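# NOTE: this rpm probably cant be built under mock any more due to more
# rigorous checks on macros (commented-out %%patch / %%{?el4:...} lines are
# still macro-expanded by rpmbuild, so every such line is escaped with %% below)
%define chpax_ver 0.7
%define paxctl_ver 0.9
# Set to 1 to also ship the nptl.sh profile.d snippet (Source2).
%define with_nptl 0

Summary: Userspace ACL parsing and authentication for grsecurity
Name: gradm
Version: 3.1
# NOTE(review): Release is 46 but the newest %%changelog entry is 3.1-40 - confirm the log is current.
Release: 46
License: GPL
Group: System/Base
URL: http://www.grsecurity.net/
Source0: https://grsecurity.net/stable/gradm-3.1-201701031918.tar.gz
Source1: chpax-%{chpax_ver}.tar.gz
Source2: nptl.sh
Source3: paxctl-%{paxctl_ver}.tar.gz
# Both patches are declared but their %%patch lines in %%prep are commented
# out, so neither is applied to the current upstream tarball.
Patch0: Makefile-2.2.1-x86_64.patch
Patch1: learn_config.patch
BuildRoot: %{_tmppath}/%{name}-buildroot
BuildRequires: binutils flex findutils byacc bison pam-devel, pam
#Requires: paxctl
Requires: prelink
# For setfattr support
# setfattr -n user.pax.flags -v "me" /path/to/binary will turn off MPROTECT and EMUTRAMP
# (EMUTRAMP has to be added because PT_PAX_FLAGS disables it by default too and the two markings must enable/disable the same PaX features
Requires: setfattr

%if 0%{?fc15}
BuildRequires: flex-static
%endif
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
BuildRequires: flex-devel
%endif

%description
grsecurity aims to be a complete security system for Linux. gradm performs
several tasks for the ACL system including authenticating via a password
to the kernel and parsing ACLs to be passed to the kernel.

%prep
%setup -q -n %{name}
# Unpack chpax (Source1) and paxctl (Source3) inside the already-created gradm tree.
%setup -q -n %{name} -D -T -a 1
%setup -q -n %{name} -D -T -a 3
# Kept for reference only; escaped so rpmbuild does not expand the macro in a comment.
#%%patch0 -p1
#%%patch1 -p0

%build
%ifarch x86_64
export OPT_FLAGS="-O2 -m64"
%else
export OPT_FLAGS="-O2"
%endif
# NOTE(review): OPT_FLAGS stands in for %%{optflags}, so the distribution's
# hardening flags are not passed to this build; whether gradm's Makefile even
# honours an exported OPT_FLAGS is not visible from the spec - confirm.
%{__make}
%{__make} -C chpax-%{chpax_ver}
%{__make} -C paxctl-%{paxctl_ver}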
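%install
[ "%{buildroot}" != "/" ] && rm -rf %{buildroot}
# not rpm friendly, does mknod, etc
#make DESTDIR="%{buildroot}" install
%{__mkdir_p} %{buildroot}%{_sysconfdir}/grsec
%{__install} -D -m 0640 learn_config %{buildroot}%{_sysconfdir}/grsec/learn_config
%{__install} -D -m 0640 policy %{buildroot}%{_sysconfdir}/grsec/policy
# Install modes are overridden by %%attr in %%files (0754).
%{__install} -D -m 0700 gradm %{buildroot}/sbin/gradm
%{__install} -D -m 0700 gradm_pam %{buildroot}/sbin/gradm_pam
%{__install} -D -m 0700 grlearn %{buildroot}/sbin/grlearn
%{__install} -D -m 0644 gradm.8 %{buildroot}%{_mandir}/man8/gradm.8
# chpax's own install target provides /sbin/chpax and its man page.
%{__make} -C chpax-%{chpax_ver} DESTDIR="%{buildroot}" install
%{__install} -D -m 0700 paxctl-%{paxctl_ver}/paxctl %{buildroot}/sbin/paxctl
%{__install} -D -m 0644 paxctl-%{paxctl_ver}/paxctl.1 %{buildroot}%{_mandir}/man1/paxctl.1
%if %{with_nptl}
%{__mkdir_p} %{buildroot}%{_sysconfdir}/profile.d/
install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/profile.d/nptl.sh
%endif

%clean
[ "%{buildroot}" != "/" ] && rm -rf %{buildroot}

# this is a rearchitecture for GID's due to some overlap that occurred because of plesk
%triggerin -- kernel-asl
#
#/usr/sbin/groupmod -g 301 procread || :
/usr/sbin/groupmod -g 302 client || :
/usr/sbin/groupmod -g 303 server || :
/usr/sbin/groupmod -g 304 socket || :
/usr/sbin/groupmod -g 305 untrusted || :
/usr/sbin/groupmod -g 306 trusted || :
/usr/sbin/groupmod -g 307 execlog || :
/usr/sbin/groupmod -g 308 symlink || :

%triggerin -- virgild
if [ -f /usr/bin/virgild ]; then
  # "|| :" keeps the trigger from failing when the filesystem has no xattr support
  /usr/bin/setfattr -n user.pax.flags -v "pm" /usr/bin/virgild || :
fi

%triggerin -- plesk-letsencrypt-pre
# For globbing, fortunately there is also a symlink we can follow
#if compgen -G "/usr/local/psa/var/modules/letsencrypt/venv*/bin" >/dev/null ; then
if [ -f /usr/local/psa/var/modules/letsencrypt/venv/bin/python ]; then
  paxctl -cm /usr/local/psa/var/modules/letsencrypt/venv/bin/python >/dev/null 2>&1 || :
fi
# May not be needed
## Plesk adm user cant be untrusted since the letsencrypt package has psaadm permissions
#if groups psaadm | grep -qv untrusted; then
#  /usr/bin/gpasswd -d psaadm untrusted
#fi

%triggerin -- asl-web
# "groups" prints a single line, so grep -v succeeds only when procread is absent
if groups tortix | grep -qv procread; then
  /usr/sbin/usermod -a -G procread tortix
fi

# fix permissions on psa bin dir
%triggerin -- psa
if [ -d /usr/local/psa/bin ]; then
  chown root:root /usr/local/psa/bin
fi
if [ -f /usr/local/psa/bin/chrootsh ]; then
  # ownership is forced to root before the setuid bit (4755) is set, so the
  # bit is never granted to a non-root owner
  chown root:root /usr/local/psa/bin/chrootsh
  chmod 4755 /usr/local/psa/bin/chrootsh
fi
# Plesk 9 fixup
if grep -q sw-cp-server /etc/passwd; then
  # usermod -a -G appends the group; the former `groups | awk | sed` rebuild
  # of the list stripped every other group when "groups" printed the old
  # colon-less format (see the 2.1.12-13 changelog entry)
  if groups sw-cp-server | grep -qv procread; then
    # Maybe not needed
    /usr/sbin/usermod -a -G procread sw-cp-server
  fi
  if groups psaadm | grep -qv procread; then
    # There are 2 auth systems in plesk. This is used if sw-sso isnt installed
    /usr/sbin/usermod -a -G procread psaadm
  fi
fi

%triggerin -- sw-sso
if groups sso | grep -qv procread; then
  /usr/sbin/usermod -a -G procread sso
fi

# fix beeencrypt stack execution
%triggerin -- beecrypt
if [ -x /usr/bin/execstack ]; then
  # a loop instead of "[ -f glob ]": the test aborts with "too many
  # arguments" when more than one library version is installed
  for lib in /usr/lib/libbeecrypt.so.*.*.* /usr/lib64/libbeecrypt.so.*.*.*; do
    if [ -f "$lib" ]; then
      execstack -c "$lib"
    fi
  done
fi

# fix stack execution on mysql on 2.6 kernels
%triggerin -- mysql
if [ -x /usr/bin/execstack ]; then
  # the -name pattern is quoted so the shell cannot expand it against the cwd
  find /usr/lib -name 'libmysql*' -exec execstack -c {} \; 1>/dev/null 2>&1
  if [ -d /usr/lib64 ]; then
    find /usr/lib64 -name 'libmysql*' -exec execstack -c {} \; 1>/dev/null 2>&1
  fi
fi
# CentOS4/RHEL4 has a problem with bdb in mysql
# (disabled; escaped with %% so the conditional macro is not expanded on el4)
#%%{?el4:if ! grep -q "^skip-bdb" /etc/my.cnf; then }
#%%{?el4:  sed -e 's/\[mysqld\]/\[mysqld\]\nskip-bdb/' /etc/my.cnf > /etc/my.cnf.atomicorp }
#%%{?el4:  mv -f /etc/my.cnf.atomicorp /etc/my.cnf }
#%%{?el4:fi }

%triggerin -- mysql-compat
if [ -x /usr/bin/execstack ]; then
  find /usr/lib -name 'libmysql*' -exec execstack -c {} \; 1>/dev/null 2>&1
  if [ -d /usr/lib64 ]; then
    find /usr/lib64 -name 'libmysql*' -exec execstack -c {} \; 1>/dev/null 2>&1
  fi
fi

# Fix frontpage perms
%triggerin -- frontpage
if [ -d /usr/local/frontpage ]; then
  # fix for people tricked into using cpanel
  if [ -f /usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe ]; then
    chattr -i /usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe
  fi
  chown -R root:root /usr/local/frontpage/version*/*
fi

# Fix courier-imap perms
%triggerin -- courier-imap
if [ -d /usr/lib/courier-imap ]; then
  chown -R root:root /usr/lib/courier-imap
fi

%triggerin -- courier-authlib
if [ -d /usr/lib/courier-authlib ]; then
  chown -R root:root /usr/lib/courier-authlib
fi

# Fix mailman perms
%triggerin -- mailman
if [ -d /usr/lib/mailman/cgi-bin ]; then
  chown root:root /usr/lib/mailman
  chown root:root /usr/lib/mailman/cgi-bin
  chown root:root /usr/lib/mailman/cron
  chown -R root:root /usr/lib/mailman/pythonlib
  chmod 755 /usr/lib/mailman/cgi-bin
  chmod 755 /usr/lib/mailman/cron
  chmod 755 /usr/lib/mailman/mail
  chmod -R 755 /usr/lib/mailman/pythonlib
fi
if [ -d /var/mailman/cgi-bin ]; then
  chown root:root /var/mailman
  chown root:root /var/mailman/cgi-bin
  chown root:root /var/mailman/cron
  chmod 755 /var/mailman/cgi-bin
  chmod 755 /var/mailman/cron
  chmod 755 /var/mailman/mail
fi

# Fix php-xslt
%triggerin -- php-xslt
if [ -f /usr/lib/php4/xslt.so ]; then
  if [ -x /usr/bin/execstack ]; then
    execstack -c /usr/lib/php4/xslt.so
  fi
fi

# Fix for clamd
%triggerin -- clamd
service clamd stop >/dev/null 2>&1 || :
# kill the hell out of clamd: poll once a second for up to 60 s, escalate to
# SIGKILL after 30 s, and leave the loop early once pidof no longer finds it
running=0
while [ $running -lt 60 ]; do
  # look for it
  /sbin/pidof -s clamd > /dev/null || running=60
  # wait
  sleep 1
  running=`expr $running + 1`
  if [ $running -ge 30 ]; then
    /usr/bin/killall -9 clamd >/dev/null 2>&1
  fi
done
/usr/bin/killall -9 clamd >/dev/null 2>&1
# -cm: convert PT_GNU_STACK to PT_PAX_FLAGS and disable MPROTECT only
/sbin/paxctl -cm /usr/sbin/clamd || :
if [ -f /usr/bin/clamscan ]; then
  /sbin/paxctl -cm /usr/bin/clamscan || :
fi
if [ -f /usr/bin/freshclam ]; then
  /sbin/paxctl -cm /usr/bin/freshclam || :
fi
service clamd start || :

# Fix X
%triggerin -- XFree86
if [ -f /usr/X11R6/bin/XFree86 ]; then
  # -cemsrpx disables every PaX feature on the X server binary
  /sbin/paxctl -cemsrpx /usr/X11R6/bin/XFree86 || :
fi

# Plesk PAM rpm
%triggerin -- psa-libpam-plesk
if [ -f /lib/security/pam_plesk.so ]; then
  execstack -c /lib/security/pam_plesk.so
fi

%triggerin -- plesk-php71-fpm
if [ -f /opt/plesk/php/7.1/sbin/php-fpm ]; then
  service plesk-php71-fpm stop >/dev/null 2>&1 || :
  /sbin/paxctl -cm /opt/plesk/php/7.1/sbin/php-fpm >/dev/null 2>&1 || :
  service plesk-php71-fpm start >/dev/null 2>&1 || :
fi

%triggerin -- plesk-php70-fpm
if [ -f /opt/plesk/php/7.0/sbin/php-fpm ]; then
  service plesk-php70-fpm stop >/dev/null 2>&1 || :
  /sbin/paxctl -cm /opt/plesk/php/7.0/sbin/php-fpm >/dev/null 2>&1 || :
  service plesk-php70-fpm start >/dev/null 2>&1 || :
fi

# killall matches by process name, so "killall -9 php-cgi" below also stops
# php-cgi processes that belong to other PHP installations
%triggerin -- plesk-php71-cli
if [ -f /opt/plesk/php/7.1/bin/php ]; then
  /sbin/paxctl -cm /opt/plesk/php/7.1/bin/php >/dev/null 2>&1 || :
fi
if [ -f /opt/plesk/php/7.1/bin/php-cgi ]; then
  killall -9 php-cgi >/dev/null 2>&1 || :
  /sbin/paxctl -cm /opt/plesk/php/7.1/bin/php-cgi >/dev/null 2>&1 || :
fi

%triggerin -- plesk-php70-cli
if [ -f /opt/plesk/php/7.0/bin/php ]; then
  /sbin/paxctl -cm /opt/plesk/php/7.0/bin/php >/dev/null 2>&1 || :
fi
if [ -f /opt/plesk/php/7.0/bin/php-cgi ]; then
  killall -9 php-cgi >/dev/null 2>&1 || :
  /sbin/paxctl -cm /opt/plesk/php/7.0/bin/php-cgi >/dev/null 2>&1 || :
fi

# cPanel EasyApache PHP builds; "|| :" on paxctl matches the plesk triggers above
%triggerin -- ea-php70-php-litespeed
if [ -f /opt/cpanel/ea-php70/root/usr/bin/lsphp ]; then
  killall -9 lsphp >/dev/null 2>&1
  /sbin/paxctl -cm /opt/cpanel/ea-php70/root/usr/bin/lsphp || :
fi

%triggerin -- ea-php70-php-cli
if [ -f /opt/cpanel/ea-php70/root/usr/bin/php ]; then
  killall -9 php >/dev/null 2>&1
  /sbin/paxctl -cm /opt/cpanel/ea-php70/root/usr/bin/php || :
fi
# the ea-php70 php-cgi handling used to sit in the ea-php71-php-fpm trigger,
# so it only ran when ea-php71-php-fpm was installed; it belongs with the 7.0 cli
if [ -f /opt/cpanel/ea-php70/root/usr/bin/php-cgi ]; then
  killall -9 php-cgi >/dev/null 2>&1
  /sbin/paxctl -cm /opt/cpanel/ea-php70/root/usr/bin/php-cgi || :
fi

%triggerin -- ea-php70-php-fpm
if [ -f /opt/cpanel/ea-php70/root/usr/bin/php-fpm ]; then
  killall -9 php-fpm >/dev/null 2>&1
  /sbin/paxctl -cm /opt/cpanel/ea-php70/root/usr/bin/php-fpm || :
  service ea-php70-php-fpm restart || :
fi

%triggerin -- ea-php71-php-fpm
if [ -f /opt/cpanel/ea-php71/root/usr/bin/php-fpm ]; then
  killall -9 php-fpm >/dev/null 2>&1
  /sbin/paxctl -cm /opt/cpanel/ea-php71/root/usr/bin/php-fpm || :
  service ea-php71-php-fpm restart || :
fi

%triggerin -- ea-php71-php-litespeed
if [ -f /opt/cpanel/ea-php71/root/usr/bin/lsphp ]; then
  killall -9 lsphp >/dev/null 2>&1
  /sbin/paxctl -cm /opt/cpanel/ea-php71/root/usr/bin/lsphp || :
fi

%triggerin -- ea-php71-php-cli
if [ -f /opt/cpanel/ea-php71/root/usr/bin/php ]; then
  killall -9 php >/dev/null 2>&1
  /sbin/paxctl -cm /opt/cpanel/ea-php71/root/usr/bin/php || :
fi
if [ -f /opt/cpanel/ea-php71/root/usr/bin/php-cgi ]; then
  killall -9 php-cgi >/dev/null 2>&1
  /sbin/paxctl -cm /opt/cpanel/ea-php71/root/usr/bin/php-cgi || :
fi

%triggerin -- kerio-connect
if [ -d /opt/kerio/mailserver/ ]; then
  find /opt/kerio/ -name 'libkt*so' -exec execstack -c {} \;
fi
if [ -f /opt/kerio/mailserver/javaservices/jre/bin/java ]; then
  # NOTE(review): unlike the other java triggers this uses -mps without -c - confirm it is intended
  paxctl -mps /opt/kerio/mailserver/javaservices/jre/bin/java
fi

%triggerin -- nodejs
if [ -f /usr/bin/node ]; then
  /usr/bin/killall -9 node >/dev/null 2>&1 || :
  /sbin/paxctl -cm /usr/bin/node || :
fi

%triggerin -- easy-jakarta-commons-daemon easy-jakarta-commons-daemon-jsvc
if [ -f /usr/local/easy/bin/jsvc ]; then
  /usr/bin/killall -9 jsvc >/dev/null 2>&1 || :
  /sbin/paxctl -cm /usr/local/easy/bin/jsvc || :
fi

%triggerin -- erlang erlang-erts
# loop over the glob: "[ -f glob ]" breaks as soon as two erts versions exist
for beam in /usr/*/erlang/erts-*/bin/beam.smp; do
  if [ -f "$beam" ]; then
    /usr/bin/execstack -c "$beam"
  fi
done

%triggerin -- r1soft-cdp-async-agent-2-6 serverbackup-async-agent-2-6
if [ -f /usr/sbin/r1soft/bin/2-6/cdp-2-6 ]; then
  /usr/bin/killall -9 cdp-2-6 >/dev/null 2>&1
  /sbin/paxctl -cm /usr/sbin/r1soft/bin/2-6/cdp-2-6 || :
fi
if [ -f /usr/sbin/r1soft/bin/cdp ]; then
  /usr/bin/killall -9 cdp >/dev/null 2>&1
  /sbin/paxctl -cm /usr/sbin/r1soft/bin/cdp || :
fi
if [ -f /usr/sbin/r1soft/bin/cdpserver ]; then
  /sbin/paxctl -cm /usr/sbin/r1soft/bin/cdpserver || :
fi

# Interworx
%triggerin -- interworx
if [ -f /home/interworx/ioncube/ioncube_loader_lin_5.2.so ]; then
  /usr/bin/execstack -c /home/interworx/ioncube/ioncube_loader_lin_5.2.so
fi

# Tivoli
%triggerin -- TIVsm-BA
if [ -f /opt/tivoli/tsm/client/ba/bin/dsmc ]; then
  paxctl -cm /opt/tivoli/tsm/client/ba/bin/dsmc
fi

# HavP
%triggerin -- havp
if [ -f /usr/sbin/havp ]; then
  paxctl -cm /usr/sbin/havp
fi

# Grub
%triggerin -- grub
if [ -f /sbin/grub ]; then
  /sbin/paxctl -cm /sbin/grub || :
fi

# Splunk
# Seriously guys???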
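%triggerin -- splunk
# guarded like the other execstack triggers; the loop tolerates a missing or
# multi-version libcrypto instead of failing the scriptlet
if [ -x /usr/bin/execstack ]; then
  for lib in /opt/splunk/lib/libcrypto.so.*; do
    if [ -f "$lib" ]; then
      execstack -c "$lib"
    fi
  done
fi

# Dells smbios-utils-python
%triggerin -- smbios-utils-python
# loop over the glob: "[ -f glob ]" aborts with "too many arguments" when
# several python versions are installed
for so in /usr/lib*/python*/site-packages/_ctypes.so; do
  if [ -f "$so" ]; then
    execstack -c "$so"
  fi
done

# Dell Open Manage (no triggers defined; escaped so rpmbuild does not parse them)
#%%triggerin -- srvadmin-hapi
#
#%%triggerin -- srvadmin-deng

# perl-Math-Pari
# NOTE(review): the changelog calls the package perl-Math-Pari; trigger names are
# case-sensitive, so this trigger only fires for a package literally named perl-Math-pari - confirm.
%triggerin -- perl-Math-pari
for so in /usr/lib/perl5/vendor_perl/*/*/auto/Math/Pari/Pari.so; do
  if [ -f "$so" ]; then
    execstack -c "$so"
  fi
done

# mplayer
%triggerin -- mplayer
if [ -f /usr/bin/mplayer ]; then
  execstack -c /usr/bin/mplayer
fi

# psa-miva needs mprotect
%triggerin -- psa-miva
if [ -f /usr/bin/mivavm ]; then
  /sbin/paxctl -cm /usr/bin/mivavm || :
fi

# expand needs execstack cleared
%triggerin -- expand
# NOTE(review): the guard tests for "libxerces-c.so.25.o" (trailing ".o"), which
# looks like a typo for ".25.0"; kept as-is, confirm against the installed file name.
if [ -f /usr/lib/libxerces-c.so.25.o ]; then
  execstack -c /usr/lib/libxerces-c.so.25*
fi

# sitebuilder-core needs exec stack
%triggerin -- sitebuilder-core
if [ -x /usr/bin/execstack ]; then
  if [ -f /usr/lib/php4/sitebuilder.so ]; then
    execstack -c /usr/lib/php4/sitebuilder.so
  fi
  if [ -f /usr/lib/php5/sitebuilder.so ]; then
    execstack -c /usr/lib/php5/sitebuilder.so
  fi
  if [ -f /usr/lib/php/sitebuilder.so ]; then
    execstack -c /usr/lib/php/sitebuilder.so
  fi
  if [ -f /opt/php51/lib/php5/extensions/sitebuilder3.so ]; then
    execstack -c /opt/php51/lib/php5/extensions/sitebuilder3.so
  fi
  # final catchalls (patterns quoted so the shell does not expand them first)
  find /opt -name 'sitebuilder*so' -exec execstack -c {} \;
  find /usr/lib -name 'sitebuilder*so' -exec execstack -c {} \;
fi

# php-ioncube-loader
%triggerin -- php-ioncube-loader php5-ioncube-loader php5-ioncube php-ioncube ioncube
if [ -x /usr/bin/execstack ]; then
  if [ -d /usr/lib/php ]; then
    find /usr/lib/php -name '*ioncube*' -exec execstack -c {} \; 1>/dev/null 2>&1
  fi
  if [ -d /usr/lib64/php ]; then
    # NOTE(review): searches all of /usr/lib64/, not /usr/lib64/php as the guard suggests - confirm
    find /usr/lib64/ -name '*ioncube*' -exec execstack -c {} \; 1>/dev/null 2>&1
  fi
  if [ -f /opt/php51/lib/php5/ioncube_loader_lin_5.1.so ]; then
    find /opt/php51/lib/ -name '*ioncube*' -exec execstack -c {} \; 1>/dev/null 2>&1
  fi
fi

# drweb needs mprotect()
%triggerin -- drweb-daemon
if [ -f /opt/drweb/drwebd ]; then
  service drwebd stop 1> /dev/null 2>&1
  # NOTE(review): the process name is chosen from /opt/drweb/drweb.real but the
  # paxctl step below looks at /opt/drweb/drwebd.real - confirm which file exists
  if [ -f /opt/drweb/drweb.real ]; then
    PROCESS=drweb.real
  else
    PROCESS=drweb
  fi
  # kill the hell out of drweb: poll for up to 60 s, SIGKILL from 30 s on
  running=0
  while [ $running -lt 60 ]; do
    # look for it
    /sbin/pidof -s $PROCESS > /dev/null || running=60
    # wait
    sleep 1
    running=`expr $running + 1`
    if [ $running -ge 30 ]; then
      /usr/bin/killall -9 $PROCESS >/dev/null 2>&1
    fi
  done
  # skip symlinks so the flags land on the real binary only
  if [ -f /opt/drweb/drwebd ] && [ ! -h /opt/drweb/drwebd ]; then
    /sbin/paxctl -cm /opt/drweb/drwebd || :
  fi
  if [ -f /opt/drweb/drwebd.real ] ; then
    /usr/bin/killall -9 drweb.real 2>/dev/null || :
    /sbin/paxctl -cm /opt/drweb/drwebd.real 2>/dev/null || :
  fi
  service drwebd start 1> /dev/null 2>&1
fi

# Java
%triggerin -- j2sdk java-1.4.2-sun java-1.4.2-gcj-compat java-1.4.2-sun-devel libgcj VMware-server jre jdk zimbra-core r1soft-cdp-server java-1.7.0-openjdk easy-tomcat7-lib easy-tomcat8-lib java-1.6.0-openjdk jre1.8.0_77 java-1.8.0-openjdk-headless java-1.8.0-openjdk
# -cemprxs / -cemsrpx switch every PaX feature off for the JVM launchers
# (lowercase paxctl flags disable); the new flags apply when the binary is next executed
killall -9 java >/dev/null 2>&1
if [ -d /usr/java ]; then
  find /usr/java -name java -type f -exec /sbin/paxctl -cemprxs {} \; >/dev/null 2>&1 || :
  find /usr/java -name javac -type f -exec /sbin/paxctl -cemprxs {} \; >/dev/null 2>&1 || :
fi
if [ -d /usr/lib/jvm ]; then
  find /usr/lib/jvm -name java -type f -exec /sbin/paxctl -cemprxs {} \; >/dev/null 2>&1 || :
  find /usr/lib/jvm -name javac -type f -exec /sbin/paxctl -cemprxs {} \; >/dev/null 2>&1 || :
fi
if [ -f /usr/bin/gij ]; then
  /sbin/paxctl -cemsrpx /usr/bin/gij || :
fi
if [ -f /usr/bin/gcj-dbtool ]; then
  /sbin/paxctl -cemsrpx /usr/bin/gcj-dbtool || :
fi
if [ -d /usr/lib/vmware/webAccess ]; then
  find /usr/lib/vmware/webAccess -name webAccess -type f -exec /sbin/paxctl -cemsrpx {} \; >/dev/null 2>&1 || :
  find /usr/lib/vmware/webAccess -name java -type f -exec /sbin/paxctl -cemsrpx {} \; >/dev/null 2>&1 || :
fi
# Zimbra
if [ -d /opt/zimbra/ ]; then
  find /opt/zimbra/ -name java -type f -exec /sbin/paxctl -cemsrpx {} \; >/dev/null 2>&1 || :
  find /opt/zimbra/ -name javac -type f -exec /sbin/paxctl -cemsrpx {} \; >/dev/null 2>&1 || :
fi
#VMware-server
# R1soft
if [ -f /usr/sbin/r1soft/jre/bin/java ]; then
  /sbin/paxctl -cemsrpx /usr/sbin/r1soft/jre/bin/java >/dev/null 2>&1 || :
fi
if [ -f /usr/sbin/r1soft/bin/cdpserver ]; then
  /sbin/paxctl -cm /usr/sbin/r1soft/bin/cdpserver || :
fi

# /dev/ptmx check trigger for CentOS v4.x. Ew.
%triggerin -- kernel
if [ ! -c /dev/ptmx ]; then
  /bin/mknod -m 0666 /dev/ptmx c 5 2
  chown root:tty /dev/ptmx
fi

# untrusted users trigger
# Note that this might cause "Trigger fired by the same package is already defined in spec file" because
# we use triggers on more than one named package in this list
# NOTE(review): "mailman" and "psa" also have their own %%triggerin above, which is exactly
# that duplicate-trigger case; one of the two definitions needs to absorb the other - confirm
# which rpm versions still accept this spec as written.
%triggerin -- httpd snort mailman gdm mysql-server postgres qmail psa-qmail psa openssh
USERS="lp sync shutdown halt mail news uucp operator games gopher ftp nobody rpm vcsa nscd sshd rpc rpcuser nfsnobody mailnull smmsp pcap apache squid webalizer xfs named ntp gdm amanda canna wnn fax netdump nut ldap mysql ident postfix mailman postgres privoxy pvm desktop radvd iplog snort dnscache dnslog alias qmaild qmaill qmailp qmailq qmailr qmails popuser psaadm psaftp qscand ftproot dcc"
for i in $USERS; do
  # only touch accounts that exist locally; the ":" anchors the match to the whole login name
  if grep -q "^$i:" /etc/passwd; then
    if groups $i | grep -qv untrusted; then
      /usr/sbin/usermod -a -G untrusted $i
    fi
  fi
done

%post
# (re)create the gradm control device; both branches of the old if/else ended
# in the same mknod, so an unconditional rm -f + mknod is equivalent.
# The world-writable 0622 mode is carried over from the original unchanged.
rm -f /dev/grsec
/bin/mknod -m 0622 /dev/grsec c 1 13
# create the ASL user groups; every check is anchored with ":" so a group
# whose name merely starts with the wanted one (e.g. "symlinks") is not mistaken for it
if ! grep -q "^symlink:" /etc/group; then
  /usr/sbin/groupadd -g 308 -r -f symlink
fi
if ! grep -q "^execlog:" /etc/group; then
  /usr/sbin/groupadd -g 307 -r -f execlog
fi
if ! grep -q "^trusted:" /etc/group; then
  /usr/sbin/groupadd -g 306 -r -f trusted
fi
if ! grep -q "^untrusted:" /etc/group; then
  /usr/sbin/groupadd -g 305 -r -f untrusted
fi
if ! grep -q "^socket:" /etc/group; then
  /usr/sbin/groupadd -g 304 -r -f socket
fi
if ! grep -q "^server:" /etc/group; then
  /usr/sbin/groupadd -g 303 -r -f server
fi
if ! grep -q "^client:" /etc/group; then
  /usr/sbin/groupadd -g 302 -r -f client
fi
if ! grep -q "^procread:" /etc/group; then
  /usr/sbin/groupadd -g 301 -r -f procread
fi
# switch SELinux into warn mode if it is enabled
# currently disabling selinux from the kernel rpm in grub.conf
if [ -f /etc/sysconfig/selinux ]; then
  if grep -q ^SELINUX=enforcing /etc/sysconfig/selinux; then
    # sed -i edits in place. The previous "> /etc/sysconfig/selinux" redirect
    # truncated the file before sed read it, leaving an empty SELinux config.
    # NOTE(review): this path is commonly a symlink to /etc/selinux/config and
    # GNU sed -i replaces a symlink with a regular file unless --follow-symlinks
    # is given - confirm on the target distributions.
    sed -i s/^SELINUX=enforcing/SELINUX=permissive/ /etc/sysconfig/selinux
  fi
fi
# Ioncube fix
if [ -d /usr/local/ioncube ]; then
  find /usr/local/ioncube -name '*so' -exec execstack -c {} \; >/dev/null 2>&1
fi
# hwcap change. This is needed with newer 2.6.32 kernels, if 2 .confs have conflicting settings ldconfig will break
if grep --silent '^hwcap 0 nosegneg$' /etc/ld.so.conf.d/kernel*.conf 2> /dev/null; then
  sed -i '/^hwcap 0 nosegneg$/ s/0/1/' /etc/ld.so.conf.d/kernel*.conf
fi
if [ -f /usr/bin/java ]; then
  /sbin/paxctl -cmps /usr/bin/java || :
fi

%files
%defattr(-,root,root)
%dir %{_sysconfdir}/grsec
%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/grsec/learn_config
%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/grsec/policy
%attr(0754,root,root) /sbin/%{name}
%attr(0754,root,root) /sbin/grlearn
%attr(0754,root,root) /sbin/chpax
%attr(0754,root,root) /sbin/paxctl
%attr(0754,root,root) /sbin/gradm_pam
%attr(0644,root,root) %{_mandir}/man8/%{name}.8*
%attr(0644,root,root) %{_mandir}/man1/chpax.1.gz*
%attr(0644,root,root) %{_mandir}/man1/paxctl.1.gz*
%if %{with_nptl}
%attr(0755,root,root) %{_sysconfdir}/profile.d/nptl.sh
%endif

%changelog
* Tue Feb 28 2017 Support - 3.1-40
- Add trigers for plesk php70/71 php-cgi

* Tue Feb 21 2017 Support - 3.1-39
- Related to ASL issue #199, add restart event for clamav

* Mon Feb 13 2017 Support - 3.1-38
- Update to gradm-3.1-201701031918
- Add triggers for plesk php70/71 php-fpm

* Tue Nov 29 2016 Support - 3.1-37
- Add support for PHP 7.1

* Tue Nov 29 2016 Support - 3.1-35
- Issue #13, allow plesk PHP 7.0 mprotect()
- Issue #15, allow plesk letsencrypt python mprotect()

* Tue Nov 29 2016 Support - 3.1-34
- Issue #44, change flags on r1soft cdp

* Thu Nov 10 2016 Support - 3.1-33
- Update to gradm-3.1-201608131257
- Add trigger for kerio-connect

* Fri May 13 2016 Support - 3.1-32
- Add trigger for java-1.8.0-openjdk-headless

* Fri Dec 11 2015 Support - 3.1-31
- Add trigger for openjdk-1.6

* Wed Nov 18 2015 Support - 3.1-30
- Add triggers to manipulate the group id's to 300 range

* Fri Jul 24 2015 Support - 3.1-29
- Update to paxctl 0.9
- Upgrade to 3.1-201507191652

* Tue Mar 31 2015 Support - 3.1-28
- Add triggers for nodejs

* Tue Mar 24 2015 Support - 3.1-27
- Upgrade to 3.1-201503211320
- Add java triggers for easy-tomcat7-lib

* Thu Mar 6 2014 Support - 3.0-26
- Add java triggers for openjdk 1.7.0, easy-jakarta-commons-daemon easy-jakarta-commons-daemon-jsvc

* Thu Feb 13 2014 Support - 3.0-24
- Update to 3.0
- Update paxctl to 0.7

* Thu Feb 13 2014 Support - 2.9.1-23
- Add trigger on easy-jakarta-commons-daemon

* Fri Apr 5 2013 Support - 2.9.1-22
- Add procread trigger for the Interworx control panel

* Tue Feb 5 2013 Support - 2.9.1-21
- Update to gradm-2.9.1-201301041755.tar.gz

* Tue Oct 16 2012 Support - 2.9.1-20
- Feature Request #836: Add execstack trigger for erlang & erlang-erts

* Wed Sep 19 2012 Support - 2.9.1-13
- Update to 2.9.1-201207201554

* Tue Jun 26 2012 Support - 2.9.1-10
- Update to 2.9.1-201206091838
- Add trigger for r1soft-cdp-server

* Tue May 22 2012 Support - 2.9-8
- Add trigger for r1soft cdp agent

* Tue May 15 2012 Support - 2.9-7
- Correct a bug in ldconfig -v where it will break if hwseg is set to 0

* Tue May 15 2012 Support - 2.9-6
- Update to 2.9 branch

* Wed Jan 4 2012 Support - 2.2.2-5
- Add gcj event to allow RWX of anonymous mappings

* Wed Jan 4 2012 Support - 2.2.2-4
- Add %%post event to update ld.so.conf to remove a hwseg conflict in CentOS/Cloudlinux converted environments that would break ldconfig

* Wed Jun 15 2011 Support - 2.2.2-1
- Update to 2.2.2 - 201111011031
- Add requires on prelink

* Wed Jun 15 2011 Support - 2.2.2-1
- Update to 2.2.2 - 201106072007
- Add procread trigger for asl-web

* Thu Dec 30 2010 Support - 2.2.1-2
- Update to 2.2.1 - 201012301333

* Mon Nov 29 2010 Support - 2.2.1-1
- Update to 2.2.1

* Thu Oct 28 2010 Support - 2.2.0-7
- Create the trusted user group, for Unless Allow, Deny TPE mode
- Create the execlog user group, all execve() activity is logged for users in this group
- Update to 2.2.0-201009022049

* Sat Oct 16 2010 Support - 2.2.0-6
- Add triggers for gcj-dbtool

* Wed Sep 22 2010 Support - 2.2.0-5
- Add triggers for zimbra

* Mon Sep 13 2010 Support - 2.2.0-4
- Add triggers for havp

* Fri Aug 13 2010 Support - 2.2.0-3
- Update to gradm-2.2.0-201008112235
- Add trigger to disable mprotect on grub

* Fri Aug 13 2010 Support - 2.2.0-2
- Update to clamd trigger for the clamscan binary

* Fri Jul 2 2010 Support - 2.2.0-0.1
- update to 2.2.0

* Wed Jun 30 2010 Support - 2.1.14-11
- Improved drweb process detection & deconstruction

* Tue Jun 29 2010 Support - 2.1.14-7
- Added mprotect() trigger for clamd

* Thu Jun 3 2010 Support - 2.1.14-6
- Updated drweb trigger

* Fri May 14 2010 Support - 2.1.14-5
- Update to 2.1.14-201005041005
- Add triggers for fc13 and fc14

* Wed Feb 17 2010 Support - 2.1.14-4
- Update to 2.1.14-200910072130
- Add triggers for fc12
- Add paxctl 0.5

* Tue Jan 26 2010 Support - 2.1.14-3
- Updated java trigger to look for the jdk package

* Mon Sep 28 2009 Scott R. Shinn - 2.1.14-2
- Update to 2.1.14-200909162021

* Thu Jul 2 2009 Scott R. Shinn - 2.1.14-1
- Update to 2.1.14-200906141459

* Mon Apr 27 2009 Scott R. Shinn - 2.1.12-14
- Added trigger for dell symbios tools

* Wed Jan 28 2009 Scott R. Shinn - 2.1.12-13
- Bugfix for FC10 triggers, the groups command is now using the older format again.

* Fri Jan 9 2009 Scott R. Shinn - 2.1.12-12
- Update to 200812271437
- Removed redundant init.d reference from /etc/grsec/learn_config

* Mon Dec 22 2008 Scott R. Shinn - 2.1.12-11
- Added java cleanup trigger on "jre"

* Wed Dec 17 2008 Scott R. Shinn - 2.1.12-10
- Added procread group for allowing non-root users access to /proc
- Added trigger for sw-sso, to add the user (sso) to procread
- Updated psa trigger to add sw-cp-server to procread

* Mon Dec 15 2008 Scott R. Shinn - 2.1.12-8
- Update for fc10 and fc11 support

* Wed Oct 29 2008 Scott R. Shinn - 2.1.12-6
- Update to 2.1.12
- Added trigger for perl-Math-Pari
- Updated logic on dr. web trigger

* Wed Mar 05 2008 Eric Grejda 2.1.11-8
- Fixed check event for /dev/ptmx, create if its missing for CentOS v4.x (in particular) and set ownership properly.

* Fri Feb 22 2008 Scott R. Shinn 2.1.11-7
- add support for Fedora 9
- add check event for /dev/ptmx, create if its missing

* Fri Feb 22 2008 Scott R. Shinn 2.1.11-6
- update trigger for RHEL5/CentOS5 java implementations

* Thu Feb 7 2008 Scott R. Shinn 2.1.11-5
- update to the new format of the groups command on f7/f8
- I broke the wednesday only cycle.

* Wed Jan 23 2008 Scott R. Shinn 2.1.11-2
- bugfix on the drweb trigger
- How is it that these only come out on wednesdays?

* Wed Oct 10 2007 Scott R. Shinn 2.1.11-1
- update to 2.1.11-200708011700
- added trigger for psa-miva

* Wed May 30 2007 Scott R. Shinn 2.1.10-14
- Bugfix on drwebd shutdown script, this will now monitor drwebd for a graceful shutdown, and then kill it if it has to.
- v12 and 13 were refinements up to this

* Sun May 27 2007 Scott R. Shinn 2.1.10-11
- Bugfix on php5-ioncube-loader trigger
- merged php5-ioncube-loader trigger into php-ioncube trigger

* Sun May 27 2007 Scott R. Shinn 2.1.10-10
- Bugfix on psa trigger

* Sun May 27 2007 Scott R. Shinn 2.1.10-9
- Bugfix on untrusted users trigger

* Sun May 27 2007 Scott R. Shinn 2.1.10-8
- updated trigger on php-ioncube-loader

* Wed Feb 21 2007 Scott R. Shinn 2.1.10-5
- drweb trigger update
- mailman trigger updates
- java trigger updates
- sitebuilder trigger updates

* Tue Feb 20 2007 Scott R. Shinn 2.1.10-1
- update to gradm-2.1.10-200701121959.tar.gz
- java trigger updates
- install-only check for manual install of ioncube loader

* Sat Sep 10 2005 Scott R. Shinn 2.1.6-13
- further refinement of untrusted trigger

* Sat Sep 10 2005 Scott R. Shinn 2.1.6-12
- fix for mysql triggers on shared objects

* Sat Sep 10 2005 Scott R. Shinn 2.1.6-11
- bugfix in untrusted group routine, this should fix group removal issues in the future

* Thu Sep 1 2005 Scott R. Shinn
- add in untrusted groups creation, and expanded it into a trigger
- add in check for selinux enforce mode, set to permissive if detected

* Sun Aug 28 2005 Scott R. Shinn
- update to 2.1.6

* Tue Jun 7 2005 Scott R. Shinn
- execstack trigger for mysql-compat

* Tue May 24 2005 Scott R. Shinn
- execstack trigger added for mysql

* Mon May 23 2005 Scott R. Shinn
- psa trigger addition

* Sun May 15 2005 Scott R. Shinn
- update to gradm-2.1.5-200504081812
- mknod fix

* Tue May 10 2005 Scott R. Shinn
- Added nptl.sh script

* Mon Mar 28 2005 Scott R. Shinn
- updated to 2.1.4
- removed SLS specific modifications
- added chpax 0.7

* Fri Jan 23 2004 Vincent Danen 2.0-0.5sls
- OpenSLS build
- tidy spec
- remove %%_prefix

* Tue Dec 30 2003 Michael Scherer 2.0-0.4mdk
- fix [DIRM] %%{_sysconfdir}/grsec

* Thu Nov 20 2003 Thomas Backlund 2.0-0.3mdk
- rc3

* Thu Sep 18 2003 Thomas Backlund 2.0-0.2mdk
- move devfs checks to %%post from makefile

* Wed Sep 17 2003 Thomas Backlund 2.0-0.1mdk
- initial cooker contrib
- gradm 2.0-rc2
- spec based on 1.9.9d rpm package by Oden Eriksson that never got uploaded due to kernel mismatch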