Red Hat Bugzilla – Attachment 865668 Details for
Bug 1067119
strongimcv is not built with full hardening (full relro and PIE)
[patch]
The changes to spec file to enable full hardening and modified file permissions and some other changes.
strongimcv-specfile.patch (text/plain), 6.24 KB, created by
Avesh Agarwal
on 2014-02-20 20:06:09 UTC
>diff --git a/strongimcv.spec b/strongimcv.spec >index 8287b9b..deab4ef 100644 >--- a/strongimcv.spec >+++ b/strongimcv.spec >@@ -1,9 +1,9 @@ >-%global hardened_build 1 >+%global _hardened_build 1 > %global name2 strongswan > > Name: strongimcv > Version: 5.1.1 >-Release: 3%{?dist} >+Release: 4%{?dist} > Summary: Trusted Network Connect (TNC) Architecture > Group: Applications/System > License: GPLv2+ >@@ -15,8 +15,9 @@ Patch2: libstrongswan-plugin.patch > Patch3: libstrongswan-settings-debug.patch > Patch4: libstrongswan-973315.patch > Patch5: strongswan-1036844.patch >+Patch6: strongimcv-systemd-service.patch > >-BuildRequires: gmp-devel autoconf automake >+BuildRequires: autoconf automake > BuildRequires: libcurl-devel > BuildRequires: openssl-devel > BuildRequires: sqlite-devel >@@ -38,11 +39,12 @@ Requires(preun): initscripts > %description > This package provides Trusted Network Connect's (TNC) architecture support. > It includes support for TNC client and server (IF-TNCCS), IMC and IMV message >-exchange (IF-M), interface between IMC/IMV and TNC client/server (IF-IMC and IF-IMV). >-It also includes PTS based IMC/IMV for TPM based remote attestation, SWID IMC/IMV, >-and OS IMC/IMV. It's IMC/IMV dynamic libraries modules can be used by any third party >-TNC Client/Server implementation possessing a standard IF-IMC/IMV interface. In >-addition, it implements PT-TLS to support TNC over TLS. >+exchange (IF-M), interface between IMC/IMV and TNC client/server (IF-IMC >+and IF-IMV). It also includes PTS based IMC/IMV for TPM based remote >+attestation, SWID IMC/IMV, and OS IMC/IMV. It's IMC/IMV dynamic libraries >+modules can be used by any third party TNC Client/Server implementation >+possessing a standard IF-IMC/IMV interface. In addition, it implements >+PT-TLS to support TNC over TLS. > > This package has disabled it's IKE features as those are not supported. 
> >@@ -54,6 +56,7 @@ This package has disabled it's IKE features as those are not supported. > %patch3 -p1 > %patch4 -p1 > %patch5 -p1 >+%patch6 -p1 > > %build > # for initscript patch to work >@@ -123,17 +126,19 @@ done > rm %{buildroot}%{_libdir}/%{name}/*.so > find %{buildroot} -type f -name '*.la' -delete > # fix config permissions >-chmod 644 %{buildroot}%{_sysconfdir}/%{name}/%{name2}.conf >+#chmod 644 %{buildroot}%{_sysconfdir}/%{name}/%{name2}.conf > # protect configuration from ordinary user's eyes >-chmod 700 %{buildroot}%{_sysconfdir}/%{name} >+#chmod 700 %{buildroot}%{_sysconfdir}/%{name} > # setup systemd unit or initscript > %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 > mv %{buildroot}%{_unitdir}/%{name2}.service %{buildroot}%{_unitdir}/%{name}.service > %else > install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} > %endif >-#rename /usr/bin/pki to avoid conflict with pki-core/pki-tools >-mv %{buildroot}%{_bindir}/pki %{buildroot}%{_bindir}/%{name}-pki >+##rename /usr/bin/pki to avoid conflict with pki-core/pki-tools >+#mv %{buildroot}%{_bindir}/pki %{buildroot}%{_bindir}/%{name}-pki >+#move /usr/bin/pki to avoid conflict with pki-core/pki-tools >+mv %{buildroot}%{_bindir}/pki %{buildroot}%{_libexecdir}/%{name}/pki > #rename swid tag directory > mv %{buildroot}%{_datadir}/regid.2004-03.org.%{name2} %{buildroot}%{_datadir}/regid.2004-03.org.%{name} > >@@ -170,13 +175,12 @@ fi > %else > %endif > >- > %files > %doc README COPYING NEWS TODO >-%dir %{_sysconfdir}/%{name} >+%attr(755,root,root) %dir %{_sysconfdir}/%{name} > %{_sysconfdir}/%{name}/ipsec.d/ >-%config(noreplace) %{_sysconfdir}/%{name}/ipsec.conf >-%config(noreplace) %{_sysconfdir}/%{name}/%{name2}.conf >+%config(noreplace) %attr(644,root,root) %{_sysconfdir}/%{name}/ipsec.conf >+%config(noreplace) %attr(644,root,root) %{_sysconfdir}/%{name}/%{name2}.conf > %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 > %{_unitdir}/%{name}.service > %else 
>@@ -210,15 +214,16 @@ fi > %{_libdir}/%{name}/plugins/lib%{name2}-stroke.so > %{_libdir}/%{name}/plugins/lib%{name2}-x509.so > %{_libdir}/%{name}/plugins/lib%{name2}-curl.so >-%dir %{_libexecdir}/%{name} >-%{_libexecdir}/%{name}/_copyright >-%{_libexecdir}/%{name}/charon >-%{_libexecdir}/%{name}/openac >-%{_libexecdir}/%{name}/scepclient >-%{_libexecdir}/%{name}/starter >-%{_libexecdir}/%{name}/stroke >-%{_bindir}/%{name}-pki >-%{_sbindir}/%{name} >+%attr(700,root,root) %dir %{_libexecdir}/%{name} >+%attr(700,root,root) %{_libexecdir}/%{name}/_copyright >+%attr(700,root,root) %{_libexecdir}/%{name}/charon >+%attr(700,root,root) %{_libexecdir}/%{name}/openac >+%attr(700,root,root) %{_libexecdir}/%{name}/scepclient >+%attr(700,root,root) %{_libexecdir}/%{name}/starter >+%attr(700,root,root) %{_libexecdir}/%{name}/stroke >+%attr(700,root,root) %{_libexecdir}/%{name}/pki >+#%{_bindir}/%{name}-pki >+%attr(700,root,root) %{_sbindir}/%{name} > %{_mandir}/man1/%{name}_pki*.1.gz > %{_mandir}/man5/%{name}_%{name2}.conf.5.gz > %{_mandir}/man8/%{name}.8.gz 
>@@ -252,17 +257,30 @@ fi > %{_libdir}/%{name}/plugins/lib%{name2}-tnccs-dynamic.so > %{_libdir}/%{name}/plugins/lib%{name2}-tnc-ifmap.so > %{_libdir}/%{name}/plugins/lib%{name2}-tnc-pdp.so >-%{_libexecdir}/%{name}/_imv_policy >-%{_libexecdir}/%{name}/imv_policy_manager >-%{_libexecdir}/%{name}/attest >-%{_libexecdir}/%{name}/pacman >-%{_libexecdir}/%{name}/pt-tls-client >+%attr(700,root,root) %{_libexecdir}/%{name}/_imv_policy >+%attr(700,root,root) %{_libexecdir}/%{name}/imv_policy_manager >+%attr(700,root,root) %{_libexecdir}/%{name}/attest >+%attr(700,root,root) %{_libexecdir}/%{name}/pacman >+%attr(700,root,root) %{_libexecdir}/%{name}/pt-tls-client > #swid files > %{_libexecdir}/%{name}/*.swidtag > %dir %{_datadir}/regid.2004-03.org.%{name} > %{_datadir}/regid.2004-03.org.%{name}/*.swidtag > > %changelog >+* Thu Feb 20 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-4 >+Resolves:#1067119 >+- Fixed full hardening for strongswan (full relro and PIE). >+ The previous macros had a typo and did not work >+ (see bz#1067119). >+- Fixed files permissions for executables and config files to >+ correctly reflect their intent. >+- Fixed tnc package description to eliminate rpmlint errors. >+- Fixed pki binary and moved it to /usr/libexece/strongswan as >+ others binaries are there too to eliminate rpmlint errors. >+- Fixed systemd service name to "strongimv TNC". >+- Removed the dependency on gmp-devel >+ > * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 5.1.1-3 > - Mass rebuild 2014-01-24 >
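Review bot: Nothing in the spec would catch the hardening macro being misspelled again, which is the defect the first hunk (`@@ -1,9 +1,9 @@`) corrects by renaming `hardened_build` to `_hardened_build`. Consider checking the built ELF files for PIE and full RELRO during package review or in a `%check` step, so that a silent regression fails visibly instead of shipping.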
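Review bot: In the `@@ -15,8 +15,9 @@` hunk, `gmp-devel` is dropped from `BuildRequires`, but no hunk in this patch changes the configure options in `%build`, so it is not visible here whether the GMP-based plugin is disabled. Please confirm the build no longer looks for GMP. `Patch6: strongimcv-systemd-service.patch` would also benefit from a one-line comment saying what it changes.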
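Review bot: Since the `%description` text in the `@@ -38,11 +39,12 @@` hunk is being re-wrapped anyway, fix the possessive while touching it: "It's IMC/IMV dynamic libraries modules" should read "Its IMC/IMV dynamic library modules". The unchanged context line "has disabled it's IKE features" has the same error.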
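Review bot: The two `chmod` lines and the old `mv ... %{name}-pki` line in the `@@ -123,17 +126,19 @@` hunk are commented out rather than deleted, which leaves the comment "protect configuration from ordinary user's eyes" above a command that no longer runs and puts macros inside comments, something rpmlint reports as macro-in-comment. Delete the dead lines together with their stale comments, since the permissions are now set with `%attr` in `%files`.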
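Review bot: `%attr(755,root,root) %dir %{_sysconfdir}/%{name}` in the `@@ -170,13 +175,12 @@` hunk replaces the former `chmod 700` on that directory, so the configuration directory goes from root-only to world-readable, and `%{_sysconfdir}/%{name}/ipsec.d/` is listed with no explicit `%attr` at all. The changelog says only that permissions now "reflect their intent"; please state why world-readable access is intended, and set an explicit restrictive mode on `ipsec.d/` if anything under it holds key material.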
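Review bot: With `%attr(700,root,root)` on `%{_libexecdir}/%{name}` and on `pki` in the `@@ -210,15 +214,16 @@` hunk, the relocated `pki` tool can only be run by root and no longer lives in `%{_bindir}`, yet `%{_mandir}/man1/%{name}_pki*.1.gz` is still packaged as a section 1 user command. Confirm that root-only use is intended, and remove the leftover `#%{_bindir}/%{name}-pki` line instead of commenting it out.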
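Review bot: The new `%changelog` entry in the `@@ -252,17 +257,30 @@` hunk says pki was moved to "/usr/libexece/strongswan", which contains a typo and does not match the `%{_libexecdir}/%{name}/pki` destination used in the spec, where `%{name}` is strongimcv. Correct the path, and give the `Resolves:#1067119` line the same leading "- " as the other items in the entry.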