From 6527bf30c2a825241f3659d37155263c73aa6cf9 Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Dec 08 2021 10:40:07 +0000 Subject: [PATCH 1/5] Drop support for EL6 --- diff --git a/nrpe.spec b/nrpe.spec index 1e5f0e8..b30de39 100644 --- a/nrpe.spec +++ b/nrpe.spec @@ -27,7 +27,6 @@ Source0: https://github.com/NagiosEnterprises/nrpe/archive/%{name}-%{version}.ta Source1: nrpe.sysconfig Source2: nrpe-tmpfiles.conf Source3: nrpe.README.SELinux.rst -Source4: nrpe_epel6.te Source5: nrpe_epel7.te Source6: nrpe_epel.fc Source7: nrpe.service.epel @@ -41,9 +40,7 @@ BuildRequires: autoconf, automake, libtool BuildRequires: gcc BuildRequires: openssl, openssl-devel BuildRequires: checkpolicy, selinux-policy-devel -%if 0%{?fedora} > 17 || 0%{?rhel} > 6 BuildRequires: systemd-units -%endif %if 0%{?fedora} < 28 && 0%{?rhel} < 8 BuildRequires: tcp_wrappers-devel @@ -51,16 +48,9 @@ BuildRequires: tcp_wrappers-devel Requires(pre): %{_sbindir}/useradd, %{_sbindir}/usermod -%if 0%{?el6} -Requires(preun): /sbin/service, /sbin/chkconfig -Requires(post): /sbin/chkconfig, /sbin/service -Requires(postun): /sbin/service -Requires: initscripts -%else Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -%endif # owns /etc/nagios Requires: nagios-common @@ -134,26 +124,16 @@ make %{?_smp_mflags} all ## SELinux configs mkdir selinux install -pm 644 %{SOURCE3} README.SELinux.rst -%if 0%{?rhel} < 7 -cp -p %{SOURCE4} selinux/%{name}_epel.te -%else cp -p %{SOURCE5} selinux/%{name}_epel.te -%endif cp -p %{SOURCE6} selinux/%{name}_epel.fc touch selinux/%{name}_epel.if make -f %{_datadir}/selinux/devel/Makefile %endif %install -rm -rf %{buildroot} -%if 0%{?el6}%{?el7} -## If we are EL6 we want the old style sysV init script -%if 0%{?el6} -install -D -p -m 0755 startup/default-init %{buildroot}/%{_initrddir}/nrpe -%else +%if 0%{?el7} ## If we are EL7 we want the home crafted systemd service due to problems install -D -m 0644 -p %{SOURCE7} %{buildroot}%{_unitdir}/%{name}.service -%endif %else ## If we are Fedora we want the upstream systemd service file install -D -m 0644 -p startup/default-service %{buildroot}%{_unitdir}/%{name}.service @@ -164,9 +144,7 @@ install -D -p -m 0755 src/check_nrpe %{buildroot}/%{_libdir}/nagios/plugins/chec install -D -p -m 0644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/sysconfig/%{name} install -d %{buildroot}%{_sysconfdir}/nrpe.d install -d %{buildroot}%{_localstatedir}/run/%{name} -%if 0%{?fedora} > 14 || 0%{?rhel} > 6 install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf -%endif %if 0%{?rhel} >5 # Selinux configs install -p -m 644 -D %{name}_epel.pp $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/%{name}_epel.pp @@ -179,64 +157,31 @@ getent passwd %{name} >/dev/null || \ getent group nagios >/dev/null && %{_sbindir}/usermod -a -G nagios %{name} || : %preun -%if 0%{?el6} -if [ $1 = 0 ]; then - /sbin/service %{name} stop > /dev/null 2>&1 || : - /sbin/chkconfig --del %{name} || : -fi -%else %systemd_preun nrpe.service -%endif %post -%if 0%{?el6} -/sbin/chkconfig --add %{name} || : -%else %systemd_post nrpe.service -%endif %postun -%if 0%{?el6} -if [ "$1" -ge "1" ]; then - /sbin/service %{name} condrestart > /dev/null 2>&1 || : -fi -%else %systemd_postun_with_restart nrpe.service -%endif %if 0%{?rhel} >5 %post selinux -%if 0%{?el6} -if [ "$1" -le "1" ]; then # Fist install - semodule -i %{_datadir}/selinux/packages/%{name}/%{name}_epel.pp 2>/dev/null || : - fixfiles -R %{name} restore || : - /sbin/service %{name} condrestart > /dev/null 2>&1 || : -fi -%else if [ "$1" -le "1" ]; then # Fist install semodule -i %{_datadir}/selinux/packages/%{name}/%{name}_epel.pp 2>/dev/null || : fixfiles -R %{name} restore || : %systemd_postun_with_restart %{name}.service fi %endif -%endif %if 0%{?rhel} >5 %preun selinux -%if 0%{?el6} -if [ "$1" -lt "1" ]; then # Final removal - semodule -r %{name}_epel 2>/dev/null || : - fixfiles -R %{name} restore || : - /sbin/service %{name} condrestart > /dev/null 2>&1 || : -fi -%else if [ "$1" -lt "1" ]; then # Final removal semodule -r %{name}_epel 2>/dev/null || : fixfiles -R %{name} restore || : %systemd_postun_with_restart %{name}.service fi %endif -%endif %if 0%{?rhel} >5 %postun selinux @@ -248,18 +193,12 @@ fi %endif %files -%if 0%{?el6} -%{_initrddir}/nrpe -%else %{_unitdir}/%{name}.service -%endif %{_sbindir}/nrpe %dir %{_sysconfdir}/nrpe.d %config(noreplace) %{_sysconfdir}/nagios/nrpe.cfg %config(noreplace) %{_sysconfdir}/sysconfig/%{name} -%if 0%{?fedora} > 14 || 0%{?rhel} > 6 %config(noreplace) %{_tmpfilesdir}/%{name}.conf -%endif %doc CHANGELOG.md LICENSE.md LEGAL README.md README.SSL.md SECURITY.md docs/NRPE.pdf %dir %attr(775, %{name}, %{name}) %{_localstatedir}/run/%{name} diff --git a/nrpe_epel6.te b/nrpe_epel6.te deleted file mode 100644 index 032958e..0000000 --- a/nrpe_epel6.te +++ /dev/null @@ -1,29 +0,0 @@ -# this file was contributed by David Galloway. Thank you. -module nrpe_epel 1.0; - -require { - type fsadm_exec_t; - type hostname_exec_t; - type hwdata_t; - type nrpe_t; - type scsi_generic_device_t; - type tmp_t; - class capability { sys_admin sys_rawio }; - class chr_file { ioctl open read write }; - class dir { add_name remove_name search write }; - class file { create execute getattr open read unlink write }; - class unix_dgram_socket sendto; -} - -#============= nrpe_t ============== - -allow nrpe_t fsadm_exec_t:file { execute getattr open read }; -allow nrpe_t hostname_exec_t:file execute; -allow nrpe_t hwdata_t:dir search; -allow nrpe_t hwdata_t:file { getattr open read }; -allow nrpe_t scsi_generic_device_t:chr_file { ioctl open read write }; -allow nrpe_t self:capability { sys_admin sys_rawio }; -allow nrpe_t self:unix_dgram_socket sendto; -allow nrpe_t tmp_t:dir { add_name remove_name write }; -allow nrpe_t tmp_t:file unlink; -allow nrpe_t tmp_t:file { create open write }; From 60bda2624d52a379a9aaad2c718fa021895ce980 Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Dec 08 2021 10:40:07 +0000 Subject: [PATCH 2/5] Fix build on EL9 --- diff --git a/nrpe.spec b/nrpe.spec index b30de39..82b18b4 100644 --- a/nrpe.spec +++ b/nrpe.spec @@ -113,7 +113,7 @@ CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" LDFLAGS="%{?__global_ldflags}" --localstatedir=%{_localstatedir}/run/ \ --enable-command-args -%if 0%{?fedora} > 35 +%if 0%{?fedora} > 35 || 0%{?rhel} > 8 # do not use get_dh2048 on openssl3 sed -i "s/#define USE_SSL_DH 1/#undef USE_SSL_DH/" include/config.h %endif From d1bcadca54c09d1970e78c4d54b3d127b8217921 Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Dec 08 2021 10:40:07 +0000 Subject: [PATCH 3/5] Make use of %%license --- diff --git a/nrpe.spec b/nrpe.spec index 82b18b4..87d15ae 100644 --- a/nrpe.spec +++ b/nrpe.spec @@ -199,12 +199,14 @@ fi %config(noreplace) %{_sysconfdir}/nagios/nrpe.cfg %config(noreplace) %{_sysconfdir}/sysconfig/%{name} %config(noreplace) %{_tmpfilesdir}/%{name}.conf -%doc CHANGELOG.md LICENSE.md LEGAL README.md README.SSL.md SECURITY.md docs/NRPE.pdf +%license LICENSE.md +%doc CHANGELOG.md LEGAL README.md README.SSL.md SECURITY.md docs/NRPE.pdf %dir %attr(775, %{name}, %{name}) %{_localstatedir}/run/%{name} %files -n nagios-plugins-nrpe %{_libdir}/nagios/plugins/check_nrpe -%doc CHANGELOG.md LICENSE.md LEGAL README.md +%license LICENSE.md +%doc CHANGELOG.md LEGAL README.md %if 0%{?rhel} > 5 %files selinux From ea6c85c56c5b9d898986ea7ac0dede3868d0f40e Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Dec 08 2021 10:56:27 +0000 Subject: [PATCH 4/5] Cosmetic typo fixes --- diff --git a/nrpe.spec b/nrpe.spec index 87d15ae..76bc4db 100644 --- a/nrpe.spec +++ b/nrpe.spec @@ -59,7 +59,7 @@ Provides: nagios-nrpe = %{version}-%{release} %description Nrpe is a system daemon that will execute various Nagios plugins locally on behalf of a remote (monitoring) host that uses the -check_nrpe plugin. Various plugins that can be executed by the +check_nrpe plugin. Various plugins that can be executed by the daemon are available at: http://sourceforge.net/projects/nagiosplug @@ -73,7 +73,7 @@ Provides: check_nrpe = %{version}-%{release} %description -n nagios-plugins-nrpe Nrpe is a system daemon that will execute various Nagios plugins locally on behalf of a remote (monitoring) host that uses the -check_nrpe plugin. Various plugins that can be executed by the +check_nrpe plugin. Various plugins that can be executed by the daemon are available at: http://sourceforge.net/projects/nagiosplug @@ -145,7 +145,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/sysconfig/%{name} install -d %{buildroot}%{_sysconfdir}/nrpe.d install -d %{buildroot}%{_localstatedir}/run/%{name} install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf -%if 0%{?rhel} >5 +%if 0%{?rhel} > 5 # Selinux configs install -p -m 644 -D %{name}_epel.pp $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/%{name}_epel.pp %endif @@ -165,16 +165,16 @@ getent group nagios >/dev/null && %{_sbindir}/usermod -a -G nagios %{name} || : %postun %systemd_postun_with_restart nrpe.service -%if 0%{?rhel} >5 +%if 0%{?rhel} > 5 %post selinux -if [ "$1" -le "1" ]; then # Fist install +if [ "$1" -le "1" ]; then # First install semodule -i %{_datadir}/selinux/packages/%{name}/%{name}_epel.pp 2>/dev/null || : fixfiles -R %{name} restore || : %systemd_postun_with_restart %{name}.service fi %endif -%if 0%{?rhel} >5 +%if 0%{?rhel} > 5 %preun selinux if [ "$1" -lt "1" ]; then # Final removal semodule -r %{name}_epel 2>/dev/null || : @@ -183,14 +183,14 @@ if [ "$1" -lt "1" ]; then # Final removal fi %endif -%if 0%{?rhel} >5 +%if 0%{?rhel} > 5 %postun selinux if [ "$1" -ge "1" ]; then # Upgrade # Replaces the module if it is already loaded semodule -i %{_datadir}/selinux/packages/%{name}/%{name}_epel.pp 2>/dev/null || : - # no need to restart the daemon + # no need to restart the daemon fi -%endif +%endif %files %{_unitdir}/%{name}.service @@ -254,8 +254,8 @@ fi * Sun Apr 5 2020 Martin Jackson - 4.0.2-2 - New upstream version - Update patch for indlude_dir -- Fix BZ#1816816 - CVE-2020-6582 nrpe: heap-based buffer overflow due to a wrong integer type conversion -- Fix BZ#1816805 - CVE-2020-6581 nrpe: insufficient filtering and incorrect parsing of the configuration file may lead to command injection +- Fix BZ#1816816 - CVE-2020-6582 nrpe: heap-based buffer overflow due to a wrong integer type conversion +- Fix BZ#1816805 - CVE-2020-6581 nrpe: insufficient filtering and incorrect parsing of the configuration file may lead to command injection * Wed Jan 29 2020 Fedora Release Engineering - 3.2.1-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild @@ -306,7 +306,7 @@ fi - Forgot to up the release. * Fri Jul 21 2017 Stephen Smoogen - 3.2.0-3 -- Clean out nrpe.fc as that breaks silently +- Clean out nrpe.fc as that breaks silently * Wed Jul 19 2017 Stephen Smoogen - 3.2.0-3 - Remove git from release name From e8d9b16ef70f8a7caf9a3243b9d269a6eaf39f88 Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Dec 08 2021 11:51:09 +0000 Subject: [PATCH 5/5] Bump release and add changelog entry --- diff --git a/nrpe.spec b/nrpe.spec index 76bc4db..14caafe 100644 --- a/nrpe.spec +++ b/nrpe.spec @@ -11,9 +11,9 @@ Name: nrpe Version: 4.0.3 %if 0%{?fromgit} -Release: 9%{?fromgit:.%{commdate}git%{shortcommit}}%{?dist} +Release: 10%{?fromgit:.%{commdate}git%{shortcommit}}%{?dist} %else -Release: 9%{?dist} +Release: 10%{?dist} %endif Summary: Host/service/network monitoring agent for Nagios @@ -215,6 +215,11 @@ fi %endif %changelog +* Wed Dec 08 2021 Xavier Bachelot - 4.0.3-10 +- Drop EL6 support +- Fix EL9 build +- Use %%license + * Thu Nov 11 2021 Ján ONDREJ (SAL) - 4.0.3-9 - Don't use get_dh on Fedora 36 - OpenSSL 3. (bz#2021958) - Remove unknown --with-init-dir configure parameter.