# NOTE: this rpm probably can't be built under mock any more due to more rigorous checks on macros

%define 	chpax_ver	0.7
%define 	paxctl_ver	0.9
%define 	with_nptl 	0



Summary:	Userspace ACL parsing and authentication for grsecurity
Name: gradm
Version: 3.1
Release: 46
License:	GPL
Group:		System/Base
URL:		http://www.grsecurity.net/
Source0:	https://grsecurity.net/stable/gradm-3.1-201701031918.tar.gz
Source1:	chpax-%{chpax_ver}.tar.gz
Source2:	nptl.sh
Source3:	paxctl-%{paxctl_ver}.tar.gz
Patch0:		Makefile-2.2.1-x86_64.patch
Patch1:		learn_config.patch
BuildRoot:	%{_tmppath}/%{name}-buildroot
BuildRequires:	binutils flex findutils byacc bison pam-devel, pam
#Requires: 	paxctl
Requires:	prelink
# For setfattr support
#  setfattr -n user.pax.flags -v "me" /path/to/binary will turn off MPROTECT and EMUTRAMP
# (EMUTRAMP has to be added because PT_PAX_FLAGS disables it by default too, and the two markings must enable/disable the same PaX features.)
Requires:	setfattr

%if 0%{?fc15}
BuildRequires: flex-static
%endif

%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
BuildRequires: flex-devel
%endif


%description
grsecurity aims to be a complete security system for Linux.
gradm performs several tasks for the ACL system, including
authenticating to the kernel via a password and parsing ACLs to be
passed to the kernel.

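%prep
# Unpack the gradm tarball, then add chpax (Source1) and paxctl (Source3) to
# the same tree without re-extracting Source0 (-D -T -a N).
%setup -q -n %{name}
%setup -q -n %{name} -D -T -a 1
%setup -q -n %{name} -D -T -a 3

# Patches are currently disabled.  Written with a doubled percent sign so
# rpmbuild does not try to expand the patch macro inside a comment.
#%%patch0 -p1
#%%patch1 -p0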



%build
# OPT_FLAGS is exported for the Makefiles built below; -m64 only on x86_64.
%ifarch x86_64
export OPT_FLAGS="-O2 -m64"
%else
export OPT_FLAGS="-O2"
%endif
%{__make}

# Build the bundled chpax and paxctl in subshells so the working directory
# is restored after each one.
( cd chpax-%{chpax_ver} && %{__make} )
( cd paxctl-%{paxctl_ver} && %{__make} )

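%install
# Refuse to wipe "/" if buildroot is mis-set; otherwise start from a clean tree.
[ "%{buildroot}" != "/" ] && rm -rf %{buildroot}
# The upstream install target is not rpm friendly (it does mknod, etc), so the
# files are placed by hand instead of running: make DESTDIR="%%{buildroot}" install
%{__mkdir_p} %{buildroot}%{_sysconfdir}/grsec
# Policy files are root-only readable (0640).  The binaries get 0700 here;
# their final modes are set by the attr entries in the files section.
%{__install} -D -m 0640 learn_config %{buildroot}%{_sysconfdir}/grsec/learn_config
%{__install} -D -m 0640 policy %{buildroot}%{_sysconfdir}/grsec/policy
%{__install} -D -m 0700 gradm %{buildroot}/sbin/gradm
%{__install} -D -m 0700 gradm_pam %{buildroot}/sbin/gradm_pam
%{__install} -D -m 0700 grlearn %{buildroot}/sbin/grlearn
%{__install} -D -m 0644 gradm.8 %{buildroot}%{_mandir}/man8/gradm.8

# chpax ships its own DESTDIR-aware install target; run it in a subshell.
( cd chpax-%{chpax_ver} && %{__make} DESTDIR="%{buildroot}" install )

# paxctl is installed by hand (the mandir macro already starts with a slash).
%{__install} -D -m 0700 paxctl-%{paxctl_ver}/paxctl %{buildroot}/sbin/paxctl
%{__install} -D -m 0644 paxctl-%{paxctl_ver}/paxctl.1 %{buildroot}%{_mandir}/man1/paxctl.1

%if %{with_nptl}
%{__mkdir_p} %{buildroot}%{_sysconfdir}/profile.d/
%{__install} -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/profile.d/nptl.sh
%endif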


%clean
# Same guard as in the install section: never rm -rf "/".
[ "%{buildroot}" != "/" ] && rm -rf %{buildroot}

# this is a rearchitecture for GID's due to some overlap that occurred because of plesk
# Renumber the ASL groups into the 300 range (the same gids the groupadd calls
# in the post scriptlet use).  groupmod fails when a group does not exist yet,
# hence the "|| :" on every line.
%triggerin -- kernel-asl
#
#/usr/sbin/groupmod -g 301 procread || :
/usr/sbin/groupmod -g 302 client || :
/usr/sbin/groupmod -g 303 server || :
/usr/sbin/groupmod -g 304 socket || :
/usr/sbin/groupmod -g 305 untrusted || :
/usr/sbin/groupmod -g 306 trusted || :
/usr/sbin/groupmod -g 307 execlog || :
/usr/sbin/groupmod -g 308 symlink || :

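%triggerin -- virgild
# Mark virgild through the xattr mechanism described next to the setfattr
# Requires; lowercase letters disable a feature, so "pm" turns off PAGEEXEC
# and MPROTECT for this binary only.
if [ -f /usr/bin/virgild ]; then
	/usr/bin/setfattr -n user.pax.flags -v "pm" /usr/bin/virgild
fi

%triggerin -- plesk-letsencrypt-pre
# For globbing, fortunately there is also a symlink we can follow
#if compgen -G "/usr/local/psa/var/modules/letsencrypt/venv*/bin" >/dev/null ; then
# Use the paxctl this package installs into /sbin rather than whatever is
# first in PATH.  -cm: convert the header to PT_PAX_FLAGS and disable MPROTECT.
if [ -f /usr/local/psa/var/modules/letsencrypt/venv/bin/python ]; then
	/sbin/paxctl -cm /usr/local/psa/var/modules/letsencrypt/venv/bin/python >/dev/null 2>&1 || :
fi
# May not be needed
## Plesk adm user can't be untrusted since the letsencrypt package has psaadm permissions
#if groups psaadm | grep -qv untrusted; then
#	/usr/bin/gpasswd -d psaadm untrusted
#fi


%triggerin -- asl-web
# Give the ASL web user read access to /proc via the procread group
# (created by the post scriptlet).  groups(1) prints one line, so "grep -qv"
# is true when the user is not yet a member.
if groups tortix |grep -qv procread; then
	/usr/sbin/usermod -a -G procread tortix
fi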


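# fix permissions on psa bin dir
%triggerin -- psa
if [ -d /usr/local/psa/bin ]; then
  chown root.root /usr/local/psa/bin
fi

# chrootsh is kept setuid root (4755).  chown clears the setuid bit on Linux,
# so the mode has to be re-applied after the ownership change.
if [ -f /usr/local/psa/bin/chrootsh ]; then
  chown root.root /usr/local/psa/bin/chrootsh
  chmod 4755 /usr/local/psa/bin/chrootsh
fi

# Plesk 9 fixup: put the panel users into procread so they can read /proc.
# "usermod -a -G" appends to the existing supplementary groups, which avoids
# rebuilding the whole list from groups(1) output (whose format has changed
# between releases, cf. the 2.1.12-13 and 2.1.11-5 changelog entries) and
# cannot silently drop the user's other groups.
if grep -q sw-cp-server /etc/passwd; then
  if groups sw-cp-server | grep -qv procread; then
    # Maybe not needed
    /usr/sbin/usermod -a -G procread sw-cp-server
  fi

  if groups psaadm | grep -qv procread; then
    # There are 2 auth systems in plesk. This is used if sw-sso isn't installed
    /usr/sbin/usermod -a -G procread psaadm
  fi
fi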

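%triggerin -- sw-sso
# Add the sw-sso user to procread.  "-a -G" appends to the existing group
# list instead of recomputing it from groups(1) output, so the user keeps
# its other groups even if that output format changes.
if groups sso |grep -qv procread; then
  /usr/sbin/usermod -a -G procread sso
fi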


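# fix beecrypt stack execution
%triggerin -- beecrypt
# "[ -f glob ]" errors out when the glob matches more than one file, so each
# match is tested and processed on its own.  execstack -c clears the
# executable-stack flag so the library no longer demands an executable stack
# from every process that loads it.
if [ -x /usr/bin/execstack ]; then
  for lib in /usr/lib/libbeecrypt.so.*.*.* /usr/lib64/libbeecrypt.so.*.*.*; do
    if [ -f "$lib" ]; then
      execstack -c "$lib"
    fi
  done
fi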

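# fix stack execution on mysql on 2.6 kernels
%triggerin -- mysql
# Clear the executable-stack flag on the mysql client libraries.  The -name
# pattern is quoted so find, not the shell, expands it.
if [ -x /usr/bin/execstack ]; then
  find /usr/lib -name 'libmysql*' -exec execstack -c {} \; 1>/dev/null 2>&1
  if [ -d /usr/lib64 ]; then
    find /usr/lib64 -name 'libmysql*' -exec execstack -c {} \; 1>/dev/null 2>&1
  fi
fi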

# CentOS4/RHEL4 has a problem with bdb in mysql
#%{?el4:if ! grep -q "^skip-bdb" /etc/my.cnf; then }
#%{?el4:  sed -e 's/\[mysqld\]/\[mysqld\]\nskip-bdb/' /etc/my.cnf > /etc/my.cnf.atomicorp }
#%{?el4:  mv -f /etc/my.cnf.atomicorp /etc/my.cnf }
#%{?el4:fi }


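%triggerin -- mysql-compat
# Same treatment as the mysql trigger: clear the executable-stack flag on
# the compat client libraries.  The -name pattern is quoted for find.
if [ -x /usr/bin/execstack ]; then
  find /usr/lib -name 'libmysql*' -exec execstack -c {} \; 1>/dev/null 2>&1
  if [ -d /usr/lib64 ]; then
    find /usr/lib64 -name 'libmysql*' -exec execstack -c {} \; 1>/dev/null 2>&1
  fi
fi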

# Fix frontpage perms
%triggerin -- frontpage
# Hand the FrontPage extensions tree back to root.  fpexe may carry the
# immutable attribute, which would make the chown fail, so it is dropped first.
if [ -d /usr/local/frontpage ]; then
  # fix for people tricked into using cpanel
  if [ -f /usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe ]; then
    chattr -i /usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe
  fi
  chown -R root.root /usr/local/frontpage/version*/*

  
fi

# Fix courier-imap perms
%triggerin -- courier-imap
# Re-own the courier-imap tree to root whenever the package is installed or updated.
if [ -d /usr/lib/courier-imap ]; then
  chown -R root.root /usr/lib/courier-imap
fi

%triggerin -- courier-authlib
# Same treatment for courier-authlib.
if [ -d /usr/lib/courier-authlib ]; then
  chown -R root.root /usr/lib/courier-authlib
fi

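# Fix mailman perms
%triggerin -- mailman
# Re-own the mailman tree to root and reset the wrapper/cron directories to
# 0755 after the package is installed or updated.
if [ -d /usr/lib/mailman/cgi-bin ];then
  chown root.root /usr/lib/mailman
  chown root.root /usr/lib/mailman/cgi-bin
  chown root.root /usr/lib/mailman/cron
  chown -R root.root /usr/lib/mailman/pythonlib
  chmod 755 /usr/lib/mailman/cgi-bin
  chmod 755 /usr/lib/mailman/cron
  chmod 755 /usr/lib/mailman/mail
  chmod -R 755 /usr/lib/mailman/pythonlib
fi
# Same for installs rooted at /var/mailman.
if [ -d /var/mailman/cgi-bin ];then
  chown root.root /var/mailman
  chown root.root /var/mailman/cgi-bin
  chown root.root /var/mailman/cron
  chmod 755 /var/mailman/cgi-bin
  chmod 755 /var/mailman/cron
  chmod 755 /var/mailman/mail
fi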


# Fix php-xslt
%triggerin -- php-xslt
# Clear the executable-stack flag on the PHP4 xslt extension, only when
# execstack is available.
if [ -f /usr/lib/php4/xslt.so ]; then
  if [ -x /usr/bin/execstack ]; then 
    execstack -c /usr/lib/php4/xslt.so
  fi
fi

# Fix for clamd
%triggerin -- clamd
# Stop clamd, wait up to 60s for it to exit (SIGKILL it from the 30s mark),
# disable MPROTECT on clamd/clamscan/freshclam and start the service again.
service clamd stop >/dev/null 2>&1 || :
# kill the hell out of clamd
waited=0
while [ "$waited" -lt 60 ]; do
  # once pidof no longer finds it, force the loop to end
  /sbin/pidof -s clamd > /dev/null || waited=60
  sleep 1
  waited=$((waited + 1))
  if [ "$waited" -ge 30 ]; then
    /usr/bin/killall -9 clamd >/dev/null 2>&1
  fi
done
/usr/bin/killall -9 clamd >/dev/null 2>&1
/sbin/paxctl -cm /usr/sbin/clamd || :
for bin in /usr/bin/clamscan /usr/bin/freshclam; do
  if [ -f "$bin" ]; then
    /sbin/paxctl -cm "$bin" || :
  fi
done
service clamd start || :

# Fix X
%triggerin -- XFree86
# -cemsrpx: convert the header to PT_PAX_FLAGS and disable EMUTRAMP, MPROTECT,
# SEGMEXEC, RANDMMAP, PAGEEXEC and RANDEXEC for the X server binary.
if [ -f /usr/X11R6/bin/XFree86 ]; then
	/sbin/paxctl  -cemsrpx /usr/X11R6/bin/XFree86 || :

fi 

# Plesk PAM rpm
%triggerin -- psa-libpam-plesk
# Clear the executable-stack flag on the Plesk PAM module.  Unlike the other
# execstack triggers there is no "-x /usr/bin/execstack" guard and no "|| :",
# so a missing execstack makes the scriptlet exit non-zero.
if [ -f /lib/security/pam_plesk.so ]; then
  execstack -c  /lib/security/pam_plesk.so
fi


%triggerin -- plesk-php71-fpm
# Plesk PHP-FPM: stop the service, disable MPROTECT on the binary so it may
# use mprotect() on its own mappings (changelog 3.1-35/3.1-38), then start it
# again.  Every step carries "|| :" so a missing service script cannot fail
# the scriptlet.
if [ -f /opt/plesk/php/7.1/sbin/php-fpm ]; then
	service  plesk-php71-fpm stop >/dev/null 2>&1 || : 
	/sbin/paxctl -cm /opt/plesk/php/7.1/sbin/php-fpm >/dev/null 2>&1 || :
	service  plesk-php71-fpm start >/dev/null 2>&1 || :
fi

%triggerin -- plesk-php70-fpm
# Same as plesk-php71-fpm for the 7.0 build.
if [ -f /opt/plesk/php/7.0/sbin/php-fpm ]; then
	service  plesk-php70-fpm stop >/dev/null 2>&1 || : 
	/sbin/paxctl -cm /opt/plesk/php/7.0/sbin/php-fpm >/dev/null 2>&1 || :
	service  plesk-php70-fpm start >/dev/null 2>&1 || : 
fi

%triggerin --  plesk-php71-cli
# CLI and CGI binaries get the same MPROTECT exception.  killall matches by
# process name, so it kills every php-cgi on the host, not only Plesk's.
if [ -f /opt/plesk/php/7.1/bin/php ]; then
	/sbin/paxctl -cm /opt/plesk/php/7.1/bin/php >/dev/null 2>&1 || :
fi

if [ -f /opt/plesk/php/7.1/bin/php-cgi ]; then
	killall -9 php-cgi >/dev/null 2>&1 || :
	/sbin/paxctl -cm /opt/plesk/php/7.1/bin/php-cgi >/dev/null 2>&1 || :
	
fi

%triggerin --  plesk-php70-cli
# Same as plesk-php71-cli for the 7.0 build.
if [ -f /opt/plesk/php/7.0/bin/php ]; then
	/sbin/paxctl -cm /opt/plesk/php/7.0/bin/php >/dev/null 2>&1 || :
fi

if [ -f /opt/plesk/php/7.0/bin/php-cgi ]; then
	killall -9 php-cgi >/dev/null 2>&1 || :
	/sbin/paxctl -cm /opt/plesk/php/7.0/bin/php-cgi >/dev/null 2>&1 || :
fi

%triggerin --  ea-php70-php-litespeed
# cPanel EasyApache PHP builds: disable MPROTECT on each PHP SAPI binary.
# killall matches by process name, so it kills every lsphp/php/php-fpm/
# php-cgi on the host, not only the ea-php70 ones.  Unlike the fpm triggers
# below there is no "|| :" on paxctl here, so a paxctl failure becomes the
# scriptlet's exit status.
if [ -f /opt/cpanel/ea-php70/root/usr/bin/lsphp ]; then
	killall -9 lsphp >/dev/null 2>&1
	/sbin/paxctl -cm /opt/cpanel/ea-php70/root/usr/bin/lsphp
fi

%triggerin --  ea-php70-php-cli
if [ -f /opt/cpanel/ea-php70/root/usr/bin/php ]; then
	killall -9 php >/dev/null 2>&1
	/sbin/paxctl -cm /opt/cpanel/ea-php70/root/usr/bin/php
fi

%triggerin --  ea-php70-php-fpm
# php-fpm is restarted afterwards so the running workers pick up the re-marked binary.
if [ -f /opt/cpanel/ea-php70/root/usr/bin/php-fpm ]; then
        killall -9 php-fpm >/dev/null 2>&1
        /sbin/paxctl -cm /opt/cpanel/ea-php70/root/usr/bin/php-fpm || :
	service ea-php70-php-fpm restart || :
fi

%triggerin --  ea-php71-php-fpm
if [ -f /opt/cpanel/ea-php71/root/usr/bin/php-fpm ]; then
        killall -9 php-fpm >/dev/null 2>&1
        /sbin/paxctl -cm /opt/cpanel/ea-php71/root/usr/bin/php-fpm || :
	service ea-php71-php-fpm restart || :
fi

# NOTE(review): this block re-marks the ea-php70 php-cgi binary but sits under
# the ea-php71-php-fpm trigger — confirm whether it belongs with ea-php70-php-cli.
if [ -f /opt/cpanel/ea-php70/root/usr/bin/php-cgi ]; then
	killall -9 php-cgi >/dev/null 2>&1
	/sbin/paxctl -cm /opt/cpanel/ea-php70/root/usr/bin/php-cgi
fi

%triggerin --  ea-php71-php-litespeed
if [ -f /opt/cpanel/ea-php71/root/usr/bin/lsphp ]; then
        killall -9 lsphp >/dev/null 2>&1
        /sbin/paxctl -cm /opt/cpanel/ea-php71/root/usr/bin/lsphp
fi

%triggerin --  ea-php71-php-cli
if [ -f /opt/cpanel/ea-php71/root/usr/bin/php ]; then
        killall -9 php >/dev/null 2>&1
        /sbin/paxctl -cm /opt/cpanel/ea-php71/root/usr/bin/php
fi

if [ -f /opt/cpanel/ea-php71/root/usr/bin/php-cgi ]; then
        killall -9 php-cgi >/dev/null 2>&1
        /sbin/paxctl -cm /opt/cpanel/ea-php71/root/usr/bin/php-cgi
fi



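%triggerin -- kerio-connect
# Clear the executable-stack flag on Kerio's libkt*.so libraries.  The -name
# pattern is quoted so find, not the shell, expands it.
if [ -d /opt/kerio/mailserver/ ]; then
  find /opt/kerio/ -name 'libkt*so' -exec execstack -c {} \;
fi

# Bundled JRE: disable MPROTECT, PAGEEXEC and SEGMEXEC, as is done for the
# other JVMs in the java trigger.  Use the paxctl installed by this package
# rather than relying on PATH.
if [ -f /opt/kerio/mailserver/javaservices/jre/bin/java ]; then
	/sbin/paxctl -mps /opt/kerio/mailserver/javaservices/jre/bin/java
fi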


%triggerin -- nodejs
# Disable MPROTECT on the node binary.  Running node processes are killed
# first (SIGKILL, by process name, so every node on the host).
if [ -f /usr/bin/node ]; then
	/usr/bin/killall -9 node >/dev/null 2>&1 || :
	/sbin/paxctl  -cm /usr/bin/node || :
fi


%triggerin -- easy-jakarta-commons-daemon easy-jakarta-commons-daemon-jsvc
# Same treatment for the jsvc launcher shipped by the easy-jakarta packages.
if [ -f /usr/local/easy/bin/jsvc ]; then
	/usr/bin/killall -9 jsvc >/dev/null 2>&1 || :
	/sbin/paxctl  -cm /usr/local/easy/bin/jsvc || :

fi

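%triggerin -- erlang erlang-erts
# The path contains two globs, so test and process each match individually
# ("[ -f ]" errors out on more than one match and never runs execstack).
for beam in /usr/*/erlang/erts-*/bin/beam.smp; do
  if [ -f "$beam" ]; then
    /usr/bin/execstack -c "$beam"
  fi
done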

%triggerin -- r1soft-cdp-async-agent-2-6 serverbackup-async-agent-2-6
# R1Soft CDP agents: kill the running agent by process name and disable
# MPROTECT on the binaries (changelog 3.1-34).  paxctl carries "|| :" so a
# failure does not become the scriptlet's exit status.
if [ -f /usr/sbin/r1soft/bin/2-6/cdp-2-6 ]; then
	/usr/bin/killall -9 cdp-2-6 >/dev/null 2>&1
	/sbin/paxctl  -cm  /usr/sbin/r1soft/bin/2-6/cdp-2-6 || :
fi

if [ -f /usr/sbin/r1soft/bin/cdp ]; then
	/usr/bin/killall -9  cdp >/dev/null 2>&1
	/sbin/paxctl -cm /usr/sbin/r1soft/bin/cdp || :
fi

if [ -f /usr/sbin/r1soft/bin/cdpserver ]; then
	/sbin/paxctl -cm /usr/sbin/r1soft/bin/cdpserver  || :
fi

# Interworx
%triggerin -- interworx
# Clear the executable-stack flag on the ionCube loader bundled with Interworx.
if [ -f /home/interworx/ioncube/ioncube_loader_lin_5.2.so ]; then
	/usr/bin/execstack -c /home/interworx/ioncube/ioncube_loader_lin_5.2.so
fi 

# Tivoli
%triggerin -- TIVsm-BA
# Disable MPROTECT on the TSM client.  Bare "paxctl" relies on PATH; most
# other triggers call /sbin/paxctl, which this package installs.
if [ -f /opt/tivoli/tsm/client/ba/bin/dsmc ]; then
	paxctl -cm /opt/tivoli/tsm/client/ba/bin/dsmc
fi

# HavP
%triggerin -- havp
# Disable MPROTECT on havp (bare "paxctl", see the Tivoli trigger).
if [ -f /usr/sbin/havp ]; then
	paxctl -cm /usr/sbin/havp
fi

# Grub
%triggerin -- grub
# Disable MPROTECT on the grub shell (changelog 2.2.0-3).
if [ -f /sbin/grub ]; then
	/sbin/paxctl -cm /sbin/grub || :
fi

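# Splunk
# Seriously guys???
%triggerin -- splunk
# Splunk bundles its own libcrypto.  Iterate over the versioned files so a
# missing or multiply-matched glob does not turn into an execstack error.
for lib in /opt/splunk/lib/libcrypto.so.*; do
  if [ -f "$lib" ]; then
    execstack -c "$lib"
  fi
done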

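# Dell's smbios-utils-python
%triggerin -- smbios-utils-python
# Two globs in the path: handle every matching _ctypes.so on its own, since
# "[ -f ]" errors out on more than one match.
for so in /usr/lib*/python*/site-packages/_ctypes.so; do
  if [ -f "$so" ]; then
    execstack -c "$so"
  fi
done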

# Dell Open Manage
#%triggerin -- srvadmin-hapi
#
#%triggerin -- srvadmin-deng

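# perl-Math-Pari
%triggerin -- perl-Math-pari
# Clear the executable-stack flag on Pari.so wherever the vendor_perl glob
# resolves to; skip silently when nothing matches.
for so in /usr/lib/perl5/vendor_perl/*/*/auto/Math/Pari/Pari.so; do
  if [ -f "$so" ]; then
    execstack -c "$so"
  fi
done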


# mplayer
%triggerin -- mplayer
# Clear the executable-stack flag on the mplayer binary.
if [ -f /usr/bin/mplayer ]; then
  execstack -c /usr/bin/mplayer
fi

# psa-miva needs mprotect
%triggerin -- psa-miva
# Disable MPROTECT on the Miva VM so it may create writable+executable mappings.
if [ -f /usr/bin/mivavm ]; then
	/sbin/paxctl -cm /usr/bin/mivavm || :
fi

# expand needs execstack cleared
%triggerin -- expand
# NOTE(review): the test path ends in ".so.25.o" (letter o) while execstack
# runs on ".so.25*" — confirm the test is not a typo for ".so.25.0".
if [ -f /usr/lib/libxerces-c.so.25.o ]; then
  execstack -c /usr/lib/libxerces-c.so.25*
fi

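# sitebuilder-core needs exec stack
%triggerin -- sitebuilder-core
# Clear the executable-stack flag on every known location of the sitebuilder
# PHP extension.  find's -name patterns are quoted so the shell cannot glob
# them against the current directory first.
if [ -x /usr/bin/execstack ]; then
  for so in /usr/lib/php4/sitebuilder.so /usr/lib/php5/sitebuilder.so /usr/lib/php/sitebuilder.so /opt/php51/lib/php5/extensions/sitebuilder3.so; do
    if [ -f "$so" ]; then
      execstack -c "$so"
    fi
  done
  # final catchalls
  find /opt -name 'sitebuilder*so' -exec execstack -c {} \;
  find /usr/lib -name 'sitebuilder*so' -exec execstack -c {} \;
fi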

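# php-ioncube-loader
%triggerin -- php-ioncube-loader php5-ioncube-loader php5-ioncube php-ioncube ioncube
# Clear the executable-stack flag on any ionCube loader under the PHP
# extension directories.  The -name patterns are fully quoted so find, not
# the shell, expands them.
if [ -x /usr/bin/execstack ]; then
  if [ -d /usr/lib/php ]; then
    find /usr/lib/php -name '*ioncube*' -exec execstack -c {} \;  1>/dev/null 2>&1
  fi
  # NOTE(review): the test is for /usr/lib64/php but the search covers all of
  # /usr/lib64/ — confirm whether the wider scope is intended.
  if [ -d /usr/lib64/php ]; then
    find /usr/lib64/ -name '*ioncube*' -exec execstack -c {} \;  1>/dev/null 2>&1
  fi
  if [ -f /opt/php51/lib/php5/ioncube_loader_lin_5.1.so ]; then
    find /opt/php51/lib/ -name '*ioncube*' -exec execstack -c {} \;  1>/dev/null 2>&1
  fi
fi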


# drweb needs mprotect()
%triggerin -- drweb-daemon 
# Stop drwebd, wait up to 60s for the process to exit (SIGKILL from the 30s
# mark), disable MPROTECT on the daemon binaries and start the service again.
if [ -f /opt/drweb/drwebd ]; then
  service drwebd stop 1> /dev/null 2>&1

  # prefer the drweb.real process name when that binary exists
  if [ -f /opt/drweb/drweb.real ]; then
    PROCESS=drweb.real
  else
    PROCESS=drweb
  fi

  # kill the hell out of drweb
  running=0
  while [ $running -lt 60 ]; do
    # look for it; once pidof fails, force the loop to end
    /sbin/pidof -s $PROCESS > /dev/null || running=60
    # wait
    sleep 1
    running=`expr $running + 1`
    if [ $running -ge 30 ]; then
      /usr/bin/killall -9 $PROCESS >/dev/null 2>&1
    fi
  done


  # skip the marking when drwebd is only a symlink to the real binary
  if [ -f /opt/drweb/drwebd ] && [ ! -h /opt/drweb/drwebd ]; then
	/sbin/paxctl -cm /opt/drweb/drwebd || :
  fi

  # NOTE(review): the test is for drwebd.real but the kill targets the process
  # name drweb.real (the name PROCESS is set to above) — confirm both are intended.
  if [ -f /opt/drweb/drwebd.real ] ; then
    	/usr/bin/killall -9 drweb.real 2>/dev/null || :
	/sbin/paxctl -cm /opt/drweb/drwebd.real 2>/dev/null || :

  fi

  service drwebd start 1> /dev/null 2>&1

fi


# Java
# JVMs get the full set of PaX exceptions (-cemprxs: convert the header and
# disable EMUTRAMP, MPROTECT, PAGEEXEC, RANDMMAP, RANDEXEC and SEGMEXEC).
# The trigger fires for any of the packages listed on the next line.
%triggerin -- j2sdk java-1.4.2-sun java-1.4.2-gcj-compat  java-1.4.2-sun-devel libgcj VMware-server jre jdk zimbra-core r1soft-cdp-server java-1.7.0-openjdk easy-tomcat7-lib easy-tomcat8-lib java-1.6.0-openjdk jre1.8.0_77 java-1.8.0-openjdk-headless java-1.8.0-openjdk
# Unconditional and by process name: every java process on the host is
# killed, not only those belonging to the package that fired the trigger.
killall -9 java >/dev/null 2>&1

if [ -d /usr/java ]; then
  find /usr/java -name java -type f -exec /sbin/paxctl -cemprxs {} \; >/dev/null 2>&1 || :
  find /usr/java -name javac -type f -exec /sbin/paxctl -cemprxs {} \; >/dev/null 2>&1 || :
fi

if [ -d /usr/lib/jvm ]; then
  find /usr/lib/jvm -name java -type f -exec /sbin/paxctl -cemprxs {} \; >/dev/null 2>&1 || :
  find /usr/lib/jvm -name javac -type f -exec /sbin/paxctl -cemprxs {} \; >/dev/null 2>&1 || :
fi

# gcj (changelog 2.2.2-5 and 2.2.0-6)
if [ -f /usr/bin/gij ]; then
  /sbin/paxctl -cemsrpx /usr/bin/gij || :
fi

if [ -f /usr/bin/gcj-dbtool ]; then
  /sbin/paxctl -cemsrpx /usr/bin/gcj-dbtool || :
fi

if [ -d /usr/lib/vmware/webAccess ]; then
  find /usr/lib/vmware/webAccess -name webAccess -type f -exec /sbin/paxctl -cemsrpx  {} \; >/dev/null 2>&1 ||:
  find /usr/lib/vmware/webAccess -name java -type f -exec /sbin/paxctl -cemsrpx {} \; >/dev/null 2>&1 || :
fi

# Zimbra
if [ -d  /opt/zimbra/ ]; then
  find /opt/zimbra/ -name java -type f -exec /sbin/paxctl -cemsrpx {} \; >/dev/null 2>&1 || :
  find /opt/zimbra/ -name javac -type f -exec /sbin/paxctl -cemsrpx {} \; >/dev/null 2>&1 || :
fi

#VMware-server

# R1soft
if [ -f /usr/sbin/r1soft/jre/bin/java ]; then
  /sbin/paxctl -cemsrpx /usr/sbin/r1soft/jre/bin/java >/dev/null 2>&1 || :
	
fi

# no "|| :" here, unlike the same call in the r1soft agent trigger
if [ -f /usr/sbin/r1soft/bin/cdpserver ]; then
	/sbin/paxctl -cm /usr/sbin/r1soft/bin/cdpserver 
fi


# /dev/ptmx check trigger for CentOS v4.x.  Ew.
%triggerin -- kernel
# Recreate the pty multiplexer node (char 5,2, mode 0666, group tty) when it
# is missing after a kernel install (changelog 2.1.11-7/2.1.11-8).
if [ ! -c /dev/ptmx ]; then
	/bin/mknod -m 0666 /dev/ptmx c 5 2
	chown root.tty /dev/ptmx
fi

# untrusted users trigger
# Note that this might cause "Trigger fired by the same package is already defined in spec file" because
# we use triggers on more than one named package in this list
%triggerin -- httpd snort mailman gdm mysql-server postgres qmail psa-qmail psa openssh 

# System/service accounts that are put into the "untrusted" group created by
# the post scriptlet (presumably the grsecurity TPE untrusted group).
USERS="lp sync shutdown halt mail news uucp operator games gopher ftp nobody rpm vcsa nscd sshd rpc rpcuser nfsnobody mailnull smmsp pcap apache squid webalizer xfs named ntp gdm amanda canna wnn fax netdump nut ldap mysql ident postfix mailman postgres privoxy pvm desktop radvd iplog snort dnscache dnslog alias qmaild qmaill qmailp qmailq qmailr qmails popuser psaadm psaftp qscand ftproot dcc"


# Only touch accounts that exist locally; groups(1) prints a single line, so
# "grep -qv" is true when the user is not yet a member.
for i in $USERS; do
  if grep -q ^$i: /etc/passwd; then
    if groups $i |grep -qv untrusted; then
	/usr/sbin/usermod -a -G untrusted $i
    fi
  fi
done



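%post
# Recreate the grsecurity control node (char 1,13).  rm -f is a no-op when
# the node does not exist, so no separate branch is needed.
rm -f /dev/grsec
/bin/mknod -m 0622 /dev/grsec c 1 13

# create the ASL user groups.  The gids match the groupmod calls in the
# kernel-asl trigger; -f makes groupadd succeed if the group already exists.
# Every grep anchors on "name:" so a group that merely starts with the same
# letters does not suppress the groupadd.
if ! grep -q "^symlink:" /etc/group; then
        /usr/sbin/groupadd -g 308 -r -f symlink
fi

if ! grep -q "^execlog:" /etc/group; then
        /usr/sbin/groupadd -g 307 -r -f execlog
fi

if ! grep -q "^trusted:" /etc/group; then
        /usr/sbin/groupadd -g 306 -r -f trusted
fi

if ! grep -q "^untrusted:" /etc/group; then
        /usr/sbin/groupadd -g 305 -r -f untrusted
fi

if ! grep -q "^socket:" /etc/group; then
        /usr/sbin/groupadd -g 304 -r -f socket
fi

if ! grep -q "^server:" /etc/group; then
        /usr/sbin/groupadd -g 303 -r -f server
fi

if ! grep -q "^client:" /etc/group; then
        /usr/sbin/groupadd -g 302 -r -f client
fi

if ! grep -q "^procread:" /etc/group; then
        /usr/sbin/groupadd -g 301 -r -f procread
fi


# switch SELinux into warn mode if it is enabled
# currently disabling selinux from the kernel rpm in grub.conf
# sed -i rewrites the file in place on its own; redirecting its stdout back
# onto the same file would truncate it before sed reads it and leave an
# empty config behind.
if [ -f /etc/sysconfig/selinux ]; then
  if grep -q '^SELINUX=enforcing' /etc/sysconfig/selinux; then
    sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/sysconfig/selinux
  fi
fi

# Ioncube fix: clear the executable-stack flag on manually installed loaders.
if [ -d /usr/local/ioncube ]; then
  find /usr/local/ioncube -name '*so' -exec execstack -c  {} \;  >/dev/null 2>&1
fi


# hwcap change. This is needed with newer 2.6.32 kernels, if 2 .confs have conflicting settings ldconfig will break
if grep --silent '^hwcap 0 nosegneg$' /etc/ld.so.conf.d/kernel*.conf 2> /dev/null; then
  sed -i '/^hwcap 0 nosegneg$/ s/0/1/' /etc/ld.so.conf.d/kernel*.conf
fi

# System java: disable MPROTECT, PAGEEXEC and SEGMEXEC, as in the java trigger.
if [ -f /usr/bin/java ]; then
	/sbin/paxctl -cmps /usr/bin/java || :
fi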

       

%files
%defattr(-,root,root)
%dir %{_sysconfdir}/grsec
%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/grsec/learn_config
%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/grsec/policy
%attr(0754,root,root) /sbin/%{name}
%attr(0754,root,root) /sbin/grlearn
%attr(0754,root,root) /sbin/chpax
%attr(0754,root,root) /sbin/paxctl
#%{?rh90: %attr(0754,root,root) /sbin/gradm_pam} 
#%{?rhfc1: %attr(0754,root,root) /sbin/gradm_pam} 
#%{?rhfc2: %attr(0754,root,root) /sbin/gradm_pam} 
#%{?rhfc3: %attr(0754,root,root) /sbin/gradm_pam} 
#%{?rhfc4: %attr(0754,root,root) /sbin/gradm_pam} 
#%{?rhel3: %attr(0754,root,root) /sbin/gradm_pam} 
#%{?rhel4: %attr(0754,root,root) /sbin/gradm_pam} 
%attr(0754,root,root) /sbin/gradm_pam
%attr(0644,root,root) %{_mandir}/man8/%{name}.8*
%attr(0644,root,root) %{_mandir}/man1/chpax.1.gz*
%attr(0644,root,root) %{_mandir}/man1/paxctl.1.gz*
%if %{with_nptl}
%attr(0755,root,root) /etc/profile.d/nptl.sh
%endif

%changelog
* Tue Feb 28 2017 Support <support@atomicorp.com> - 3.1-40
- Add triggers for plesk php70/71 php-cgi

* Tue Feb 21 2017 Support <support@atomicorp.com> - 3.1-39
- Related to ASL issue #199, add restart event for clamav

* Mon Feb 13 2017 Support <support@atomicorp.com> - 3.1-38
- Update to gradm-3.1-201701031918
- Add triggers for plesk php70/71 php-fpm

* Tue Nov 29 2016 Support <support@atomicorp.com> - 3.1-37
- Add support for PHP 7.1

* Tue Nov 29 2016 Support <support@atomicorp.com> - 3.1-35
- Issue #13, allow plesk PHP 7.0 mprotect() 
- Issue #15, allow plesk letsencrypt python mprotect() 

* Tue Nov 29 2016 Support <support@atomicorp.com> - 3.1-34
- Issue #44, change flags on r1soft cdp 

* Thu Nov 10 2016 Support <support@atomicorp.com> - 3.1-33
- Update to gradm-3.1-201608131257
- Add trigger for kerio-connect

* Fri May 13 2016 Support <support@atomicorp.com> - 3.1-32
- Add trigger for java-1.8.0-openjdk-headless

* Fri Dec 11 2015 Support <support@atomicorp.com> - 3.1-31
- Add trigger for openjdk-1.6

* Wed Nov 18 2015 Support <support@atomicorp.com> - 3.1-30
- Add triggers to manipulate the group id's to 300 range

* Fri Jul 24 2015 Support <support@atomicorp.com> - 3.1-29
- Update to paxctl 0.9
- Upgrade to 3.1-201507191652

* Tue Mar 31 2015 Support <support@atomicorp.com> - 3.1-28
- Add triggers for nodejs

* Tue Mar 24 2015 Support <support@atomicorp.com> - 3.1-27
- Upgrade to 3.1-201503211320
- Add java triggers for easy-tomcat7-lib

* Thu Mar 6 2014 Support <support@atomicorp.com> - 3.0-26
- Add java triggers for openjdk 1.7.0,  easy-jakarta-commons-daemon easy-jakarta-commons-daemon-jsvc

* Thu Feb 13 2014 Support <support@atomicorp.com> - 3.0-24
- Update to 3.0
- Update paxctl to 0.7

* Thu Feb 13 2014 Support <support@atomicorp.com> - 2.9.1-23
- Add trigger on easy-jakarta-commons-daemon

* Fri Apr 5 2013 Support <support@atomicorp.com> - 2.9.1-22
- Add procread trigger for the Interworx control panel

* Tue Feb 5 2013 Support <support@atomicorp.com> - 2.9.1-21
- Update to gradm-2.9.1-201301041755.tar.gz

* Tue Oct 16 2012 Support <support@atomicorp.com> - 2.9.1-20
- Feature Request #836: Add execstack trigger for erlang & erlang-erts

* Wed Sep 19 2012 Support <support@atomicorp.com> - 2.9.1-13
- Update to 2.9.1-201207201554

* Tue Jun 26 2012 Support <support@atomicorp.com> - 2.9.1-10
- Update to 2.9.1-201206091838
- Add trigger for r1soft-cdp-server

* Tue May 22 2012 Support <support@atomicorp.com> - 2.9-8
- Add trigger for r1soft cdp agent

* Tue May 15 2012 Support <support@atomicorp.com> - 2.9-7
- Correct a bug in ldconfig -v where it will break if hwseg is set to 0

* Tue May 15 2012 Support <support@atomicorp.com> - 2.9-6
- Update to 2.9 branch

* Wed Jan 4 2012 Support <support@atomicorp.com> - 2.2.2-5
- Add gcj event to allow RWX of anonymous mappings

* Wed Jan 4 2012 Support <support@atomicorp.com> - 2.2.2-4
- Add %post event to update ld.so.conf to remove a hwseg conflict in CentOS/Cloudlinux converted environments that would break ldconfig

* Wed Jun 15 2011 Support <support@atomicorp.com> - 2.2.2-1
- Update to 2.2.2 - 201111011031
- Add requires on prelink

* Wed Jun 15 2011 Support <support@atomicorp.com> - 2.2.2-1
- Update to 2.2.2 - 201106072007
- Add procread trigger for asl-web

* Thu Dec 30 2010 Support <support@atomicorp.com> - 2.2.1-2
- Update to 2.2.1 - 201012301333

* Mon Nov 29 2010 Support <support@atomicorp.com> - 2.2.1-1
- Update to 2.2.1

* Thu Oct 28 2010 Support <support@atomicorp.com> - 2.2.0-7
- Create the trusted user group, for Unless Allow, Deny TPE mode
- Create the execlog user group, all execve() activity is logged for users in this group
- Update to 2.2.0-201009022049

* Sat Oct 16 2010 Support <support@atomicorp.com> - 2.2.0-6
- Add triggers for gcj-dbtool

* Wed Sep 22 2010 Support <support@atomicorp.com> - 2.2.0-5
- Add triggers for zimbra

* Mon Sep 13 2010 Support <support@atomicorp.com> - 2.2.0-4
- Add triggers for havp

* Fri Aug 13 2010 Support <support@atomicorp.com> - 2.2.0-3
- Update to gradm-2.2.0-201008112235
- Add trigger to disable mprotect on grub

* Fri Aug 13 2010 Support <support@atomicorp.com> - 2.2.0-2
- Update to clamd trigger for the clamscan binary

* Fri Jul 2 2010 Support <support@atomicorp.com> - 2.2.0-0.1
- update to 2.2.0

* Wed Jun 30 2010 Support <support@atomicorp.com> - 2.1.14-11
- Improved drweb process detection & deconstruction

* Tue Jun 29 2010 Support <support@atomicorp.com> - 2.1.14-7
- Added mprotect() trigger for clamd

* Thu Jun 3 2010 Support <support@atomicorp.com> - 2.1.14-6
- Updated drweb trigger 

* Fri May 14 2010 Support <support@atomicorp.com> - 2.1.14-5
- Update to 2.1.14-201005041005
- Add triggers for fc13 and fc14

* Wed Feb 17 2010 Support <support@atomicorp.com> - 2.1.14-4
- Update to 2.1.14-200910072130
- Add triggers for fc12
- Add paxctl 0.5

* Tue Jan 26 2010 Support <support@atomicorp.com> - 2.1.14-3
- Updated java trigger to look for the jdk package

* Mon Sep 28 2009 Scott R. Shinn <scott@atomicrocketturtle.com> - 2.1.14-2
- Update to 2.1.14-200909162021

* Thu Jul 2 2009 Scott R. Shinn <scott@atomicrocketturtle.com> - 2.1.14-1
- Update to 2.1.14-200906141459

* Mon Apr 27 2009 Scott R. Shinn <scott@atomicrocketturtle.com> - 2.1.12-14
- Added trigger for dell symbios tools

* Wed Jan 28 2009 Scott R. Shinn <scott@atomicrocketturtle.com> - 2.1.12-13
- Bugfix for FC10 triggers, the groups command is now using the older format again. 

* Fri Jan 9 2009 Scott R. Shinn <scott@atomicrocketturtle.com> - 2.1.12-12
- Update to 200812271437
- Removed redundant init.d reference from /etc/grsec/learn_config

* Mon Dec 22 2008 Scott R. Shinn <scott@atomicrocketturtle.com> - 2.1.12-11
- Added java cleanup trigger on "jre"

* Wed Dec 17 2008 Scott R. Shinn <scott@atomicrocketturtle.com> - 2.1.12-10
- Added procread group for allowing non-root users access to /proc
- Added trigger for sw-sso, to add the user (sso) to procread
- Updated psa trigger to add sw-cp-server to procread

* Mon Dec 15 2008 Scott R. Shinn <scott@atomicrocketturtle.com> - 2.1.12-8
- Update for fc10 and fc11 support

* Wed Oct 29 2008 Scott R. Shinn <scott@atomicrocketturtle.com> - 2.1.12-6
- Update to 2.1.12
- Added trigger for perl-Math-Pari
- Updated logic on dr. web trigger

* Wed Mar 05 2008 Eric Grejda <eric.grejda@prometheus-group.com> 2.1.11-8
- Fixed check event for /dev/ptmx, create it if it's missing for CentOS v4.x (in
  particular) and set ownership properly.

* Fri Feb 22 2008 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.11-7
- add support for Fedora 9
- add check event for /dev/ptmx, create it if it's missing

* Fri Feb 22 2008 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.11-6
- update trigger for RHEL5/CentOS5 java implementations 

* Thu Feb 7 2008 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.11-5
- update to the new format of the groups command on f7/f8
- I broke the wednesday only cycle.

* Wed Jan 23 2008 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.11-2
- bugfix on the drweb trigger 
- How is it that these only come out on wednesdays?

* Wed Oct 10 2007 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.11-1
- update to 2.1.11-200708011700
- added trigger for psa-miva

* Wed May 30 2007 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.10-14
- Bugfix on drwebd shutdown script, this will now monitor drwebd for a graceful shutdown, and then kill it if it has to.
- v12 and 13 were refinements up to this

* Sun May 27 2007 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.10-11
- Bugfix on php5-ioncube-loader trigger
- merged php5-ioncube-loader trigger into php-ioncube trigger

* Sun May 27 2007 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.10-10
- Bugfix on psa trigger

* Sun May 27 2007 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.10-9
- Bugfix on untrusted users trigger

* Sun May 27 2007 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.10-8
- updated trigger on php-ioncube-loader

* Wed Feb 21 2007 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.10-5
- drweb trigger update
- mailman trigger updates
- java trigger updates
- sitebuilder trigger updates


* Tue Feb 20 2007 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.10-1
- update to gradm-2.1.10-200701121959.tar.gz
- java trigger updates

- install-only check for manual install of ioncube loader

* Sat Sep 10 2005 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.6-13
- further refinement of untrusted trigger

* Sat Sep 10 2005 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.6-12
- fix for mysql triggers on shared objects

* Sat Sep 10 2005 Scott R. Shinn <scott@atomicrocketturtle.com> 2.1.6-11
- bugfix in untrusted group routine, this should fix group removal issues in the future

* Thu Sep 1 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- add in untrusted groups creation, and expanded it into a trigger
- add in check for selinux enforce mode, set to permissive if detected

* Sun Aug 28 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- update to 2.1.6

* Tue Jun 7 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- execstack trigger for mysql-compat

* Tue May 24 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- execstack trigger added for mysql

* Mon May 23 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- psa trigger addition

* Sun May 15 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- update to gradm-2.1.5-200504081812
- mknod fix

* Tue May 10 2005 Scott R. Shinn <scott@atomicrocketturtle.com>
- Added nptl.sh script

* Mon Mar 28 2005 Scott R. Shinn <scott@atomicrocketturtle.com> 
- updated to 2.1.4
- removed SLS specific modifications
- added chpax 0.7

* Fri Jan 23 2004 Vincent Danen <vdanen@opensls.org> 2.0-0.5sls
- OpenSLS build
- tidy spec
- remove %%_prefix

* Tue Dec 30 2003 Michael Scherer <misc@mandrake.org> 2.0-0.4mdk 
- fix [DIRM] %{_sysconfdir}/grsec

* Thu Nov 20 2003 Thomas Backlund <tmb@iki.fi> 2.0-0.3mdk
- rc3

* Thu Sep 18 2003 Thomas Backlund <tmb@iki.fi> 2.0-0.2mdk
- move devfs checks to %post from makefile

* Wed Sep 17 2003 Thomas Backlund <tmb@iki.fi> 2.0-0.1mdk
- initial cooker contrib
- gradm 2.0-rc2
- spec based on 1.9.9d rpm package by Oden Eriksson that 
  never got uploaded due to kernel mismatch