yast2sec-xccdf.xml $RPM_BUILD_ROOT/%{_datadir}/
 %defattr(-,root,root,-)
 %{_fillupdir}/sysconfig.oscap-scan
 %doc docs/oscap-scan.cron
-%{_initrddir}/oscap-scan
 %{_mandir}/man8/*
+%{_unitdir}/oscap-scan.service
 %{_bindir}/oscap
 %{_bindir}/oscap-vm
+%{_bindir}/oscap-scan
 %{_bindir}/oscap-ssh
 %{_bindir}/oscap-chroot
 # currently not shipped as it is still python2

oscap-scan.init

@@ -1,106 +0,0 @@
-#!/bin/sh
-#
-# oscap-scan:		OpenSCAP security scanner
-#
-# chkconfig: - 96 99
-# description:  This service runs OpenSCAP security scanner to check the \
-#		system settings. The program does not stay resident, \
-#		but rather runs once. The results of security audit are 
-#		stored in /var/log/oscap-scan.xml.log
-#
-# processname: /usr/bin/oscap
-# config: /etc/sysconfig/oscap-scan
-#
-# Return values according to LSB for all commands but status:
-# 0 - success
-# 1 - generic or unspecified error
-# 2 - invalid or excess argument(s)
-# 3 - unimplemented feature (e.g. "reload")
-# 4 - insufficient privilege
-# 5 - program is not installed
-# 6 - program is not configured
-# 7 - program is not running
-### BEGIN INIT INFO
-# Provides: oscap-scan
-# Required-Start: $syslog $local_fs $network $remote_fs
-# Required-Stop: $syslog $local_fs $network $remote_fs
-# Should-Start:
-# Should-Stop:
-# Default-Start:  3 5
-# Default-Stop: 0 1 6
-# Short-Description: OpenSCAP security scanner
-# Description:       This service runs OpenSCAP security scanner to check the
-#	system settings. The program does not stay resident,
-#	but rather runs once. The results of security audit are
-#	stored in /var/log/oscap-scan.xml.log
-### END INIT INFO
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-prog="oscap"
-
-# Source function library.
-. /etc/rc.status
-
-# Allow anyone to run status
-if [ "$1" = "status" ] ; then
-	exit 3
-fi
-
-# Check that we are root ... so non-root users stop here
-test $EUID = 0  ||  exit 4
-
-# Check config
-test -f /etc/sysconfig/oscap-scan && . /etc/sysconfig/oscap-scan
-
-RETVAL=0
-
-start() {
-	test -x /usr/bin/oscap  || exit 5
-	# Now check that the sysconfig is found and has important things
-	# configured
-	test -f /etc/sysconfig/oscap-scan || exit 6
-	test x"$OPTIONS" != "x" || exit 6
-	echo  -n $"Starting $prog: "
-	$prog $OPTIONS
-	rc_status -v
-	ERR=$?
-	if [ $ERR -eq 0 ] ; then
-		sleep 1
-		logger "OpenSCAP security scan: PASS"
-	elif [ $ERR -eq 1 ] ; then
-		sleep 1
-		logger "OpenSCAP security scan: ERROR. Run oscap scan from command line."
-	else
-		sleep 1
-		logger "OpenSCAP security scan: FAILED. See results in /var/log/oscap-scan.xml.log"
-	fi
-}
-
-
-# See how we were called.
-case "$1" in
-    start)
-	start
-	;;
-    restart)
-	start
-	;;
-    stop)
-	RETVAL=0;
-	;;
-    condrestart)
-	RETVAL=0;
-	;;
-    try-restart)
-	RETVAL=0;
-	;;
-    reload)
-	RETVAL=0;
-	;;
-    *)
-	echo $"Usage: $0 {start}"
-	RETVAL=2
-	;;
-esac
-exit $RETVAL
-

oscap-scan.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenSCAP security scanner
+Wants=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/sysconfig/oscap-scan
+ExecStart=/usr/bin/oscap $OPTIONS
+
+[Install]
+WantedBy=multi-user.target

oscap-scan.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+prog="oscap"
+
+# Check config
+test -f /etc/sysconfig/oscap-scan && . /etc/sysconfig/oscap-scan
+
+RETVAL=0
+
+test -f /etc/sysconfig/oscap-scan || exit 6
+
+test x"$OPTIONS" != "x" || exit 6
+
+$prog $OPTIONS
+
+ERR=$?
+if [ $ERR -eq 0 ] ; then
+	logger "OpenSCAP security scan: PASS"
+elif [ $ERR -eq 1 ] ; then
+	logger "OpenSCAP security scan: ERROR. Run oscap scan from command line."
+else
+	logger "OpenSCAP security scan: FAILED. See results in /var/log/oscap-scan.xml.log"
+fi
+
+exit 0