import openwsman-2.7.2-5.el10

b8724393 · Rocky Automation · b8724393 · b8724393 · b8724393 · b8724393
Commit b8724393 authored 1 year ago by Rocky Automation
--- a/.openwsman.checksum
+++ b/.openwsman.checksum
+Direct Git Import
--- a/.openwsman.metadata
+++ b/.openwsman.metadata
+9fd2fdef84c2f85e47d301c4f3d4fd8603bb663a14590cf1aaba1268fbf071f5 SOURCES/openwsmand.8.gz
+f916b20956a64426c60a34fa2eaf2c8a13c7047ea2d2585329a6f33e00113be1 SOURCES/v2.7.2.tar.gz
--- a/SOURCES/openwsman-2.4.0-pamsetup.patch
+++ b/SOURCES/openwsman-2.4.0-pamsetup.patch
+diff -up openwsman-2.6.8/etc/pam/openwsman.orig openwsman-2.6.8/etc/pam/openwsman
+--- openwsman-2.6.8/etc/pam/openwsman.orig	2018-11-21 13:51:52.776325243 +0100
+++ openwsman-2.6.8/etc/pam/openwsman	2018-11-21 13:54:17.066351134 +0100
+@@ -2,6 +2,6 @@
+ auth       required	pam_unix.so	nullok
+ auth       required	pam_nologin.so
+ account    required	pam_unix.so
+-password   required	pam_cracklib.so	nullok
+-password   required	pam_unix.so	nullok use_first_pass use_authtok nis shadow
+-session    required	pam_unix.so	none
+password   required	pam_pwquality.so
+password   required	pam_unix.so	nullok use_first_pass use_authtok
+session    required	pam_unix.so
--- a/SOURCES/openwsman-2.4.12-ruby-binding-build.patch
+++ b/SOURCES/openwsman-2.4.12-ruby-binding-build.patch
+diff -up openwsman-2.7.2/bindings/ruby/extconf.rb.orig openwsman-2.7.2/bindings/ruby/extconf.rb
+--- openwsman-2.7.2/bindings/ruby/extconf.rb.orig	2022-12-28 16:43:03.000000000 +0100
+++ openwsman-2.7.2/bindings/ruby/extconf.rb	2023-08-09 12:50:21.361216733 +0200
+@@ -32,7 +32,7 @@ swig = find_executable("swig")
+ raise "SWIG not found" unless swig
+ 
+ major, minor, path = RUBY_VERSION.split(".")
+-raise "SWIG failed to run" unless system("#{swig} -ruby -autorename -DRUBY_VERSION=#{major}#{minor} -I. -I/usr/include/openwsman -o openwsman_wrap.c openwsman.i")
+raise "SWIG failed to run" unless system("#{swig} -ruby -autorename -DRUBY_VERSION=#{major}#{minor} -I. -I/usr/include/openwsman -I/builddir/build/BUILD/openwsman-2.7.2/include/ -o openwsman_wrap.c openwsman.i")
+ 
+ $CPPFLAGS = "-I/usr/include/openwsman -I.."
+ 
--- a/SOURCES/openwsman-2.6.2-openssl-1.1-fix.patch
+++ b/SOURCES/openwsman-2.6.2-openssl-1.1-fix.patch
+diff -up openwsman-2.7.0/src/server/shttpd/compat_unix.h.orig openwsman-2.7.0/src/server/shttpd/compat_unix.h
+--- openwsman-2.7.0/src/server/shttpd/compat_unix.h.orig	2020-05-25 15:16:28.000000000 +0200
+++ openwsman-2.7.0/src/server/shttpd/compat_unix.h	2021-03-09 09:15:26.750942006 +0100
+@@ -27,10 +27,6 @@
+ 	pthread_create(&tid, NULL, (void *(*)(void *))a, c); } while (0)
+ #endif /* !NO_THREADS */
+ 
+-#ifndef SSL_LIB
+-#define	SSL_LIB				"libssl.so"
+-#endif
+-
+ #define	DIRSEP				'/'
+ #define	IS_DIRSEP_CHAR(c)		((c) == '/')
+ #define	O_BINARY			0
+diff -up openwsman-2.7.0/src/server/shttpd/io_ssl.c.orig openwsman-2.7.0/src/server/shttpd/io_ssl.c
+--- openwsman-2.7.0/src/server/shttpd/io_ssl.c.orig	2020-05-25 15:16:28.000000000 +0200
+++ openwsman-2.7.0/src/server/shttpd/io_ssl.c	2021-03-09 09:15:26.750942006 +0100
+@@ -11,28 +11,6 @@
+ #include "defs.h"
+ 
+ #if !defined(NO_SSL)
+-struct ssl_func	ssl_sw[] = {
+-	{"SSL_free",			{0}},
+-	{"SSL_accept",			{0}},
+-	{"SSL_connect",			{0}},
+-	{"SSL_read",			{0}},
+-	{"SSL_write",			{0}},
+-	{"SSL_get_error",		{0}},
+-	{"SSL_set_fd",			{0}},
+-	{"SSL_new",			{0}},
+-	{"SSL_CTX_new",			{0}},
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+-	{"SSLv23_server_method",	{0}},
+-	{"SSL_library_init",		{0}},
+-#else
+-	{"TLS_server_method",	{0}},
+-	{"OPENSSL_init_ssl",		{0}},
+-#endif
+-	{"SSL_CTX_use_PrivateKey_file",	{0}},
+-	{"SSL_CTX_use_certificate_file",{0}},
+-	{NULL,				{0}}
+-};
+-
+ void
+ _shttpd_ssl_handshake(struct stream *stream)
+ {
+diff -up openwsman-2.7.0/src/server/shttpd/shttpd.c.orig openwsman-2.7.0/src/server/shttpd/shttpd.c
+--- openwsman-2.7.0/src/server/shttpd/shttpd.c.orig	2020-05-25 15:16:28.000000000 +0200
+++ openwsman-2.7.0/src/server/shttpd/shttpd.c	2021-03-09 09:16:58.843241510 +0100
+@@ -1489,25 +1489,13 @@ set_ssl(struct shttpd_ctx *ctx, const ch
+ 	int		retval = FALSE;
+ 	EC_KEY*		key;
+ 
+-	/* Load SSL library dynamically */
+-	if ((lib = dlopen(SSL_LIB, RTLD_LAZY)) == NULL) {
+-		_shttpd_elog(E_LOG, NULL, "set_ssl: cannot load %s", SSL_LIB);
+-		return (FALSE);
+-	}
+-
+-	for (fp = ssl_sw; fp->name != NULL; fp++)
+-		if ((fp->ptr.v_void = dlsym(lib, fp->name)) == NULL) {
+-			_shttpd_elog(E_LOG, NULL,"set_ssl: cannot find %s", fp->name);
+-			return (FALSE);
+-		}
+-
+ 	/* Initialize SSL crap */
+ 
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	SSL_library_init();
+ 	if ((CTX = SSL_CTX_new(SSLv23_server_method())) == NULL)
+ #else
+-        OPENSSL_init_ssl();
+        OPENSSL_init_ssl(0, NULL);
+ 	if ((CTX = SSL_CTX_new(TLS_server_method())) == NULL)
+ #endif
+ 		_shttpd_elog(E_LOG, NULL, "SSL_CTX_new error");
+diff -up openwsman-2.7.0/src/server/shttpd/ssl.h.orig openwsman-2.7.0/src/server/shttpd/ssl.h
+--- openwsman-2.7.0/src/server/shttpd/ssl.h.orig	2020-05-25 15:16:28.000000000 +0200
+++ openwsman-2.7.0/src/server/shttpd/ssl.h	2021-03-09 09:15:26.750942006 +0100
+@@ -12,55 +12,4 @@
+ 
+ #include <openssl/ssl.h>
+ 
+-#else
+-
+-/*
+- * Snatched from OpenSSL includes. I put the prototypes here to be independent
+- * from the OpenSSL source installation. Having this, shttpd + SSL can be
+- * built on any system with binary SSL libraries installed.
+- */
+-
+-typedef struct ssl_st SSL;
+-typedef struct ssl_method_st SSL_METHOD;
+-typedef struct ssl_ctx_st SSL_CTX;
+-
+-#define	SSL_ERROR_WANT_READ	2
+-#define	SSL_ERROR_WANT_WRITE	3
+-#define	SSL_ERROR_SYSCALL	5
+-#define	SSL_FILETYPE_PEM	1
+-
+-#endif
+-
+-/*
+- * Dynamically loaded SSL functionality
+- */
+-struct ssl_func {
+-	const char	*name;		/* SSL function name	*/
+-	union variant	ptr;		/* Function pointer	*/
+-};
+-
+-extern struct ssl_func	ssl_sw[];
+-
+-#define	FUNC(x)	ssl_sw[x].ptr.v_func
+-
+-#define	SSL_free(x)	(* (void (*)(SSL *)) FUNC(0))(x)
+-#define	SSL_accept(x)	(* (int (*)(SSL *)) FUNC(1))(x)
+-#define	SSL_connect(x)	(* (int (*)(SSL *)) FUNC(2))(x)
+-#define	SSL_read(x,y,z)	(* (int (*)(SSL *, void *, int)) FUNC(3))((x),(y),(z))
+-#define	SSL_write(x,y,z) \
+-	(* (int (*)(SSL *, const void *,int)) FUNC(4))((x), (y), (z))
+-#define	SSL_get_error(x,y)(* (int (*)(SSL *, int)) FUNC(5))((x), (y))
+-#define	SSL_set_fd(x,y)	(* (int (*)(SSL *, int)) FUNC(6))((x), (y))
+-#define	SSL_new(x)	(* (SSL * (*)(SSL_CTX *)) FUNC(7))(x)
+-#define	SSL_CTX_new(x)	(* (SSL_CTX * (*)(const SSL_METHOD *)) FUNC(8))(x)
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+-#define	SSLv23_server_method()	(* (SSL_METHOD * (*)(void)) FUNC(9))()
+-#define	SSL_library_init() (* (int (*)(void)) FUNC(10))()
+-#else
+-#define	TLS_server_method()	(* (SSL_METHOD * (*)(void)) FUNC(9))()
+-#define	OPENSSL_init_ssl() (* (int (*)(void)) FUNC(10))()
+ #endif
+-#define	SSL_CTX_use_PrivateKey_file(x,y,z)	(* (int (*)(SSL_CTX *, \
+-		const char *, int)) FUNC(11))((x), (y), (z))
+-#define	SSL_CTX_use_certificate_file(x,y,z)	(* (int (*)(SSL_CTX *, \
+-		const char *, int)) FUNC(12))((x), (y), (z))
--- a/SOURCES/openwsman-2.6.5-http-status-line.patch
+++ b/SOURCES/openwsman-2.6.5-http-status-line.patch
+diff -up openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-listener.c.orig openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-listener.c
+--- openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-listener.c.orig	2016-07-27 16:03:55.000000000 +0200
+++ openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-listener.c	2018-01-22 13:05:04.478923300 +0100
+@@ -344,6 +344,35 @@ DONE:
+ 	if (fault_reason == NULL) {
+ 		// this is a way to segfault, investigate
+ 		//fault_reason = shttpd_reason_phrase(status);
+		// ugly workaround follows...
+		switch (status) {
+			case 200:
+				fault_reason = "OK";
+				break;
+			case 400:
+				fault_reason = "Bad request";
+				break;
+			case 401:
+				fault_reason = "Unauthorized";
+				break;
+			case 403:
+				fault_reason = "Forbidden";
+				break;
+			case 404:
+				fault_reason = "Not found";
+				break;
+			case 500:
+				fault_reason = "Internal Error";
+				break;
+			case 501:
+				fault_reason = "Not implemented";
+				break;
+			case 415:
+				fault_reason = "Unsupported Media Type";
+				break;
+			default:
+				fault_reason = "";
+		}
+ 	}
+ 	debug("Response status=%d (%s)", status, fault_reason);
+ 
--- a/SOURCES/openwsman-2.6.8-update-ssleay-conf.patch
+++ b/SOURCES/openwsman-2.6.8-update-ssleay-conf.patch
+diff -up openwsman-2.7.1/etc/ssleay.cnf.orig openwsman-2.7.1/etc/ssleay.cnf
+--- openwsman-2.7.1/etc/ssleay.cnf.orig	2021-11-09 08:27:48.577749509 +0100
+++ openwsman-2.7.1/etc/ssleay.cnf	2021-11-09 08:28:10.499967010 +0100
+@@ -3,7 +3,7 @@
+ #
+ 
+ [ req ]
+-default_bits            = 1024
+default_bits            = 2048
+ default_keyfile         = privkey.pem
+ distinguished_name      = req_distinguished_name
+ 
--- a/SOURCES/openwsman-2.7.2-fix-ftbfs.patch
+++ b/SOURCES/openwsman-2.7.2-fix-ftbfs.patch
+diff -up openwsman-2.7.2/bindings/openwsman.i.orig openwsman-2.7.2/bindings/openwsman.i
+--- openwsman-2.7.2/bindings/openwsman.i.orig	2024-01-22 09:36:42.764721705 +0100
+++ openwsman-2.7.2/bindings/openwsman.i	2024-01-22 09:37:29.970817151 +0100
+@@ -109,7 +109,7 @@ SWIGINTERNINLINE SV *SWIG_From_double  S
+ 
+ %typemap(in) FILE* {
+ #if RUBY_VERSION > 18
+-  struct rb_io_t *fptr;
+  struct rb_io *fptr;
+ #else
+   struct OpenFile *fptr;
+ #endif
--- a/SOURCES/openwsman.fc
+++ b/SOURCES/openwsman.fc
+/usr/lib/systemd/system/openwsmand.*		--	gen_context(system_u:object_r:openwsman_unit_file_t,s0)
+
+/usr/sbin/openwsmand		--	gen_context(system_u:object_r:openwsman_exec_t,s0)
+
+/var/log/wsmand.*	--	gen_context(system_u:object_r:openwsman_log_t,s0)
+
+/var/run/wsmand.*	--	gen_context(system_u:object_r:openwsman_run_t,s0)
--- a/SOURCES/openwsman.if
+++ b/SOURCES/openwsman.if
+## <summary>WS-Management Server</summary>
+
+########################################
+## <summary>
+##	Execute openwsman in the openwsman domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openwsman_domtrans',`
+	gen_require(`
+		type openwsman_t, openwsman_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, openwsman_exec_t, openwsman_t)
+')
+########################################
+## <summary>
+##	Execute openwsman server in the openwsman domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`openwsman_systemctl',`
+	gen_require(`
+		type openwsman_t;
+		type openwsman_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 openwsman_unit_file_t:file read_file_perms;
+	allow $1 openwsman_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, openwsman_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an openwsman environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openwsman_admin',`
+	gen_require(`
+		type openwsman_t;
+	    type openwsman_unit_file_t;
+	')
+
+	allow $1 openwsman_t:process { signal_perms };
+	ps_process_pattern($1, openwsman_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 openwsman_t:process ptrace;
+    ')
+
+	openwsman_systemctl($1)
+	admin_pattern($1, openwsman_unit_file_t)
+	allow $1 openwsman_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
--- a/SOURCES/openwsman.te
+++ b/SOURCES/openwsman.te
+policy_module(openwsman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openwsman_t;
+type openwsman_exec_t;
+init_daemon_domain(openwsman_t, openwsman_exec_t)
+
+type openwsman_tmp_t;
+files_tmp_file(openwsman_tmp_t)
+
+type openwsman_tmpfs_t;
+files_tmpfs_file(openwsman_tmpfs_t)
+
+type openwsman_log_t;
+logging_log_file(openwsman_log_t)
+
+type openwsman_run_t;
+files_pid_file(openwsman_run_t)
+
+type openwsman_unit_file_t;
+systemd_unit_file(openwsman_unit_file_t)
+
+########################################
+#
+# openwsman local policy
+#
+
+allow openwsman_t self:capability setuid;
+
+allow openwsman_t self:process { fork };
+allow openwsman_t self:fifo_file rw_fifo_file_perms;
+allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
+allow openwsman_t self:tcp_socket { accept create_socket_perms listen };
+
+manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
+logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
+
+manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
+files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
+
+auth_use_nsswitch(openwsman_t)
+auth_domtrans_chkpwd(openwsman_t)
+
+corenet_tcp_connect_pegasus_https_port(openwsman_t)
+corenet_tcp_bind_vnc_port(openwsman_t)
+corenet_tcp_bind_http_port(openwsman_t)
+
+dev_read_urand(openwsman_t)
+
+logging_send_syslog_msg(openwsman_t)
+logging_send_audit_msgs(openwsman_t)
+
+optional_policy(`
+    sblim_stream_connect_sfcbd(openwsman_t)
+    sblim_rw_semaphores_sfcbd(openwsman_t)
+    sblim_getattr_exec_sfcbd(openwsman_t)
+')
+
+optional_policy(`
+    unconfined_domain(openwsman_t)
+')
+
--- a/SOURCES/openwsmand.service
+++ b/SOURCES/openwsmand.service
+[Unit]
+Description=Openwsman WS-Management Service
+After=syslog.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/openwsmand -S
+ExecStartPre=/etc/openwsman/owsmantestcert.sh
+PIDFile=/var/run/wsmand.pid
+
+[Install]
+WantedBy=multi-user.target
--- a/SOURCES/owsmantestcert.sh
+++ b/SOURCES/owsmantestcert.sh
+#!/bin/bash
+
+if [ ! -f "/etc/openwsman/serverkey.pem" ]; then
+  if [ -f "/etc/ssl/servercerts/servercert.pem" \
+       -a -f "/etc/ssl/servercerts/serverkey.pem" ]; then
+    echo "Using common server certificate /etc/ssl/servercerts/servercert.pem"
+    ln -s /etc/ssl/servercerts/server{cert,key}.pem /etc/openwsman
+    exit 0
+  else
+    echo "FAILED: Starting openwsman server"
+    echo "There is no ssl server key available for openwsman server to use."
+    echo -e "Please generate one with the following script and start the openwsman service again:\n"
+    echo "##################################"
+    echo "/etc/openwsman/owsmangencert.sh"
+    echo "================================="
+    
+    echo "NOTE: The script uses /dev/random device for generating some random bits while generating the server key."
+    echo "      If this takes too long, you can replace the value of \"RANDFILE\" in /etc/openwsman/ssleay.cnf with /dev/urandom. Please understand the implications of replacing the RNADFILE."
+    exit 1
+  fi
+fi
--- a/SPECS/openwsman.spec
+++ b/SPECS/openwsman.spec