diff --git a/openwsman-2.4.0-pamsetup.patch b/openwsman-2.4.0-pamsetup.patch
new file mode 100644
index 0000000000000000000000000000000000000000..466b5df07e96ba01bdb2d506d83155a24ae47868
--- /dev/null
+++ b/openwsman-2.4.0-pamsetup.patch
@@ -0,0 +1,13 @@
+diff -up openwsman-2.6.8/etc/pam/openwsman.orig openwsman-2.6.8/etc/pam/openwsman
+--- openwsman-2.6.8/etc/pam/openwsman.orig 2018-11-21 13:51:52.776325243 +0100
++++ openwsman-2.6.8/etc/pam/openwsman 2018-11-21 13:54:17.066351134 +0100
+@@ -2,6 +2,6 @@
+ auth required pam_unix.so nullok
+ auth required pam_nologin.so
+ account required pam_unix.so
+-password required pam_cracklib.so nullok
+-password required pam_unix.so nullok use_first_pass use_authtok nis shadow
+-session required pam_unix.so none
++password required pam_pwquality.so
++password required pam_unix.so nullok use_first_pass use_authtok
++session required pam_unix.so
diff --git a/openwsman-2.4.12-ruby-binding-build.patch b/openwsman-2.4.12-ruby-binding-build.patch
new file mode 100644
index 0000000000000000000000000000000000000000..829e07d09bb630b7100a65bf5d90b2b19216ec66
--- /dev/null
+++ b/openwsman-2.4.12-ruby-binding-build.patch
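Review bot: The `auth required pam_unix.so nullok` context line at the top of the inner hunk is carried over unchanged, so the rewritten stack still lets an account with an empty password authenticate to the network-facing WS-Management daemon. Unless blank passwords are a requirement for this service, the patch should also change that line to `auth required pam_unix.so`. The new `password required pam_pwquality.so` line depends on that module being present at run time, and no runtime dependency on the package providing it is visible in this commit's spec file; with `required`, a missing module would make password changes through this stack fail.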
@@ -0,0 +1,12 @@
+diff -up openwsman-2.4.12/bindings/ruby/extconf.rb.orig openwsman-2.4.12/bindings/ruby/extconf.rb
+--- openwsman-2.4.12/bindings/ruby/extconf.rb.orig 2015-02-09 09:28:58.232581263 +0100
++++ openwsman-2.4.12/bindings/ruby/extconf.rb 2015-02-09 09:38:22.836772879 +0100
+@@ -32,7 +32,7 @@ swig = find_executable("swig")
+ raise "SWIG not found" unless swig
+
+ major, minor, path = RUBY_VERSION.split(".")
+-raise "SWIG failed to run" unless system("#{swig} -ruby -autorename -DRUBY_VERSION=#{major}#{minor} -I. -I/usr/include/openwsman -o openwsman_wrap.c openwsman.i")
++raise "SWIG failed to run" unless system("#{swig} -ruby -autorename -DRUBY_VERSION=#{major}#{minor} -I. -I/usr/include/openwsman -I/builddir/build/BUILD/openwsman-2.7.2/include/ -o openwsman_wrap.c openwsman.i")
+
+ $CPPFLAGS = "-I/usr/include/openwsman -I.."
+
diff --git a/openwsman-2.6.2-openssl-1.1-fix.patch b/openwsman-2.6.2-openssl-1.1-fix.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5d64644716e510d34b9e0009b01a528b2b51cfa0
--- /dev/null
+++ b/openwsman-2.6.2-openssl-1.1-fix.patch
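Review bot: The added `-I/builddir/build/BUILD/openwsman-2.7.2/include/` hard-codes one build root and one version into extconf.rb. On any builder with a different layout, or after the next version bump, that directory will not exist and SWIG is left with `-I/usr/include/openwsman`, so the wrapper can be generated from whatever openwsman headers happen to be installed rather than from the tree being packaged. The spec in this commit already computes the right directory as `%{_builddir}/%{name}-%{version}/include/`, so the path should come from there, for example through an environment variable read in extconf.rb such as `inc = ENV["OPENWSMAN_INCLUDE_DIR"]` (a placeholder name, not an existing variable), with a `raise` when it is unset. The call also passes a single interpolated string to `system`, which goes through the shell; the argument-list form avoids quoting problems if the path ever contains spaces.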
@@ -0,0 +1,135 @@ +diff -up openwsman-2.7.0/src/server/shttpd/compat_unix.h.orig openwsman-2.7.0/src/server/shttpd/compat_unix.h +--- openwsman-2.7.0/src/server/shttpd/compat_unix.h.orig 2020-05-25 15:16:28.000000000 +0200 ++++ openwsman-2.7.0/src/server/shttpd/compat_unix.h 2021-03-09 09:15:26.750942006 +0100 +@@ -27,10 +27,6 @@ + pthread_create(&tid, NULL, (void *(*)(void *))a, c); } while (0) + #endif /* !NO_THREADS */ + +-#ifndef SSL_LIB +-#define SSL_LIB "libssl.so" +-#endif +- + #define DIRSEP '/' + #define IS_DIRSEP_CHAR(c) ((c) == '/') + #define O_BINARY 0 +diff -up openwsman-2.7.0/src/server/shttpd/io_ssl.c.orig openwsman-2.7.0/src/server/shttpd/io_ssl.c +--- openwsman-2.7.0/src/server/shttpd/io_ssl.c.orig 2020-05-25 15:16:28.000000000 +0200 ++++ openwsman-2.7.0/src/server/shttpd/io_ssl.c 2021-03-09 09:15:26.750942006 +0100 +@@ -11,28 +11,6 @@ + #include "defs.h" + + #if !defined(NO_SSL) +-struct ssl_func ssl_sw[] = { +- {"SSL_free", {0}}, +- {"SSL_accept", {0}}, +- {"SSL_connect", {0}}, +- {"SSL_read", {0}}, +- {"SSL_write", {0}}, +- {"SSL_get_error", {0}}, +- {"SSL_set_fd", {0}}, +- {"SSL_new", {0}}, +- {"SSL_CTX_new", {0}}, +-#if OPENSSL_VERSION_NUMBER < 0x10100000L +- {"SSLv23_server_method", {0}}, +- {"SSL_library_init", {0}}, +-#else +- {"TLS_server_method", {0}}, +- {"OPENSSL_init_ssl", {0}}, +-#endif +- {"SSL_CTX_use_PrivateKey_file", {0}}, +- {"SSL_CTX_use_certificate_file",{0}}, +- {NULL, {0}} +-}; +- + void + _shttpd_ssl_handshake(struct stream *stream) + { +diff -up openwsman-2.7.0/src/server/shttpd/shttpd.c.orig openwsman-2.7.0/src/server/shttpd/shttpd.c +--- openwsman-2.7.0/src/server/shttpd/shttpd.c.orig 2020-05-25 15:16:28.000000000 +0200 ++++ openwsman-2.7.0/src/server/shttpd/shttpd.c 2021-03-09 09:16:58.843241510 +0100 +@@ -1489,25 +1489,13 @@ set_ssl(struct shttpd_ctx *ctx, const ch + int retval = FALSE; + EC_KEY* key; + +- /* Load SSL library dynamically */ +- if ((lib = dlopen(SSL_LIB, RTLD_LAZY)) == NULL) { +- _shttpd_elog(E_LOG, 
NULL, "set_ssl: cannot load %s", SSL_LIB); +- return (FALSE); +- } +- +- for (fp = ssl_sw; fp->name != NULL; fp++) +- if ((fp->ptr.v_void = dlsym(lib, fp->name)) == NULL) { +- _shttpd_elog(E_LOG, NULL,"set_ssl: cannot find %s", fp->name); +- return (FALSE); +- } +- + /* Initialize SSL crap */ + + #if OPENSSL_VERSION_NUMBER < 0x10100000L + SSL_library_init(); + if ((CTX = SSL_CTX_new(SSLv23_server_method())) == NULL) + #else +- OPENSSL_init_ssl(); ++ OPENSSL_init_ssl(0, NULL); + if ((CTX = SSL_CTX_new(TLS_server_method())) == NULL) + #endif + _shttpd_elog(E_LOG, NULL, "SSL_CTX_new error"); +diff -up openwsman-2.7.0/src/server/shttpd/ssl.h.orig openwsman-2.7.0/src/server/shttpd/ssl.h +--- openwsman-2.7.0/src/server/shttpd/ssl.h.orig 2020-05-25 15:16:28.000000000 +0200 ++++ openwsman-2.7.0/src/server/shttpd/ssl.h 2021-03-09 09:15:26.750942006 +0100 +@@ -12,55 +12,4 @@ + + #include + +-#else +- +-/* +- * Snatched from OpenSSL includes. I put the prototypes here to be independent +- * from the OpenSSL source installation. Having this, shttpd + SSL can be +- * built on any system with binary SSL libraries installed. 
+- */ +- +-typedef struct ssl_st SSL; +-typedef struct ssl_method_st SSL_METHOD; +-typedef struct ssl_ctx_st SSL_CTX; +- +-#define SSL_ERROR_WANT_READ 2 +-#define SSL_ERROR_WANT_WRITE 3 +-#define SSL_ERROR_SYSCALL 5 +-#define SSL_FILETYPE_PEM 1 +- +-#endif +- +-/* +- * Dynamically loaded SSL functionality +- */ +-struct ssl_func { +- const char *name; /* SSL function name */ +- union variant ptr; /* Function pointer */ +-}; +- +-extern struct ssl_func ssl_sw[]; +- +-#define FUNC(x) ssl_sw[x].ptr.v_func +- +-#define SSL_free(x) (* (void (*)(SSL *)) FUNC(0))(x) +-#define SSL_accept(x) (* (int (*)(SSL *)) FUNC(1))(x) +-#define SSL_connect(x) (* (int (*)(SSL *)) FUNC(2))(x) +-#define SSL_read(x,y,z) (* (int (*)(SSL *, void *, int)) FUNC(3))((x),(y),(z)) +-#define SSL_write(x,y,z) \ +- (* (int (*)(SSL *, const void *,int)) FUNC(4))((x), (y), (z)) +-#define SSL_get_error(x,y)(* (int (*)(SSL *, int)) FUNC(5))((x), (y)) +-#define SSL_set_fd(x,y) (* (int (*)(SSL *, int)) FUNC(6))((x), (y)) +-#define SSL_new(x) (* (SSL * (*)(SSL_CTX *)) FUNC(7))(x) +-#define SSL_CTX_new(x) (* (SSL_CTX * (*)(const SSL_METHOD *)) FUNC(8))(x) +-#if OPENSSL_VERSION_NUMBER < 0x10100000L +-#define SSLv23_server_method() (* (SSL_METHOD * (*)(void)) FUNC(9))() +-#define SSL_library_init() (* (int (*)(void)) FUNC(10))() +-#else +-#define TLS_server_method() (* (SSL_METHOD * (*)(void)) FUNC(9))() +-#define OPENSSL_init_ssl() (* (int (*)(void)) FUNC(10))() + #endif +-#define SSL_CTX_use_PrivateKey_file(x,y,z) (* (int (*)(SSL_CTX *, \ +- const char *, int)) FUNC(11))((x), (y), (z)) +-#define SSL_CTX_use_certificate_file(x,y,z) (* (int (*)(SSL_CTX *, \ +- const char *, int)) FUNC(12))((x), (y), (z)) diff --git a/openwsman-2.6.5-http-status-line.patch b/openwsman-2.6.5-http-status-line.patch new file mode 100644 index 0000000000000000000000000000000000000000..f5715088dcc8ea2b0868611c043b4961381f5d22 --- /dev/null +++ b/openwsman-2.6.5-http-status-line.patch 
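Review bot: In the shttpd.c section, `OPENSSL_init_ssl(0, NULL);` discards its return value, and the `SSL_CTX_new(...) == NULL` branch just below only calls `_shttpd_elog(E_LOG, NULL, "SSL_CTX_new error")`, so from the visible lines a failed library or context setup is logged but not turned into `return (FALSE)`. With the dlopen/dlsym failure paths removed, these two calls are the only initialisation checks left at the top of set_ssl; consider `if (OPENSSL_init_ssl(0, NULL) != 1) return (FALSE);` and returning after the SSL_CTX_new error unless E_LOG is known to terminate the process. The declarations of `lib` and `fp` sit outside the hunk and probably become unused after this change. set_ssl continues past the end of the hunk, so later handling of a NULL `CTX` cannot be confirmed from here.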
@@ -0,0 +1,39 @@
+diff -up openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-listener.c.orig openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-listener.c
+--- openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-listener.c.orig 2016-07-27 16:03:55.000000000 +0200
++++ openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-listener.c 2018-01-22 13:05:04.478923300 +0100
+@@ -344,6 +344,35 @@ DONE:
+ if (fault_reason == NULL) {
+ // this is a way to segfault, investigate
+ //fault_reason = shttpd_reason_phrase(status);
++ // ugly workaround follows...
++ switch (status) {
++ case 200:
++ fault_reason = "OK";
++ break;
++ case 400:
++ fault_reason = "Bad request";
++ break;
++ case 401:
++ fault_reason = "Unauthorized";
++ break;
++ case 403:
++ fault_reason = "Forbidden";
++ break;
++ case 404:
++ fault_reason = "Not found";
++ break;
++ case 500:
++ fault_reason = "Internal Error";
++ break;
++ case 501:
++ fault_reason = "Not implemented";
++ break;
++ case 415:
++ fault_reason = "Unsupported Media Type";
++ break;
++ default:
++ fault_reason = "";
++ }
+ }
+ debug("Response status=%d (%s)", status, fault_reason);
+
diff --git a/openwsman-2.6.8-update-ssleay-conf.patch b/openwsman-2.6.8-update-ssleay-conf.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c312af514ad0c880d81fdedf51313de4a41893b6
--- /dev/null
+++ b/openwsman-2.6.8-update-ssleay-conf.patch
@@ -0,0 +1,12 @@
+diff -up openwsman-2.7.1/etc/ssleay.cnf.orig openwsman-2.7.1/etc/ssleay.cnf
+--- openwsman-2.7.1/etc/ssleay.cnf.orig 2021-11-09 08:27:48.577749509 +0100
++++ openwsman-2.7.1/etc/ssleay.cnf 2021-11-09 08:28:10.499967010 +0100
+@@ -3,7 +3,7 @@
+ #
+
+ [ req ]
+-default_bits = 1024
++default_bits = 2048
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+
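Review bot: The `default:` arm sets `fault_reason = ""`, so any status outside the eight listed codes leaves the listener with an empty reason phrase and shows up as `Response status=NNN ()` in the debug line that follows. A non-empty fallback such as `default: fault_reason = "Unknown"; break;` keeps the status line well-formed for clients and logs that parse it. The comment `// this is a way to segfault, investigate` should say what in `shttpd_reason_phrase(status)` faults, since that is the only record of why the table is duplicated here. The `case 415` arm is out of numeric order, which makes the list harder to scan. The enclosing function starts and ends outside the hunk, so how `fault_reason` reaches the wire is not visible.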
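Review bot: Raising `default_bits` to 2048 in ssleay.cnf only affects keys generated after the change; nothing in this commit detects a server key that was already created with the old 1024-bit default. The spec installs the file as `%config(noreplace)`, so a locally edited copy keeps `default_bits = 1024` on upgrade, and owsmantestcert.sh only tests that `/etc/openwsman/serverkey.pem` exists. Consider stating in the package changelog that existing keys need regenerating, or having the pre-start script report the key size of the installed key.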
diff --git a/openwsman.fc b/openwsman.fc
new file mode 100644
index 0000000000000000000000000000000000000000..00d0643d9f83b22f6eafe7d6b81790678191bc2c
--- /dev/null
+++ b/openwsman.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/openwsmand.* -- gen_context(system_u:object_r:openwsman_unit_file_t,s0)
+
+/usr/sbin/openwsmand -- gen_context(system_u:object_r:openwsman_exec_t,s0)
+
+/var/log/wsmand.* -- gen_context(system_u:object_r:openwsman_log_t,s0)
+
+/var/run/wsmand.* -- gen_context(system_u:object_r:openwsman_run_t,s0)
diff --git a/openwsman.if b/openwsman.if
new file mode 100644
index 0000000000000000000000000000000000000000..747853a1ac87bfacfe2c7cf1a410098bfc0e9d8f
--- /dev/null
+++ b/openwsman.if
@@ -0,0 +1,79 @@
+## WS-Management Server
+
+########################################
+##
+## Execute openwsman in the openwsman domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openwsman_domtrans',`
+ gen_require(`
+ type openwsman_t, openwsman_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openwsman_exec_t, openwsman_t)
+')
+########################################
+##
+## Execute openwsman server in the openwsman domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openwsman_systemctl',`
+ gen_require(`
+ type openwsman_t;
+ type openwsman_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 openwsman_unit_file_t:file read_file_perms;
+ allow $1 openwsman_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, openwsman_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an openwsman environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`openwsman_admin',`
+ gen_require(`
+ type openwsman_t;
+ type openwsman_unit_file_t;
+ ')
+
+ allow $1 openwsman_t:process { signal_perms };
+ ps_process_pattern($1, openwsman_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 openwsman_t:process ptrace;
+ ')
+
+ openwsman_systemctl($1)
+ admin_pattern($1, openwsman_unit_file_t)
+ allow $1 openwsman_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/openwsman.spec b/openwsman.spec
new file mode 100644
index 0000000000000000000000000000000000000000..dd3aaca68ef9829d0d3f2081e8ebe244f2bc7ae7
--- /dev/null
+++ b/openwsman.spec
@@ -0,0 +1,418 @@ +%define anolis_release 1 +%global gem_name %{name} + +%global with_selinux 1 +%global selinuxtype targeted +%global modulename openwsman + +%global with_ruby 1 +%global with_perl 1 +%global with_python 1 + +Name: openwsman +Version: 2.7.2 +Release: %{anolis_release}%{?dist} +Summary: Open source Implementation of WS-Management + +License: BSD-3-Clause AND MIT +URL: http://www.openwsman.org/ +Source0: https://github.com/Openwsman/openwsman/archive/v%{version}.tar.gz +# help2man generated manpage for openwsmand binary +Source1: openwsmand.8.gz +# service file for systemd +Source2: openwsmand.service +# script for testing presence of the certificates in ExecStartPre +Source3: owsmantestcert.sh +# Source100-102: selinux policy for openwsman, extracted +# from https://github.com/fedora-selinux/selinux-policy +%if 0%{with_selinux} +Source100: %{modulename}.te +Source101: %{modulename}.if +Source102: %{modulename}.fc +%endif +Patch1: openwsman-2.4.0-pamsetup.patch +Patch2: openwsman-2.4.12-ruby-binding-build.patch +Patch3: openwsman-2.6.2-openssl-1.1-fix.patch +Patch4: openwsman-2.6.5-http-status-line.patch +Patch5: openwsman-2.6.8-update-ssleay-conf.patch +BuildRequires: make +BuildRequires: swig +BuildRequires: libcurl-devel libxml2-devel pam-devel sblim-sfcc-devel +%if %{with_python} +BuildRequires: python3 python3-devel +%endif +%if %{with_ruby} +BuildRequires: ruby ruby-devel rubygems-devel +%endif +%if %{with_perl} +BuildRequires: perl-interpreter perl-devel perl-generators +%endif +BuildRequires: pkgconfig openssl-devel +BuildRequires: cmake +BuildRequires: systemd-units +BuildRequires: gcc gcc-c++ + +%description +Openwsman is a project intended to provide an open-source +implementation of the Web Services Management specification +(WS-Management) and to expose system management information on the +Linux operating system using the WS-Management protocol. 
WS-Management +is based on a suite of web services specifications and usage +requirements that exposes a set of operations focused on and covers +all system management aspects. + +%package -n libwsman1 +License: BSD +Summary: Open source Implementation of WS-Management +Provides: %{name} = %{version}-%{release} +Obsoletes: %{name} < %{version}-%{release} + +%description -n libwsman1 +Openwsman library for packages dependent on openwsman. + +%package -n libwsman-devel +License: BSD +Summary: Open source Implementation of WS-Management +Provides: %{name}-devel = %{version}-%{release} +Obsoletes: %{name}-devel < %{version}-%{release} +Requires: libwsman1 = %{version}-%{release} +Requires: %{name}-server = %{version}-%{release} +Requires: %{name}-client = %{version}-%{release} +Requires: sblim-sfcc-devel libxml2-devel pam-devel +Requires: libcurl-devel + +%description -n libwsman-devel +Development files for openwsman. + +%package client +License: BSD +Summary: Openwsman Client libraries + +%description client +Openwsman Client libraries. + +%package server +License: BSD +Summary: Openwsman Server and service libraries +Requires: libwsman1 = %{version}-%{release} +%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%endif + +%description server +Openwsman Server and service libraries. + +%if %{with_python} +%package python3 +License: BSD +Summary: Python bindings for openwsman client API +Requires: %{__python3} +Requires: libwsman1 = %{version}-%{release} +%{?python_provide:%python_provide python3-openwsman} + +%description python3 +This package provides Python3 bindings to access the openwsman client API. 
+%endif + +%if %{with_ruby} +%package -n rubygem-%{gem_name} +License: BSD +Summary: Ruby client bindings for Openwsman +Obsoletes: %{name}-ruby < %{version}-%{release} +Requires: libwsman1 = %{version}-%{release} + +%description -n rubygem-%{gem_name} +The openwsman gem provides a Ruby API to manage systems using +the WS-Management protocol. + +%package -n rubygem-%{gem_name}-doc +Summary: Documentation for %{name} +Requires: rubygem-%{gem_name} = %{version}-%{release} +BuildArch: noarch + +%description -n rubygem-%{gem_name}-doc +Documentation for rubygem-%{gem_name} +%endif + +%if %{with_perl} +%package perl +License: BSD +Summary: Perl bindings for openwsman client API +Requires: libwsman1 = %{version}-%{release} + +%description perl +This package provides Perl bindings to access the openwsman client API. +%endif + +%package winrs +Summary: Windows Remote Shell +Requires: rubygem-%{gem_name} = %{version}-%{release} + +%description winrs +This is a command line tool for the Windows Remote Shell protocol. +You can use it to send shell commands to a remote Windows hosts. + +%if 0%{?with_selinux} +# SELinux subpackage +%package selinux +Summary: openwsman SELinux policy +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +Custom SELinux policy module +%endif + +%package doc +Summary: Doc files for %{name} +Requires: %{name} = %{EVR} +BuildArch: noarch + +%description doc +Doc files for %{name} + +%prep +%autosetup -p1 + +%build +# Removing executable permissions on .c and .h files to fix rpmlint warnings. 
+chmod -x src/cpp/WsmanClient.h + +rm -rf build +mkdir build + +export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -DFEDORA -DNO_SSL_CALLBACK" +export CFLAGS="$RPM_OPT_FLAGS -fPIC -pie -Wl,-z,relro -Wl,-z,now" +export CXXFLAGS="$RPM_OPT_FLAGS -fPIC -pie -Wl,-z,relro -Wl,-z,now" +cd build +cmake \ + -DCMAKE_INSTALL_PREFIX=%{_prefix} \ + -DCMAKE_VERBOSE_MAKEFILE=TRUE \ + -DCMAKE_BUILD_TYPE=Release \ + -DCMAKE_C_FLAGS_RELEASE:STRING="$RPM_OPT_FLAGS -fno-strict-aliasing" \ + -DCMAKE_CXX_FLAGS_RELEASE:STRING="$RPM_OPT_FLAGS" \ + -DCMAKE_SKIP_RPATH=1 \ + -DPACKAGE_ARCHITECTURE=`uname -m` \ + -DLIB=%{_lib} \ + -DBUILD_JAVA=no \ + -DBUILD_PYTHON=no \ +%if ! %{with_python} + -DBUILD_PYTHON3=no \ +%endif +%if ! %{with_perl} + -DBUILD_PERL=no \ +%endif +%if ! %{with_ruby} + -DBUILD_RUBY=no \ +%endif + .. + +make + +%if %{with_ruby} +# Make the freshly build openwsman libraries available to build the gem's +# binary extension. +export LIBRARY_PATH=%{_builddir}/%{name}-%{version}/build/src/lib +export CPATH=%{_builddir}/%{name}-%{version}/include/ +export LD_LIBRARY_PATH=%{_builddir}/%{name}-%{version}/build/src/lib/ + +%gem_install -n ./bindings/ruby/%{name}-%{version}.gem +%endif + +%if 0%{?with_selinux} +# SELinux policy (originally from selinux-policy-contrib) +# this policy module will override the production module +mkdir selinux +cp -p %{SOURCE100} %{SOURCE101} %{SOURCE102} selinux/ +make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp +bzip2 -9 %{modulename}.pp +%endif + +%install +cd build + +%if %{with_ruby} +# Do not install the ruby extension, we are proviging the rubygem- instead. +echo -n > bindings/ruby/cmake_install.cmake +%endif + +%make_install +cd .. 
+rm -f %{buildroot}/%{_libdir}/*.la +rm -f %{buildroot}/%{_libdir}/openwsman/plugins/*.la +rm -f %{buildroot}/%{_libdir}/openwsman/authenticators/*.la +%if %{with_ruby} +[ -d %{buildroot}/%{ruby_vendorlibdir} ] && rm -f %{buildroot}/%{ruby_vendorlibdir}/openwsmanplugin.rb +[ -d %{buildroot}/%{ruby_vendorlibdir} ] && rm -f %{buildroot}/%{ruby_vendorlibdir}/openwsman.rb +%endif +mkdir -p %{buildroot}%{_sysconfdir}/init.d +install -m 644 etc/openwsman.conf %{buildroot}/%{_sysconfdir}/openwsman +install -m 644 etc/openwsman_client.conf %{buildroot}/%{_sysconfdir}/openwsman +mkdir -p %{buildroot}/%{_unitdir} +install -p -m 644 %{SOURCE2} %{buildroot}/%{_unitdir}/openwsmand.service +install -m 644 etc/ssleay.cnf %{buildroot}/%{_sysconfdir}/openwsman +install -p -m 755 %{SOURCE3} %{buildroot}/%{_sysconfdir}/openwsman +# install manpage +mkdir -p %{buildroot}/%{_mandir}/man8/ +cp %SOURCE1 %{buildroot}/%{_mandir}/man8/ +# install missing headers +install -m 644 include/wsman-xml.h %{buildroot}/%{_includedir}/openwsman +install -m 644 include/wsman-xml-binding.h %{buildroot}/%{_includedir}/openwsman +install -m 644 include/wsman-dispatcher.h %{buildroot}/%{_includedir}/openwsman + +%if %{with_ruby} +mkdir -p %{buildroot}%{gem_dir} +cp -pa ./build%{gem_dir}/* \ + %{buildroot}%{gem_dir}/ + +rm -rf %{buildroot}%{gem_instdir}/ext + +mkdir -p %{buildroot}%{gem_extdir_mri} +cp -a ./build%{gem_extdir_mri}/{gem.build_complete,*.so} %{buildroot}%{gem_extdir_mri}/ +%endif + +%if 0%{?with_selinux} +install -D -m 0644 build/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +install -D -p -m 0644 build/selinux/%{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if +%endif + +%generate_compatibility_deps + +%post server +%systemd_post openwsmand.service + +%preun server +%systemd_preun openwsmand.service + +%postun server +rm -f /var/log/wsmand.log +%systemd_postun_with_restart openwsmand.service + +%if 
0%{?with_selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} + +if [ "$1" -le "1" ]; then # First install + # the service needs to be restarted for the custom label to be applied + %systemd_postun_with_restart openwsmand.service +fi + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} + %selinux_relabel_post -s %{selinuxtype} +fi +%endif + +%files -n libwsman1 +%license COPYING +%{_libdir}/libwsman.so.* +%{_libdir}/libwsman_client.so.* +%{_libdir}/libwsman_curl_client_transport.so.* +%dir %{abidir} +%{abidir}/libwsman.dump +%{abidir}/libwsman_client.dump +%{abidir}/libwsman_curl_client_transport.dump + +%files -n libwsman-devel +%license COPYING +%{_includedir}/* +%{_libdir}/pkgconfig/* +%{_libdir}/*.so + +%if %{with_python} +%files python3 +%license COPYING +%{python3_sitearch}/*.so +%{python3_sitearch}/*.py +%{python3_sitearch}/__pycache__/* +%{abidir}/_pywsman.dump +%endif + +%if %{with_ruby} +%files -n rubygem-%{gem_name} +%license COPYING +%dir %{gem_instdir} +%{gem_libdir} +%{gem_extdir_mri} +%exclude %{gem_cache} +%{gem_spec} +%{abidir}/libwsman_ruby_plugin.dump +%{abidir}/_openwsman.dump +%endif + +%if %{with_ruby} +%files -n rubygem-%{gem_name}-doc +%doc %{gem_docdir} +%endif + +%if %{with_perl} +%files perl +%license COPYING +%{perl_vendorarch}/openwsman.so +%{perl_vendorlib}/openwsman.pm +%{abidir}/openwsman.dump +%endif + +%files server +%license COPYING +# Don't remove *.so files from the server package. +# the server fails to start without these files. 
+%dir %{_sysconfdir}/openwsman +%config(noreplace) %{_sysconfdir}/openwsman/openwsman.conf +%config(noreplace) %{_sysconfdir}/openwsman/ssleay.cnf +%attr(0755,root,root) %{_sysconfdir}/openwsman/owsmangencert.sh +%attr(0755,root,root) %{_sysconfdir}/openwsman/owsmantestcert.sh +%config(noreplace) %{_sysconfdir}/pam.d/openwsman +%{_unitdir}/openwsmand.service +%dir %{_libdir}/openwsman +%dir %{_libdir}/openwsman/authenticators +%{_libdir}/openwsman/authenticators/*.so +%{_libdir}/openwsman/authenticators/*.so.* +%dir %{_libdir}/openwsman/plugins +%{_libdir}/openwsman/plugins/*.so +%{_libdir}/openwsman/plugins/*.so.* +%{_sbindir}/openwsmand +%{_libdir}/libwsman_server.so.* +%{_mandir}/man8/* +%{abidir}/libwsman_server.dump +%{abidir}/libredirect.dump +%{abidir}/libwsman_cim_plugin.dump +%{abidir}/libwsman_file_auth.dump +%{abidir}/libwsman_identify_plugin.dump +%{abidir}/libwsman_pam_auth.dump +%{abidir}/libwsman_test.dump + +%files client +%license COPYING +%{_libdir}/libwsman_clientpp.so.* +%config(noreplace) %{_sysconfdir}/openwsman/openwsman_client.conf +%{abidir}/libwsman_clientpp.dump + +%files winrs +%{_bindir}/winrs + +%if 0%{?with_selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* +%{_datadir}/selinux/devel/include/distributed/%{modulename}.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} +%endif + +%files doc +%doc AUTHORS ChangeLog README.md + +%changelog +* Sat Mar 25 2023 Chunmei Xu - 2.7.2-1 +- init from upstream diff --git a/openwsman.te b/openwsman.te new file mode 100644 index 0000000000000000000000000000000000000000..e00816c9cff2bfab62bec4bb51350539fed67a51 --- /dev/null +++ b/openwsman.te 
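Review bot: `%postun server` runs `rm -f /var/log/wsmand.log` unconditionally, and because the old package's %postun also runs during an upgrade, every update of openwsman-server deletes the daemon's log. That removes the record an operator would need when looking into authentication failures or crashes around the update. Restrict it to final erase with `if [ $1 -eq 0 ]; then rm -f /var/log/wsmand.log; fi`, or drop the line and leave the file to log rotation. Separately, `mkdir -p %{buildroot}%{_sysconfdir}/init.d` creates a directory that no %files entry packages, and `URL:` still uses plain http.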
@@ -0,0 +1,74 @@ +policy_module(openwsman, 1.0.0) + +######################################## +# +# Declarations +# + +type openwsman_t; +type openwsman_exec_t; +init_daemon_domain(openwsman_t, openwsman_exec_t) + +type openwsman_tmp_t; +files_tmp_file(openwsman_tmp_t) + +type openwsman_tmpfs_t; +files_tmpfs_file(openwsman_tmpfs_t) + +type openwsman_log_t; +logging_log_file(openwsman_log_t) + +type openwsman_run_t; +files_pid_file(openwsman_run_t) + +type openwsman_unit_file_t; +systemd_unit_file(openwsman_unit_file_t) + +######################################## +# +# openwsman local policy +# + +allow openwsman_t self:capability setuid; + +allow openwsman_t self:process { fork }; +allow openwsman_t self:fifo_file rw_fifo_file_perms; +allow openwsman_t self:unix_stream_socket create_stream_socket_perms; +allow openwsman_t self:tcp_socket { accept create_socket_perms listen }; + +manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t) +manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t) +files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file }) + +manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t) +manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t) +fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file }) + +manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t) +logging_log_filetrans(openwsman_t, openwsman_log_t, { file }) + +manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t) +files_pid_filetrans(openwsman_t, openwsman_run_t, { file }) + +auth_use_nsswitch(openwsman_t) +auth_domtrans_chkpwd(openwsman_t) + +corenet_tcp_connect_pegasus_https_port(openwsman_t) +corenet_tcp_bind_vnc_port(openwsman_t) +corenet_tcp_bind_http_port(openwsman_t) + +dev_read_urand(openwsman_t) + +logging_send_syslog_msg(openwsman_t) +logging_send_audit_msgs(openwsman_t) + +optional_policy(` + sblim_stream_connect_sfcbd(openwsman_t) + sblim_rw_semaphores_sfcbd(openwsman_t) + 
sblim_getattr_exec_sfcbd(openwsman_t) +') + +optional_policy(` + unconfined_domain(openwsman_t) +') + diff --git a/openwsmand.8.gz b/openwsmand.8.gz new file mode 100644 index 0000000000000000000000000000000000000000..2b86ec133fa723940fab68e03cdcf3453a304b90 Binary files /dev/null and b/openwsmand.8.gz differ diff --git a/openwsmand.service b/openwsmand.service new file mode 100644 index 0000000000000000000000000000000000000000..e10c75dfb92986227cd05b07b6c586b229a76635 --- /dev/null +++ b/openwsmand.service @@ -0,0 +1,12 @@ +[Unit] +Description=Openwsman WS-Management Service +After=syslog.target + +[Service] +Type=forking +ExecStart=/usr/sbin/openwsmand -S +ExecStartPre=/etc/openwsman/owsmantestcert.sh +PIDFile=/var/run/wsmand.pid + +[Install] +WantedBy=multi-user.target diff --git a/owsmantestcert.sh b/owsmantestcert.sh new file mode 100644 index 0000000000000000000000000000000000000000..8918f413d226d19f5012422d4b98f4f1249879ec --- /dev/null +++ b/owsmantestcert.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +if [ ! -f "/etc/openwsman/serverkey.pem" ]; then + if [ -f "/etc/ssl/servercerts/servercert.pem" \ + -a -f "/etc/ssl/servercerts/serverkey.pem" ]; then + echo "Using common server certificate /etc/ssl/servercerts/servercert.pem" + ln -s /etc/ssl/servercerts/server{cert,key}.pem /etc/openwsman + exit 0 + else + echo "FAILED: Starting openwsman server" + echo "There is no ssl server key available for openwsman server to use." + echo -e "Please generate one with the following script and start the openwsman service again:\n" + echo "##################################" + echo "/etc/openwsman/owsmangencert.sh" + echo "=================================" + + echo "NOTE: The script uses /dev/random device for generating some random bits while generating the server key." + echo " If this takes too long, you can replace the value of \"RANDFILE\" in /etc/openwsman/ssleay.cnf with /dev/urandom. Please understand the implications of replacing the RNADFILE." + exit 1 + fi +fi 
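Review bot: The closing `optional_policy(` block that calls `unconfined_domain(openwsman_t)` makes the daemon's domain unconfined on any system where the unconfined module is loaded, which is typically the case for the targeted policy this package builds against (`%global selinuxtype targeted` in the spec). The specific allow rules and interface calls above it then no longer bound what a compromised openwsmand can do. If confinement is intended, remove that block and extend the policy from observed AVC denials. If it is kept on purpose, add a comment above it such as `# openwsman_t is deliberately unconfined when the unconfined module is present; the rules above are not a security boundary`. `corenet_tcp_bind_vnc_port(openwsman_t)` also needs a one-line comment, presumably that the WS-Management listener ports carry the vnc port label.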
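Review bot: The `[Unit]` section orders the service only `After=syslog.target`, which current systemd no longer needs, and has no network ordering even though the daemon is a TCP listener; `After=network.target` is the usual replacement. `PIDFile=/var/run/wsmand.pid` uses the legacy path, which systemd is expected to warn about; `PIDFile=/run/wsmand.pid` avoids that as long as the daemon keeps writing through the /var/run symlink. No sandboxing directives are set, and any that are added later need testing against the PAM helper transition (`auth_domtrans_chkpwd`) granted in this commit's policy.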
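Review bot: The result of `ln -s /etc/ssl/servercerts/server{cert,key}.pem /etc/openwsman` is ignored and the script runs `exit 0` straight after, so a failed link (for instance a stale `servercert.pem` already present in /etc/openwsman) still lets ExecStartPre succeed and the daemon start with a mismatched or missing certificate. The outer test looks only at `/etc/openwsman/serverkey.pem`, so an existing key with no `servercert.pem` beside it is not detected either. Suggest `ln -s /etc/ssl/servercerts/server{cert,key}.pem /etc/openwsman || exit 1`, testing both files in the outer condition, and replacing the `-a` inside `[ ]` with `[ -f A ] && [ -f B ]`. The final echo misspells RANDFILE as "RNADFILE".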
diff --git a/v2.7.2.tar.gz b/v2.7.2.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..917775ae420b740bc4710f56eedad22f172296a6 Binary files /dev/null and b/v2.7.2.tar.gz differ