rpms
/
openwsman
21
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:i10cs
Branches Tags
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
rpms:i9c-beta
rpms:c9-beta
...
pull from: rpms:c9
Branches Tags
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
rpms:i9c-beta
rpms:c9-beta

No commits in common. 'i10cs' and 'c9' have entirely different histories.
i10cs ... c9

14 changed files with 330 additions and 453 deletions
Show Stats

2
.gitignore vendored
Unescape View File

@ -1,2 +1,2 @@
SOURCES/openwsmand.8.gz
SOURCES/v2.7.2.tar.gz
SOURCES/v2.6.8.tar.gz

2
.openwsman.metadata
Unescape View File

@ -1,2 +1,2 @@
a6a8bbbfa71ce04bedae55f2f06ce97089b6c5e1 SOURCES/openwsmand.8.gz
e051e9f630fb4465d46b7c926a622ddcce3f193d SOURCES/v2.7.2.tar.gz
e061a41b3d5f5fa4ee284726d283e15f4a0e8c46 SOURCES/v2.6.8.tar.gz

8
SOURCES/openwsman-2.4.12-ruby-binding-build.patch
Unescape View File

@ -1,12 +1,12 @@
diff -up openwsman-2.7.2/bindings/ruby/extconf.rb.orig openwsman-2.7.2/bindings/ruby/extconf.rb
--- openwsman-2.7.2/bindings/ruby/extconf.rb.orig 2022-12-28 16:43:03.000000000 +0100
+++ openwsman-2.7.2/bindings/ruby/extconf.rb 2023-08-09 12:50:21.361216733 +0200
diff -up openwsman-2.4.12/bindings/ruby/extconf.rb.orig openwsman-2.4.12/bindings/ruby/extconf.rb
--- openwsman-2.4.12/bindings/ruby/extconf.rb.orig 2015-02-09 09:28:58.232581263 +0100
+++ openwsman-2.4.12/bindings/ruby/extconf.rb 2015-02-09 09:38:22.836772879 +0100
@@ -32,7 +32,7 @@ swig = find_executable("swig")
raise "SWIG not found" unless swig
major, minor, path = RUBY_VERSION.split(".")
-raise "SWIG failed to run" unless system("#{swig} -ruby -autorename -DRUBY_VERSION=#{major}#{minor} -I. -I/usr/include/openwsman -o openwsman_wrap.c openwsman.i")
+raise "SWIG failed to run" unless system("#{swig} -ruby -autorename -DRUBY_VERSION=#{major}#{minor} -I. -I/usr/include/openwsman -I/builddir/build/BUILD/openwsman-2.7.2/include/ -o openwsman_wrap.c openwsman.i")
+raise "SWIG failed to run" unless system("#{swig} -ruby -autorename -DRUBY_VERSION=#{major}#{minor} -I. -I/usr/include/openwsman -I/builddir/build/BUILD/openwsman-2.6.8/include/ -o openwsman_wrap.c openwsman.i")
$CPPFLAGS = "-I/usr/include/openwsman -I.."

52
SOURCES/openwsman-2.6.2-openssl-1.1-fix.patch
Unescape View File

@ -1,6 +1,6 @@
diff -up openwsman-2.7.0/src/server/shttpd/compat_unix.h.orig openwsman-2.7.0/src/server/shttpd/compat_unix.h
--- openwsman-2.7.0/src/server/shttpd/compat_unix.h.orig 2020-05-25 15:16:28.000000000 +0200
+++ openwsman-2.7.0/src/server/shttpd/compat_unix.h 2021-03-09 09:15:26.750942006 +0100
diff -up openwsman-2.6.8/src/server/shttpd/compat_unix.h.orig openwsman-2.6.8/src/server/shttpd/compat_unix.h
--- openwsman-2.6.8/src/server/shttpd/compat_unix.h.orig 2018-10-12 12:06:26.000000000 +0200
+++ openwsman-2.6.8/src/server/shttpd/compat_unix.h 2018-11-22 13:30:10.756423510 +0100
@@ -27,10 +27,6 @@
pthread_create(&tid, NULL, (void *(*)(void *))a, c); } while (0)
#endif /* !NO_THREADS */
@ -12,10 +12,10 @@ diff -up openwsman-2.7.0/src/server/shttpd/compat_unix.h.orig openwsman-2.7.0/sr
#define DIRSEP '/'
#define IS_DIRSEP_CHAR(c) ((c) == '/')
#define O_BINARY 0
diff -up openwsman-2.7.0/src/server/shttpd/io_ssl.c.orig openwsman-2.7.0/src/server/shttpd/io_ssl.c
--- openwsman-2.7.0/src/server/shttpd/io_ssl.c.orig 2020-05-25 15:16:28.000000000 +0200
+++ openwsman-2.7.0/src/server/shttpd/io_ssl.c 2021-03-09 09:15:26.750942006 +0100
@@ -11,28 +11,6 @@
diff -up openwsman-2.6.8/src/server/shttpd/io_ssl.c.orig openwsman-2.6.8/src/server/shttpd/io_ssl.c
--- openwsman-2.6.8/src/server/shttpd/io_ssl.c.orig 2018-10-12 12:06:26.000000000 +0200
+++ openwsman-2.6.8/src/server/shttpd/io_ssl.c 2018-11-22 13:30:10.757423510 +0100
@@ -11,23 +11,6 @@
#include "defs.h"
#if !defined(NO_SSL)
@ -29,13 +29,8 @@ diff -up openwsman-2.7.0/src/server/shttpd/io_ssl.c.orig openwsman-2.7.0/src/ser
- {"SSL_set_fd", {0}},
- {"SSL_new", {0}},
- {"SSL_CTX_new", {0}},
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- {"SSLv23_server_method", {0}},
- {"SSL_library_init", {0}},
-#else
- {"TLS_server_method", {0}},
- {"OPENSSL_init_ssl", {0}},
-#endif
- {"SSL_CTX_use_PrivateKey_file", {0}},
- {"SSL_CTX_use_certificate_file",{0}},
- {NULL, {0}}
@ -44,10 +39,10 @@ diff -up openwsman-2.7.0/src/server/shttpd/io_ssl.c.orig openwsman-2.7.0/src/ser
void
_shttpd_ssl_handshake(struct stream *stream)
{
diff -up openwsman-2.7.0/src/server/shttpd/shttpd.c.orig openwsman-2.7.0/src/server/shttpd/shttpd.c
--- openwsman-2.7.0/src/server/shttpd/shttpd.c.orig 2020-05-25 15:16:28.000000000 +0200
+++ openwsman-2.7.0/src/server/shttpd/shttpd.c 2021-03-09 09:16:58.843241510 +0100
@@ -1489,25 +1489,13 @@ set_ssl(struct shttpd_ctx *ctx, const ch
diff -up openwsman-2.6.8/src/server/shttpd/shttpd.c.orig openwsman-2.6.8/src/server/shttpd/shttpd.c
--- openwsman-2.6.8/src/server/shttpd/shttpd.c.orig 2018-10-12 12:06:26.000000000 +0200
+++ openwsman-2.6.8/src/server/shttpd/shttpd.c 2018-11-22 13:30:41.314416695 +0100
@@ -1476,20 +1476,14 @@ set_ssl(struct shttpd_ctx *ctx, const ch
int retval = FALSE;
EC_KEY* key;
@ -64,20 +59,20 @@ diff -up openwsman-2.7.0/src/server/shttpd/shttpd.c.orig openwsman-2.7.0/src/ser
- }
-
/* Initialize SSL crap */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ debug("Initialize SSL");
+ SSL_load_error_strings();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ OPENSSL_init_ssl(0, NULL);
+#else
SSL_library_init();
+#endif
if ((CTX = SSL_CTX_new(SSLv23_server_method())) == NULL)
#else
- OPENSSL_init_ssl();
+ OPENSSL_init_ssl(0, NULL);
if ((CTX = SSL_CTX_new(TLS_server_method())) == NULL)
#endif
_shttpd_elog(E_LOG, NULL, "SSL_CTX_new error");
diff -up openwsman-2.7.0/src/server/shttpd/ssl.h.orig openwsman-2.7.0/src/server/shttpd/ssl.h
--- openwsman-2.7.0/src/server/shttpd/ssl.h.orig 2020-05-25 15:16:28.000000000 +0200
+++ openwsman-2.7.0/src/server/shttpd/ssl.h 2021-03-09 09:15:26.750942006 +0100
@@ -12,55 +12,4 @@
diff -up openwsman-2.6.8/src/server/shttpd/ssl.h.orig openwsman-2.6.8/src/server/shttpd/ssl.h
--- openwsman-2.6.8/src/server/shttpd/ssl.h.orig 2018-10-12 12:06:26.000000000 +0200
+++ openwsman-2.6.8/src/server/shttpd/ssl.h 2018-11-22 13:30:10.757423510 +0100
@@ -12,52 +12,4 @@
#include <openssl/ssl.h>
@ -125,9 +120,6 @@ diff -up openwsman-2.7.0/src/server/shttpd/ssl.h.orig openwsman-2.7.0/src/server
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#define SSLv23_server_method() (* (SSL_METHOD * (*)(void)) FUNC(9))()
-#define SSL_library_init() (* (int (*)(void)) FUNC(10))()
-#else
-#define TLS_server_method() (* (SSL_METHOD * (*)(void)) FUNC(9))()
-#define OPENSSL_init_ssl() (* (int (*)(void)) FUNC(10))()
#endif
-#define SSL_CTX_use_PrivateKey_file(x,y,z) (* (int (*)(SSL_CTX *, \
- const char *, int)) FUNC(11))((x), (y), (z))

27
SOURCES/openwsman-2.6.5-libcurl-error-codes-update.patch
Unescape View File

@ -0,0 +1,27 @@
diff -up openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig openwsman-2.6.5/src/lib/wsman-curl-client-transport.c
--- openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig 2018-11-14 13:53:27.442138557 +0100
+++ openwsman-2.6.5/src/lib/wsman-curl-client-transport.c 2018-11-14 14:11:28.508714204 +0100
@@ -186,16 +186,23 @@ convert_to_last_error(CURLcode r)
return WS_LASTERR_SSL_CONNECT_ERROR;
case CURLE_BAD_FUNCTION_ARGUMENT:
return WS_LASTERR_CURL_BAD_FUNCTION_ARG;
+#if LIBCURL_VERSION_NUM < 0x073E00
case CURLE_SSL_PEER_CERTIFICATE:
return WS_LASTERR_SSL_PEER_CERTIFICATE;
+#endif
case CURLE_SSL_ENGINE_NOTFOUND:
return WS_LASTERR_SSL_ENGINE_NOTFOUND;
case CURLE_SSL_ENGINE_SETFAILED:
return WS_LASTERR_SSL_ENGINE_SETFAILED;
case CURLE_SSL_CERTPROBLEM:
return WS_LASTERR_SSL_CERTPROBLEM;
+#if LIBCURL_VERSION_NUM < 0x073E00
case CURLE_SSL_CACERT:
return WS_LASTERR_SSL_CACERT;
+#else
+ case CURLE_PEER_FAILED_VERIFICATION:
+ return WS_LASTERR_SSL_PEER_CERTIFICATE;
+#endif
#if LIBCURL_VERSION_NUM > 0x70C01
case CURLE_SSL_ENGINE_INITFAILED:
return WS_LASTERR_SSL_ENGINE_INITFAILED;

79
SOURCES/openwsman-2.6.8-CVE-2019-3816.patch
Unescape View File

@ -0,0 +1,79 @@
diff -up openwsman-2.6.8/src/server/shttpd/shttpd.c.orig openwsman-2.6.8/src/server/shttpd/shttpd.c
--- openwsman-2.6.8/src/server/shttpd/shttpd.c.orig 2019-03-13 08:52:06.112090942 +0100
+++ openwsman-2.6.8/src/server/shttpd/shttpd.c 2019-03-13 09:01:15.496156789 +0100
@@ -336,10 +336,12 @@ date_to_epoch(const char *s)
}
static void
-remove_double_dots(char *s)
+remove_all_leading_dots(char *s)
{
char *p = s;
+ while (*s != '\0' && *s == '.') s++;
+
while (*s != '\0') {
*p++ = *s++;
if (s[-1] == '/' || s[-1] == '\\')
@@ -546,7 +548,7 @@ decide_what_to_do(struct conn *c)
*c->query++ = '\0';
_shttpd_url_decode(c->uri, strlen(c->uri), c->uri, strlen(c->uri) + 1);
- remove_double_dots(c->uri);
+ remove_all_leading_dots(c->uri);
root = c->ctx->options[OPT_ROOT];
if (strlen(c->uri) + strlen(root) >= sizeof(path)) {
@@ -556,6 +558,7 @@ decide_what_to_do(struct conn *c)
(void) _shttpd_snprintf(path, sizeof(path), "%s%s", root, c->uri);
+ DBG(("decide_what_to_do -> processed path: [%s]", path));
/* User may use the aliases - check URI for mount point */
if (is_alias(c->ctx, c->uri, &alias_uri, &alias_path) != NULL) {
(void) _shttpd_snprintf(path, sizeof(path), "%.*s%s",
@@ -572,7 +575,10 @@ decide_what_to_do(struct conn *c)
if ((ruri = _shttpd_is_registered_uri(c->ctx, c->uri)) != NULL) {
_shttpd_setup_embedded_stream(c,
ruri->callback, ruri->callback_data);
- } else
+ } else {
+ _shttpd_send_server_error(c, 403, "Forbidden");
+ }
+#if 0
if (strstr(path, HTPASSWD)) {
/* Do not allow to view passwords files */
_shttpd_send_server_error(c, 403, "Forbidden");
@@ -656,6 +662,7 @@ decide_what_to_do(struct conn *c)
} else {
_shttpd_send_server_error(c, 500, "Internal Error");
}
+#endif
}
static int
diff -up openwsman-2.6.8/src/server/wsmand.c.orig openwsman-2.6.8/src/server/wsmand.c
--- openwsman-2.6.8/src/server/wsmand.c.orig 2018-10-12 12:06:26.000000000 +0200
+++ openwsman-2.6.8/src/server/wsmand.c 2019-03-13 09:03:25.919181279 +0100
@@ -198,6 +198,10 @@ static void daemonize(void)
int fd;
char *pid;
+ /* Change our CWD to / */
+ i = chdir("/");
+ assert(i == 0);
+
if (wsmand_options_get_foreground_debug() > 0) {
return;
}
@@ -214,10 +218,6 @@ static void daemonize(void)
log_pid = 0;
setsid();
- /* Change our CWD to / */
- i=chdir("/");
- assert(i == 0);
-
/* Close all file descriptors. */
for (i = getdtablesize(); i >= 0; --i)
close(i);

94
SOURCES/openwsman-2.6.8-CVE-2019-3833.patch
Unescape View File

@ -0,0 +1,94 @@
diff -up openwsman-2.6.8/src/server/shttpd/shttpd.c.orig openwsman-2.6.8/src/server/shttpd/shttpd.c
--- openwsman-2.6.8/src/server/shttpd/shttpd.c.orig 2019-03-13 09:32:32.417633057 +0100
+++ openwsman-2.6.8/src/server/shttpd/shttpd.c 2019-03-13 09:58:04.482486589 +0100
@@ -705,11 +705,11 @@ parse_http_request(struct conn *c)
_shttpd_send_server_error(c, 500, "Cannot allocate request");
}
+ io_inc_tail(&c->rem.io, req_len);
+
if (c->loc.flags & FLAG_CLOSED)
return;
- io_inc_tail(&c->rem.io, req_len);
-
DBG(("Conn %d: parsing request: [%.*s]", c->rem.chan.sock, req_len, s));
c->rem.flags |= FLAG_HEADERS_PARSED;
@@ -975,7 +975,7 @@ write_stream(struct stream *from, struct
}
-static void
+static int
connection_desctructor(struct llhead *lp)
{
struct conn *c = LL_ENTRY(lp, struct conn, link);
@@ -999,7 +999,8 @@ connection_desctructor(struct llhead *lp
* Check the "Connection: " header before we free c->request
* If it its 'keep-alive', then do not close the connection
*/
- do_close = (c->ch.connection.v_vec.len >= vec.len &&
+ do_close = c->rem.flags & FLAG_CLOSED ||
+ (c->ch.connection.v_vec.len >= vec.len &&
!_shttpd_strncasecmp(vec.ptr,c->ch.connection.v_vec.ptr,vec.len)) ||
(c->major_version < 1 ||
(c->major_version >= 1 && c->minor_version < 1));
@@ -1021,7 +1022,7 @@ connection_desctructor(struct llhead *lp
io_clear(&c->loc.io);
c->birth_time = _shttpd_current_time;
if (io_data_len(&c->rem.io) > 0)
- process_connection(c, 0, 0);
+ return 1;
} else {
if (c->rem.io_class != NULL)
c->rem.io_class->close(&c->rem);
@@ -1032,6 +1033,8 @@ connection_desctructor(struct llhead *lp
free(c);
}
+
+ return 0;
}
static void
@@ -1039,7 +1042,7 @@ worker_destructor(struct llhead *lp)
{
struct worker *worker = LL_ENTRY(lp, struct worker, link);
- free_list(&worker->connections, connection_desctructor);
+ free_list(&worker->connections, (void (*)(struct llhead *))connection_desctructor);
free(worker);
}
@@ -1072,6 +1075,8 @@ add_to_set(int fd, fd_set *set, int *max
static void
process_connection(struct conn *c, int remote_ready, int local_ready)
{
+again:
+
/* Read from remote end if it is ready */
if (remote_ready && io_space_len(&c->rem.io))
read_stream(&c->rem);
@@ -1100,7 +1105,11 @@ process_connection(struct conn *c, int r
if ((_shttpd_current_time > c->expire_time) ||
(c->rem.flags & FLAG_CLOSED) ||
((c->loc.flags & FLAG_CLOSED) && !io_data_len(&c->loc.io)))
- connection_desctructor(&c->link);
+ if (connection_desctructor(&c->link)) {
+ remote_ready = 0;
+ local_ready = 0;
+ goto again;
+ }
}
static int
@@ -1642,7 +1651,7 @@ worker_function(void *param)
while (worker->exit_flag == 0)
poll_worker(worker, 1000 * 10);
- free_list(&worker->connections, connection_desctructor);
+ free_list(&worker->connections, (void (*)(struct llhead *))connection_desctructor);
free(worker);
}

56
SOURCES/openwsman-2.6.8-http-unauthorized-improve.patch
Unescape View File

@ -0,0 +1,56 @@
diff -up openwsman-2.6.8/src/lib/wsman-curl-client-transport.c.orig openwsman-2.6.8/src/lib/wsman-curl-client-transport.c
--- openwsman-2.6.8/src/lib/wsman-curl-client-transport.c.orig 2022-11-24 10:02:08.114053046 +0100
+++ openwsman-2.6.8/src/lib/wsman-curl-client-transport.c 2022-11-24 10:02:08.119053046 +0100
@@ -455,6 +455,7 @@ wsmc_handler( WsManClient *cl,
long http_code;
long auth_avail = 0;
char *_user = NULL, *_pass = NULL;
+ int _no_auth = 0; /* 0 if authentication is used, 1 if no authentication was used */
u_buf_t *response = NULL;
//char *soapaction;
char *tmp_str = NULL;
@@ -554,6 +555,7 @@ wsmc_handler( WsManClient *cl,
_user = wsmc_get_user(cl);
_pass = wsmc_get_password(cl);
if (_user && _pass && cl->data.auth_set) {
+ _no_auth = 0;
r = curl_easy_setopt(curl, CURLOPT_HTTPAUTH, cl->data.auth_set);
if (r != CURLE_OK) {
cl->fault_string = u_strdup(curl_easy_strerror(r));
@@ -574,6 +576,11 @@ wsmc_handler( WsManClient *cl,
curl_err("curl_easy_setopt(curl, CURLOPT_USERPWD, ..) failed");
goto DONE;
}
+ } else {
+ /* request without user credentials, remember this for
+ * later use when it might become necessary to print an error message
+ */
+ _no_auth = 1;
}
if (wsman_debug_level_debugged(DEBUG_LEVEL_MESSAGE)) {
@@ -606,6 +613,24 @@ wsmc_handler( WsManClient *cl,
break;
case 401:
// The server requires authentication.
+ /* RFC 2616 states:
+ *
+ * If the request already included Authorization credentials, then the 401
+ * response indicates that authorization has been refused for those
+ * credentials. If the 401 response contains the same challenge as the
+ * prior response, and the user agent has already attempted
+ * authentication at least once, then the user SHOULD be presented the
+ * entity that was given in the response, since that entity might
+ * include relevant diagnostic information.
+ */
+ if (_no_auth == 0) {
+ /* no authentication credentials were used. It is only
+ * possible to write a message about the current situation. There
+ * is no information about the last attempt to access the resource.
+ * Maybe at a later point in time I will implement more state information.
+ */
+ fprintf(stdout,"Authentication failed, please retry\n");
+ }
break;
default:
// The status code does not indicate success.

11
SOURCES/openwsman-2.6.8-update-ssleay-conf.patch
Unescape View File

@ -1,9 +1,12 @@
diff -up openwsman-2.7.1/etc/ssleay.cnf.orig openwsman-2.7.1/etc/ssleay.cnf
--- openwsman-2.7.1/etc/ssleay.cnf.orig 2021-11-09 08:27:48.577749509 +0100
+++ openwsman-2.7.1/etc/ssleay.cnf 2021-11-09 08:28:10.499967010 +0100
@@ -3,7 +3,7 @@
diff -up openwsman-2.6.8/etc/ssleay.cnf.orig openwsman-2.6.8/etc/ssleay.cnf
--- openwsman-2.6.8/etc/ssleay.cnf.orig 2018-10-12 12:06:26.000000000 +0200
+++ openwsman-2.6.8/etc/ssleay.cnf 2020-09-22 14:27:56.216306882 +0200
@@ -2,10 +2,8 @@
# SSLeay example configuration file.
#
-RANDFILE = /dev/random
-
[ req ]
-default_bits = 1024
+default_bits = 2048

12
SOURCES/openwsman-2.7.2-fix-ftbfs.patch
Unescape View File

@ -1,12 +0,0 @@
diff -up openwsman-2.7.2/bindings/openwsman.i.orig openwsman-2.7.2/bindings/openwsman.i
--- openwsman-2.7.2/bindings/openwsman.i.orig 2024-01-22 09:36:42.764721705 +0100
+++ openwsman-2.7.2/bindings/openwsman.i 2024-01-22 09:37:29.970817151 +0100
@@ -109,7 +109,7 @@ SWIGINTERNINLINE SV *SWIG_From_double S
%typemap(in) FILE* {
#if RUBY_VERSION > 18
- struct rb_io_t *fptr;
+ struct rb_io *fptr;
#else
struct OpenFile *fptr;
#endif

7
SOURCES/openwsman.fc
Unescape View File

@ -1,7 +0,0 @@
/usr/lib/systemd/system/openwsmand.* -- gen_context(system_u:object_r:openwsman_unit_file_t,s0)
/usr/sbin/openwsmand -- gen_context(system_u:object_r:openwsman_exec_t,s0)
/var/log/wsmand.* -- gen_context(system_u:object_r:openwsman_log_t,s0)
/var/run/wsmand.* -- gen_context(system_u:object_r:openwsman_run_t,s0)

79
SOURCES/openwsman.if
Unescape View File

@ -1,79 +0,0 @@
## <summary>WS-Management Server</summary>
########################################
## <summary>
## Execute openwsman in the openwsman domin.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`openwsman_domtrans',`
gen_require(`
type openwsman_t, openwsman_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, openwsman_exec_t, openwsman_t)
')
########################################
## <summary>
## Execute openwsman server in the openwsman domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`openwsman_systemctl',`
gen_require(`
type openwsman_t;
type openwsman_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 openwsman_unit_file_t:file read_file_perms;
allow $1 openwsman_unit_file_t:service manage_service_perms;
ps_process_pattern($1, openwsman_t)
')
########################################
## <summary>
## All of the rules required to administrate
## an openwsman environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`openwsman_admin',`
gen_require(`
type openwsman_t;
type openwsman_unit_file_t;
')
allow $1 openwsman_t:process { signal_perms };
ps_process_pattern($1, openwsman_t)
tunable_policy(`deny_ptrace',`',`
allow $1 openwsman_t:process ptrace;
')
openwsman_systemctl($1)
admin_pattern($1, openwsman_unit_file_t)
allow $1 openwsman_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')

74
SOURCES/openwsman.te
Unescape View File

@ -1,74 +0,0 @@
policy_module(openwsman, 1.0.0)
########################################
#
# Declarations
#
type openwsman_t;
type openwsman_exec_t;
init_daemon_domain(openwsman_t, openwsman_exec_t)
type openwsman_tmp_t;
files_tmp_file(openwsman_tmp_t)
type openwsman_tmpfs_t;
files_tmpfs_file(openwsman_tmpfs_t)
type openwsman_log_t;
logging_log_file(openwsman_log_t)
type openwsman_run_t;
files_pid_file(openwsman_run_t)
type openwsman_unit_file_t;
systemd_unit_file(openwsman_unit_file_t)
########################################
#
# openwsman local policy
#
allow openwsman_t self:capability setuid;
allow openwsman_t self:process { fork };
allow openwsman_t self:fifo_file rw_fifo_file_perms;
allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
allow openwsman_t self:tcp_socket { accept create_socket_perms listen };
manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
auth_use_nsswitch(openwsman_t)
auth_domtrans_chkpwd(openwsman_t)
corenet_tcp_connect_pegasus_https_port(openwsman_t)
corenet_tcp_bind_vnc_port(openwsman_t)
corenet_tcp_bind_http_port(openwsman_t)
dev_read_urand(openwsman_t)
logging_send_syslog_msg(openwsman_t)
logging_send_audit_msgs(openwsman_t)
optional_policy(`
sblim_stream_connect_sfcbd(openwsman_t)
sblim_rw_semaphores_sfcbd(openwsman_t)
sblim_getattr_exec_sfcbd(openwsman_t)
')
optional_policy(`
unconfined_domain(openwsman_t)
')

280
SPECS/openwsman.spec
Unescape View File

@ -1,34 +1,12 @@
# RubyGems's macros expect gem_name to exist.
%global gem_name %{name}
# defining macros needed by SELinux
# unless running a flatpak build.
%if 0%{?flatpak}
%global with_selinux 0
%else
%global with_selinux 1
%global selinuxtype targeted
%global modulename openwsman
%endif
# Bindings install in the wrong path for a flatpak build; this could be fixed, but
# we don't currently need the bindings for any Flatpak'ed application
%if 0%{?flatpak}
%global with_ruby 0
%global with_perl 0
%global with_python 0
%else
%global with_ruby 1
%global with_perl 1
%global with_python 1
%endif
Name: openwsman
Version: 2.7.2
Release: 9%{?dist}
Version: 2.6.8
Release: 23%{?dist}
Summary: Open source Implementation of WS-Management
License: BSD-3-Clause AND MIT
License: BSD
URL: http://www.openwsman.org/
Source0: https://github.com/Openwsman/openwsman/archive/v%{version}.tar.gz
# help2man generated manpage for openwsmand binary
@ -37,32 +15,20 @@ Source1: openwsmand.8.gz
Source2: openwsmand.service
# script for testing presence of the certificates in ExecStartPre
Source3: owsmantestcert.sh
# Source100-102: selinux policy for openwsman, extracted
# from https://github.com/fedora-selinux/selinux-policy
%if 0%{with_selinux}
Source100: %{modulename}.te
Source101: %{modulename}.if
Source102: %{modulename}.fc
%endif
Patch1: openwsman-2.4.0-pamsetup.patch
Patch2: openwsman-2.4.12-ruby-binding-build.patch
Patch3: openwsman-2.6.2-openssl-1.1-fix.patch
Patch4: openwsman-2.6.5-http-status-line.patch
Patch5: openwsman-2.6.8-update-ssleay-conf.patch
Patch6: openwsman-2.7.2-fix-ftbfs.patch
BuildRequires: make
Patch5: openwsman-2.6.5-libcurl-error-codes-update.patch
Patch6: openwsman-2.6.8-CVE-2019-3816.patch
Patch7: openwsman-2.6.8-CVE-2019-3833.patch
Patch8: openwsman-2.6.8-update-ssleay-conf.patch
Patch9: openwsman-2.6.8-http-unauthorized-improve.patch
BuildRequires: make
BuildRequires: swig
BuildRequires: libcurl-devel libxml2-devel pam-devel sblim-sfcc-devel
%if %{with_python}
BuildRequires: python3 python3-devel
%endif
%if %{with_ruby}
BuildRequires: ruby ruby-devel rubygems-devel
%endif
%if %{with_perl}
BuildRequires: perl-interpreter perl-devel perl-generators
%endif
BuildRequires: pkgconfig openssl-devel
BuildRequires: python3 python3-devel ruby ruby-devel rubygems-devel perl-interpreter
BuildRequires: perl-devel perl-generators pkgconfig openssl-devel
BuildRequires: cmake
BuildRequires: systemd-units
BuildRequires: gcc gcc-c++
@ -77,7 +43,7 @@ requirements that exposes a set of operations focused on and covers
all system management aspects.
%package -n libwsman1
License: BSD-3-Clause AND MIT
License: BSD
Summary: Open source Implementation of WS-Management
Provides: %{name} = %{version}-%{release}
Obsoletes: %{name} < %{version}-%{release}
@ -86,7 +52,7 @@ Obsoletes: %{name} < %{version}-%{release}
Openwsman library for packages dependent on openwsman.
%package -n libwsman-devel
License: BSD-3-Clause AND MIT
License: BSD
Summary: Open source Implementation of WS-Management
Provides: %{name}-devel = %{version}-%{release}
Obsoletes: %{name}-devel < %{version}-%{release}
@ -100,28 +66,22 @@ Requires: libcurl-devel
Development files for openwsman.
%package client
License: BSD-3-Clause AND MIT
License: BSD
Summary: Openwsman Client libraries
%description client
Openwsman Client libraries.
%package server
License: BSD-3-Clause AND MIT
License: BSD
Summary: Openwsman Server and service libraries
Requires: libwsman1 = %{version}-%{release}
%if 0%{?with_selinux}
# This ensures that the *-selinux package and all its dependencies are not pulled
# into containers and other systems that do not use SELinux
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif
%description server
Openwsman Server and service libraries.
%if %{with_python}
%package python3
License: BSD-3-Clause AND MIT
License: BSD
Summary: Python bindings for openwsman client API
Requires: %{__python3}
Requires: libwsman1 = %{version}-%{release}
@ -129,11 +89,9 @@ Requires: libwsman1 = %{version}-%{release}
%description python3
This package provides Python3 bindings to access the openwsman client API.
%endif
%if %{with_ruby}
%package -n rubygem-%{gem_name}
License: BSD-3-Clause AND MIT
License: BSD
Summary: Ruby client bindings for Openwsman
Obsoletes: %{name}-ruby < %{version}-%{release}
Requires: libwsman1 = %{version}-%{release}
@ -149,17 +107,15 @@ BuildArch: noarch
%description -n rubygem-%{gem_name}-doc
Documentation for rubygem-%{gem_name}
%endif
%if %{with_perl}
%package perl
License: BSD-3-Clause AND MIT
License: BSD
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Summary: Perl bindings for openwsman client API
Requires: libwsman1 = %{version}-%{release}
%description perl
This package provides Perl bindings to access the openwsman client API.
%endif
%package winrs
Summary: Windows Remote Shell
@ -169,24 +125,18 @@ Requires: rubygem-%{gem_name} = %{version}-%{release}
This is a command line tool for the Windows Remote Shell protocol.
You can use it to send shell commands to a remote Windows hosts.
%if 0%{?with_selinux}
# SELinux subpackage
%package selinux
Summary: openwsman SELinux policy
BuildArch: noarch
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
%{?selinux_requires}
%description selinux
Custom SELinux policy module
%endif
%prep
%setup -q
%autopatch -p1
%patch1 -p1 -b .pamsetup
%patch2 -p1 -b .ruby-binding-build
%patch3 -p1 -b .openssl-1.1-fix
%patch4 -p1 -b .http-status-line
%patch5 -p1 -b .libcurl-error-codes-update
%patch6 -p1 -b .CVE-2019-3816
%patch7 -p1 -b .CVE-2019-3833
%patch8 -p1 -b .update-ssleay-conf
%patch9 -p1 -b .http-unauthorized-improve
%build
# Removing executable permissions on .c and .h files to fix rpmlint warnings.
@ -200,7 +150,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fPIC -pie -Wl,-z,relro -Wl,-z,now"
export CXXFLAGS="$RPM_OPT_FLAGS -fPIC -pie -Wl,-z,relro -Wl,-z,now"
cd build
cmake \
-DCMAKE_INSTALL_PREFIX=%{_prefix} \
-DCMAKE_INSTALL_PREFIX=/usr \
-DCMAKE_VERBOSE_MAKEFILE=TRUE \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_C_FLAGS_RELEASE:STRING="$RPM_OPT_FLAGS -fno-strict-aliasing" \
@ -210,20 +160,10 @@ cmake \
-DLIB=%{_lib} \
-DBUILD_JAVA=no \
-DBUILD_PYTHON=no \
%if ! %{with_python}
-DBUILD_PYTHON3=no \
%endif
%if ! %{with_perl}
-DBUILD_PERL=no \
%endif
%if ! %{with_ruby}
-DBUILD_RUBY=no \
%endif
..
make
%if %{with_ruby}
# Make the freshly build openwsman libraries available to build the gem's
# binary extension.
export LIBRARY_PATH=%{_builddir}/%{name}-%{version}/build/src/lib
@ -231,34 +171,20 @@ export CPATH=%{_builddir}/%{name}-%{version}/include/
export LD_LIBRARY_PATH=%{_builddir}/%{name}-%{version}/build/src/lib/
%gem_install -n ./bindings/ruby/%{name}-%{version}.gem
%endif
%if 0%{?with_selinux}
# SELinux policy (originally from selinux-policy-contrib)
# this policy module will override the production module
mkdir selinux
cp -p %{SOURCE100} %{SOURCE101} %{SOURCE102} selinux/
make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
bzip2 -9 %{modulename}.pp
%endif
%install
cd build
%if %{with_ruby}
# Do not install the ruby extension, we are proviging the rubygem- instead.
echo -n > bindings/ruby/cmake_install.cmake
%endif
%make_install
cd ..
rm -f %{buildroot}/%{_libdir}/*.la
rm -f %{buildroot}/%{_libdir}/openwsman/plugins/*.la
rm -f %{buildroot}/%{_libdir}/openwsman/authenticators/*.la
%if %{with_ruby}
[ -d %{buildroot}/%{ruby_vendorlibdir} ] && rm -f %{buildroot}/%{ruby_vendorlibdir}/openwsmanplugin.rb
[ -d %{buildroot}/%{ruby_vendorlibdir} ] && rm -f %{buildroot}/%{ruby_vendorlibdir}/openwsman.rb
%endif
mkdir -p %{buildroot}%{_sysconfdir}/init.d
install -m 644 etc/openwsman.conf %{buildroot}/%{_sysconfdir}/openwsman
install -m 644 etc/openwsman_client.conf %{buildroot}/%{_sysconfdir}/openwsman
@ -274,7 +200,6 @@ install -m 644 include/wsman-xml.h %{buildroot}/%{_includedir}/openwsman
install -m 644 include/wsman-xml-binding.h %{buildroot}/%{_includedir}/openwsman
install -m 644 include/wsman-dispatcher.h %{buildroot}/%{_includedir}/openwsman
%if %{with_ruby}
mkdir -p %{buildroot}%{gem_dir}
cp -pa ./build%{gem_dir}/* \
%{buildroot}%{gem_dir}/
@ -283,12 +208,6 @@ rm -rf %{buildroot}%{gem_instdir}/ext
mkdir -p %{buildroot}%{gem_extdir_mri}
cp -a ./build%{gem_extdir_mri}/{gem.build_complete,*.so} %{buildroot}%{gem_extdir_mri}/
%endif
%if 0%{?with_selinux}
install -D -m 0644 build/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
install -D -p -m 0644 build/selinux/%{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
%endif
%ldconfig_scriptlets -n libwsman1
@ -306,28 +225,6 @@ rm -f /var/log/wsmand.log
%ldconfig_scriptlets client
%if 0%{?with_selinux}
# SELinux contexts are saved so that only affected files can be
# relabeled after the policy module installation
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
%selinux_relabel_post -s %{selinuxtype}
if [ "$1" -le "1" ]; then # First install
# the service needs to be restarted for the custom label to be applied
%systemd_postun_with_restart openwsmand.service
fi
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
%selinux_relabel_post -s %{selinuxtype}
fi
%endif
%files -n libwsman1
%doc AUTHORS COPYING ChangeLog README.md TODO
%{_libdir}/libwsman.so.*
@ -340,15 +237,12 @@ fi
%{_libdir}/pkgconfig/*
%{_libdir}/*.so
%if %{with_python}
%files python3
%doc AUTHORS COPYING ChangeLog README.md
%{python3_sitearch}/*.so
%{python3_sitearch}/*.py
%{python3_sitearch}/__pycache__/*
%endif
%if %{with_ruby}
%files -n rubygem-%{gem_name}
%doc AUTHORS COPYING ChangeLog README.md
%dir %{gem_instdir}
@ -356,19 +250,14 @@ fi
%{gem_extdir_mri}
%exclude %{gem_cache}
%{gem_spec}
%endif
%if %{with_ruby}
%files -n rubygem-%{gem_name}-doc
%doc %{gem_docdir}
%endif
%if %{with_perl}
%files perl
%doc AUTHORS COPYING ChangeLog README.md
%{perl_vendorarch}/openwsman.so
%{perl_vendorlib}/openwsman.pm
%endif
%files server
%doc AUTHORS COPYING ChangeLog README.md
@ -400,112 +289,21 @@ fi
%files winrs
%{_bindir}/winrs
%if 0%{?with_selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%endif
%changelog
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.7.2-9
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 2.7.2-8
- Rebuilt for MSVSphere 10
* Thu Aug 08 2024 Troy Dawson <tdawson@redhat.com> - 2.7.2-8
- Bump release for Aug 2024 java mass rebuild
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.7.2-7
- Bump release for June 2024 mass rebuild
* Thu May 09 2024 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.7.2-6
- Update license tags in subpackages to SPDX format
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Jan 22 2024 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.7.2-4
- Fix FTBFS
Resolves: #2259165
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Jan 03 2024 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.7.2-2
- Rebuild for https://fedoraproject.org/wiki/Changes/Ruby_3.3
* Thu Aug 31 2023 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.7.2-1
- Update to openwsman-2.7.2
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.1-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jul 11 2023 Jitka Plesnikova <jplesnik@redhat.com> - 2.7.1-13
- Perl 5.38 rebuild
* Wed Jun 14 2023 Python Maint <python-maint@redhat.com> - 2.7.1-12
- Rebuilt for Python 3.12
* Tue Feb 14 2023 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.7.1-11
- SPDX migration
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Jan 04 2023 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.7.1-9
- Rebuild for https://fedoraproject.org/wiki/Changes/Ruby_3.2
* Fri Oct 21 2022 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.7.1-8
- Fix Ruby bindings for swig 4.1 (backported from upstream)
Resolves: #2136510
- Remove mixed use of spaces and tabs from spec file
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jul 20 2022 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.7.1-6
* Thu Nov 24 2022 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.8-23
- Improve handling of HTTP 401 Unauthorized
Resolves: #2127415
* Wed Jun 15 2022 Python Maint <python-maint@redhat.com> - 2.7.1-5
- Rebuilt for Python 3.11
* Mon May 30 2022 Jitka Plesnikova <jplesnik@redhat.com> - 2.7.1-4
- Perl 5.36 rebuild
* Thu Jan 27 2022 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.7.1-3
- F-36: rebuild against ruby31
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Nov 11 2021 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.7.1-1
- Update to openwsman-2.7.1
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.7.0-6
- Rebuilt with OpenSSL 3.0.0
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jun 08 2021 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.7.0-4
- Incorporate -selinux subpackage
See https://fedoraproject.org/wiki/SELinux/IndependentPolicy
* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 2.7.0-3
- Rebuilt for Python 3.10
* Fri May 21 2021 Jitka Plesnikova <jplesnik@redhat.com> - 2.7.0-2
- Perl 5.34 rebuild
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.8-22
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Mar 09 2021 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.7.0-1
- Update to openwsman-2.7.0 (thanks for a patch to Bastian Germann)
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.8-21
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.6.8-20
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.8-20
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.8-19
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

Write Preview
Loading…
Cancel
Save