Hello community, here is the log from the commit of package microos-tools for openSUSE:Factory checked in at 2020-08-14 09:31:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/microos-tools (Old) and /work/SRC/openSUSE:Factory/.microos-tools.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "microos-tools" Fri Aug 14 09:31:52 2020 rev:9 rq:826036 version:2.3 Changes: -------- --- /work/SRC/openSUSE:Factory/microos-tools/microos-tools.changes 2020-08-06 10:38:44.554018537 +0200 +++ /work/SRC/openSUSE:Factory/.microos-tools.new.3399/microos-tools.changes 2020-08-14 09:33:00.976388798 +0200 @@ -1,0 +2,11 @@ +Wed Aug 12 07:32:04 UTC 2020 - Thorsten Kukuk <[email protected]> + +- Update to version 2.3 + - overwrite tmp.mount options with SELinux label for /tmp + - Add generator to label mount points if required + - Add dracut module to relabel core system if required + - Add locale-check to reset locale to system default if the one + set by SSH does not exist [bsc#1156175] + - Set TMPDIR for salt to not use /tmp (preparation for noexec) + +------------------------------------------------------------------- Old: ---- microos-tools-2.2.tar.xz New: ---- microos-tools-2.3.tar.xz microos-tools-rpmlintrc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ microos-tools.spec ++++++ --- /var/tmp/diff_new_pack.8OemyU/_old 2020-08-14 09:33:02.004389325 +0200 +++ /var/tmp/diff_new_pack.8OemyU/_new 2020-08-14 09:33:02.004389325 +0200 @@ -17,19 +17,20 @@ Name: microos-tools -Version: 2.2 +Version: 2.3 Release: 0 Summary: Files and Scripts for openSUSE MicroOS License: GPL-2.0-or-later Group: Development/Tools/Other URL: https://github.com/kubic-project/microos-tools Source: microos-tools-%{version}.tar.xz +Source99: microos-tools-rpmlintrc BuildRequires: distribution-release BuildRequires: pkgconfig +BuildRequires: pkgconfig(dracut) BuildRequires: pkgconfig(systemd) Requires: read-only-root-fs Conflicts: systemd-coredump -BuildArch: noarch %description Files, scripts and directories for openSUSE Kubic. 
@@ -45,30 +46,48 @@ %make_install %pre -%service_add_pre setup-systemd-proxy-env.service +%service_add_pre setup-systemd-proxy-env.service printenv.service %post -%service_add_post setup-systemd-proxy-env.service +%regenerate_initrd_post +%service_add_post setup-systemd-proxy-env.service printenv.service %preun -%service_del_preun setup-systemd-proxy-env.service +%service_del_preun setup-systemd-proxy-env.service printenv.service %postun -%service_del_postun setup-systemd-proxy-env.service +%regenerate_initrd_post +%service_del_postun setup-systemd-proxy-env.service printenv.service + +%posttrans +%regenerate_initrd_posttrans %files %license COPYING -%config %{_sysconfdir}/systemd/system/systemd-firstboot.service +%dir %{_sysconfdir}/selinux +%config %{_sysconfdir}/selinux/fixfiles_exclude_dirs %dir %{_sysconfdir}/systemd %dir %{_sysconfdir}/systemd/system +%config %{_sysconfdir}/systemd/system/systemd-firstboot.service %{_unitdir}/MicroOS-firstboot.service %{_unitdir}/printenv.service %{_unitdir}/setup-systemd-proxy-env.path %{_unitdir}/setup-systemd-proxy-env.service %dir %{_unitdir}/sysinit.target.wants %{_unitdir}/sysinit.target.wants/MicroOS-firstboot.service -%{_prefix}/lib/sysctl.d/30-corefiles.conf +%dir %{_unitdir}/tmp.mount.d +%{_unitdir}/tmp.mount.d/selinux.conf +%dir %{_unitdir}/salt-minion.service.d +%{_unitdir}/salt-minion.service.d/TMPDIR.conf +%{_tmpfilesdir}/salt-minion-tmpdir.conf +%{_sysctldir}/30-corefiles.conf %{_libexecdir}/MicroOS-firstboot %{_sbindir}/setup-systemd-proxy-env +%dir %{_prefix}/lib/dracut +%dir %{_prefix}/lib/dracut/modules.d +%{_prefix}/lib/dracut/modules.d/98selinux-microos +%{_systemdgeneratordir}/selinux-autorelabel-generator +%config %{_sysconfdir}/profile.d/ssh-locale-check.sh +%{_bindir}/locale-check %changelog ++++++ microos-tools-2.2.tar.xz -> microos-tools-2.3.tar.xz ++++++ ++++ 5546 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/Makefile.am new/microos-tools-2.3/Makefile.am --- old/microos-tools-2.2/Makefile.am 2020-07-29 13:08:17.000000000 +0200 +++ new/microos-tools-2.3/Makefile.am 2020-08-12 09:21:16.000000000 +0200 @@ -1,6 +1,7 @@ AUTOMAKE_OPTIONS = 1.6 foreign check-news dist-xz -SUBDIRS = firstboot systemd-proxy-env systemd-printenv sysctl +SUBDIRS = firstboot systemd-proxy-env systemd-printenv systemd-tmpfs \ + selinux sysctl locale-check CLEANFILES = *~ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/NEWS new/microos-tools-2.3/NEWS --- old/microos-tools-2.2/NEWS 2020-07-29 13:11:42.000000000 +0200 +++ new/microos-tools-2.3/NEWS 2020-08-12 10:59:29.000000000 +0200 
@@ -1,3 +1,11 @@ +Version 2.3 + - override tmp.mount option to set correct SELinux label for /tmp + - Prepare "noexec" for tmp.mount + - Override TMPDIR for salt to not exec things in /tmp + - Add selinux dracut module to relabel system at bootup + - Add locale-check to reset locale to system default if the one + set by SSH does not exist [bsc#1156175] + Version 2.2 - tmp.mount is provided now by systemd diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/README.md new/microos-tools-2.3/README.md --- old/microos-tools-2.2/README.md 2020-07-29 13:08:17.000000000 +0200 +++ new/microos-tools-2.3/README.md 2020-08-12 10:58:54.000000000 +0200 @@ -1,6 +1,27 @@ # MicroOS Tools Files and scripts for openSUSE MicroOS +## /tmp on tmpfs with noexec flag + +MicroOS will use tmpfs for /tmp with noexec flag set in the future. +For this reasons, salt-minion will write it's temporary files into +/run/salt-tmp. +In general, daemons should use private disk space for their data +and not shared one in /tmp. + +## SELinux + +MicroOS has preliminary support for SELinux. +If the file `/etc/selinux/.autorelabel` exists, the dracut module +`98selinux-microos` will label the root filesystem including +`/etc` and `/var`. + +## locale-check + +MicroOS supports only a limited number of locales (C, C.utf8, en_US.utf8, +POSIX). If you login via SSH, the locale settings will be verified that +they exist on this system. If not, locale is reset to the system default. + ## systemd services ### setup-systemd-proxy-env.service 
@@ -12,3 +33,4 @@ The `printenv.service` is to debug which environment variables exist by default. It just calls `printenv`. + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/compile new/microos-tools-2.3/compile --- old/microos-tools-2.2/compile 1970-01-01 01:00:00.000000000 +0100 +++ new/microos-tools-2.3/compile 2020-08-12 09:24:46.000000000 +0200 
@@ -0,0 +1,348 @@ +#! /bin/sh +# Wrapper for compilers which do not understand '-c -o'. + +scriptversion=2016-01-11.22; # UTC + +# Copyright (C) 1999-2017 Free Software Foundation, Inc. +# Written by Tom Tromey <[email protected]>. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# This file is maintained in Automake, please report +# bugs to <[email protected]> or send patches to +# <[email protected]>. + +nl=' +' + +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent tools from complaining about whitespace usage. +IFS=" "" $nl" + +file_conv= + +# func_file_conv build_file lazy +# Convert a $build file to $host form and store it in $file +# Currently only supports Windows hosts. If the determined conversion +# type is listed in (the comma separated) LAZY, no conversion will +# take place. 
+func_file_conv () +{ + file=$1 + case $file in + / | /[!/]*) # absolute file, and not a UNC file + if test -z "$file_conv"; then + # lazily determine how to convert abs files + case `uname -s` in + MINGW*) + file_conv=mingw + ;; + CYGWIN*) + file_conv=cygwin + ;; + *) + file_conv=wine + ;; + esac + fi + case $file_conv/,$2, in + *,$file_conv,*) + ;; + mingw/*) + file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` + ;; + cygwin/*) + file=`cygpath -m "$file" || echo "$file"` + ;; + wine/*) + file=`winepath -w "$file" || echo "$file"` + ;; + esac + ;; + esac +} + +# func_cl_dashL linkdir +# Make cl look for libraries in LINKDIR +func_cl_dashL () +{ + func_file_conv "$1" + if test -z "$lib_path"; then + lib_path=$file + else + lib_path="$lib_path;$file" + fi + linker_opts="$linker_opts -LIBPATH:$file" +} + +# func_cl_dashl library +# Do a library search-path lookup for cl +func_cl_dashl () +{ + lib=$1 + found=no + save_IFS=$IFS + IFS=';' + for dir in $lib_path $LIB + do + IFS=$save_IFS + if $shared && test -f "$dir/$lib.dll.lib"; then + found=yes + lib=$dir/$lib.dll.lib + break + fi + if test -f "$dir/$lib.lib"; then + found=yes + lib=$dir/$lib.lib + break + fi + if test -f "$dir/lib$lib.a"; then + found=yes + lib=$dir/lib$lib.a + break + fi + done + IFS=$save_IFS + + if test "$found" != yes; then + lib=$lib.lib + fi +} + +# func_cl_wrapper cl arg... +# Adjust compile command to suit cl +func_cl_wrapper () +{ + # Assume a capable shell + lib_path= + shared=: + linker_opts= + for arg + do + if test -n "$eat"; then + eat= + else + case $1 in + -o) + # configure might choose to run compile as 'compile cc -o foo foo.c'. 
+ eat=1 + case $2 in + *.o | *.[oO][bB][jJ]) + func_file_conv "$2" + set x "$@" -Fo"$file" + shift + ;; + *) + func_file_conv "$2" + set x "$@" -Fe"$file" + shift + ;; + esac + ;; + -I) + eat=1 + func_file_conv "$2" mingw + set x "$@" -I"$file" + shift + ;; + -I*) + func_file_conv "${1#-I}" mingw + set x "$@" -I"$file" + shift + ;; + -l) + eat=1 + func_cl_dashl "$2" + set x "$@" "$lib" + shift + ;; + -l*) + func_cl_dashl "${1#-l}" + set x "$@" "$lib" + shift + ;; + -L) + eat=1 + func_cl_dashL "$2" + ;; + -L*) + func_cl_dashL "${1#-L}" + ;; + -static) + shared=false + ;; + -Wl,*) + arg=${1#-Wl,} + save_ifs="$IFS"; IFS=',' + for flag in $arg; do + IFS="$save_ifs" + linker_opts="$linker_opts $flag" + done + IFS="$save_ifs" + ;; + -Xlinker) + eat=1 + linker_opts="$linker_opts $2" + ;; + -*) + set x "$@" "$1" + shift + ;; + *.cc | *.CC | *.cxx | *.CXX | *.[cC]++) + func_file_conv "$1" + set x "$@" -Tp"$file" + shift + ;; + *.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO]) + func_file_conv "$1" mingw + set x "$@" "$file" + shift + ;; + *) + set x "$@" "$1" + shift + ;; + esac + fi + shift + done + if test -n "$linker_opts"; then + linker_opts="-link$linker_opts" + fi + exec "$@" $linker_opts + exit 1 +} + +eat= + +case $1 in + '') + echo "$0: No command. Try '$0 --help' for more information." 1>&2 + exit 1; + ;; + -h | --h*) + cat <<\EOF +Usage: compile [--help] [--version] PROGRAM [ARGS] + +Wrapper for compilers which do not understand '-c -o'. +Remove '-o dest.o' from ARGS, run PROGRAM with the remaining +arguments, and rename the output as expected. + +If you are trying to build a whole package this is not the +right script to run: please start by reading the file 'INSTALL'. + +Report bugs to <[email protected]>. +EOF + exit $? + ;; + -v | --v*) + echo "compile $scriptversion" + exit $? + ;; + cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \ + icl | *[/\\]icl | icl.exe | *[/\\]icl.exe ) + func_cl_wrapper "$@" # Doesn't return... 
+ ;; +esac + +ofile= +cfile= + +for arg +do + if test -n "$eat"; then + eat= + else + case $1 in + -o) + # configure might choose to run compile as 'compile cc -o foo foo.c'. + # So we strip '-o arg' only if arg is an object. + eat=1 + case $2 in + *.o | *.obj) + ofile=$2 + ;; + *) + set x "$@" -o "$2" + shift + ;; + esac + ;; + *.c) + cfile=$1 + set x "$@" "$1" + shift + ;; + *) + set x "$@" "$1" + shift + ;; + esac + fi + shift +done + +if test -z "$ofile" || test -z "$cfile"; then + # If no '-o' option was seen then we might have been invoked from a + # pattern rule where we don't need one. That is ok -- this is a + # normal compilation that the losing compiler can handle. If no + # '.c' file was seen then we are probably linking. That is also + # ok. + exec "$@" +fi + +# Name of file we expect compiler to create. +cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'` + +# Create the lock directory. +# Note: use '[/\\:.-]' here to ensure that we don't use the same name +# that we are using for the .o file. Also, base the name on the expected +# object file name, since that is what matters with a parallel build. +lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d +while true; do + if mkdir "$lockdir" >/dev/null 2>&1; then + break + fi + sleep 1 +done +# FIXME: race condition here if user kills between mkdir and trap. +trap "rmdir '$lockdir'; exit 1" 1 2 15 + +# Run the compile. +"$@" +ret=$? 
+ +if test -f "$cofile"; then + test "$cofile" = "$ofile" || mv "$cofile" "$ofile" +elif test -f "${cofile}bj"; then + test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile" +fi + +rmdir "$lockdir" +exit $ret + +# Local Variables: +# mode: shell-script +# sh-indentation: 2 +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC0" +# time-stamp-end: "; # UTC" +# End: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/configure.ac new/microos-tools-2.3/configure.ac --- old/microos-tools-2.2/configure.ac 2020-07-29 13:11:24.000000000 +0200 +++ new/microos-tools-2.3/configure.ac 2020-08-12 09:25:52.000000000 +0200 @@ -1,5 +1,5 @@ dnl Process this file with autoconf to produce a configure script. -AC_INIT(microos-tools, 2.2) +AC_INIT(microos-tools, 2.3) AM_INIT_AUTOMAKE AC_PREFIX_DEFAULT(/usr) @@ -8,6 +8,12 @@ PKG_CHECK_VAR([systemdsystemunitdir], [systemd], [systemdsystemunitdir], [], [AC_MSG_ERROR([Could not determine value for 'systemdsystemunitdir' - is the 'systemd.pc' file installed?])]) +PKG_CHECK_VAR([tmpfilesdir], [systemd], [tmpfilesdir], [], + [AC_MSG_ERROR([Could not determine value for 'tmpfilesdir' - is the 'systemd.pc' file installed?])]) +PKG_CHECK_VAR([systemdgeneratordir], [systemd], [systemdsystemgeneratordir], [], + [AC_MSG_ERROR([Could not determine value for 'systemdsystemgeneratordir' - is the 'systemd.pc' file installed?])]) +PKG_CHECK_VAR([dracutmodulesdir], [dracut], [dracutmodulesdir], [], + [AC_MSG_ERROR([Could not determine value for 'dracutmodulesdir' - is the 'dracut.pc' file installed?])]) if test "${exec_prefix}" = "NONE" then 
@@ -17,9 +23,11 @@ fi AC_SUBST(SYSCTLDIR) +AC_PROG_CC AC_PROG_INSTALL AC_PROG_LN_S AC_OUTPUT([Makefile firstboot/Makefile firstboot/MicroOS-firstboot.service \ systemd-proxy-env/Makefile systemd-printenv/Makefile \ - sysctl/Makefile]) + systemd-tmpfs/Makefile sysctl/Makefile selinux/Makefile \ + locale-check/Makefile]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/locale-check/Makefile.am new/microos-tools-2.3/locale-check/Makefile.am --- old/microos-tools-2.2/locale-check/Makefile.am 1970-01-01 01:00:00.000000000 +0100 +++ new/microos-tools-2.3/locale-check/Makefile.am 2020-08-12 09:23:40.000000000 +0200 @@ -0,0 +1,7 @@ +profileddir = @sysconfdir@/profile.d + +profiled_DATA = ssh-locale-check.sh + +EXTRA_DIST = $(DATA) + +bin_PROGRAMS = locale-check diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/locale-check/locale-check.c new/microos-tools-2.3/locale-check/locale-check.c --- old/microos-tools-2.2/locale-check/locale-check.c 1970-01-01 01:00:00.000000000 +0100 +++ new/microos-tools-2.3/locale-check/locale-check.c 2020-08-12 08:27:00.000000000 +0200 
@@ -0,0 +1,82 @@
+/* From base-files-11ubuntu5.1 */
+
+#include <locale.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+char *help = "locale-check DEFAULT_LOCALE\n"
+ "\n"
+ "Check that the various locale-related environment variables contain\n"
+ "values that can be set. Output shell that can be passed to eval to\n"
+ "set any invalid environment variables to DEFAULT_LOCALE\n";
+
+static void usage(void) {
+ fprintf(stderr, "%s", help);
+ exit(1);
+}
+
+static void check(int category, char* varname, char* defvalue) {
+ if (getenv(varname) != NULL) {
+ if (setlocale(category, "") == NULL) {
+ printf("%s=%s\n", varname, defvalue);
+ }
+ }
+}
+
+#define SINGLEQUOTE '\''
+#define BACKSLASH '\\'
+
+/* Quote 'val' for shell */
+static char *quote(char* val) {
+ /* This implementation single quotes val and replaces single quotes
+ with SINGLEQUOTE BACKSLASH SINGLEQUOTE SINGLEQUOTE. The worst
+ case is that val is entirely single quotes, in which case each
+ character of the input becomes 4 bytes. Then 3 bytes for
+ surrounding quotes and terminating NUL. */
+ char *ret = malloc(strlen(val)*4+3);
+ char *source = val;
+ char *dest = ret;
+
+ *dest++ = SINGLEQUOTE;
+ while (*source) {
+ if (*source == SINGLEQUOTE) {
+ *dest++ = SINGLEQUOTE;
+ *dest++ = BACKSLASH;
+ *dest++ = SINGLEQUOTE;
+ }
+ *dest++ = *source++;
+ }
+ *dest++ = SINGLEQUOTE;
+ *dest++ = 0;
+ return ret;
+}
+
+#define CHECK(cat, def) check(cat, #cat, def);
+
+int main(int argc, char** argv) {
+ char *defval;
+ if (argc != 2) {
+ usage();
+ }
+ defval = quote(argv[1]);
+ /* setlocale will never consult LANG if LC_ALL is set */
+ if (getenv("LC_ALL") == NULL) {
+ check(LC_ALL, "LANG", defval);
+ } else {
+ CHECK(LC_ALL, defval);
+ }
+ CHECK(LC_ADDRESS, defval);
+ CHECK(LC_COLLATE, defval);
+ CHECK(LC_CTYPE, defval);
+ CHECK(LC_IDENTIFICATION, defval);
+ CHECK(LC_MEASUREMENT, defval);
+ CHECK(LC_MESSAGES, defval);
+ CHECK(LC_MONETARY, defval);
+ CHECK(LC_NAME, defval);
+ CHECK(LC_NUMERIC, defval);
+ CHECK(LC_PAPER, defval);
+ CHECK(LC_TELEPHONE, defval);
+ CHECK(LC_TIME, defval);
+ return 0;
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/locale-check/ssh-locale-check.sh new/microos-tools-2.3/locale-check/ssh-locale-check.sh
--- old/microos-tools-2.2/locale-check/ssh-locale-check.sh 1970-01-01 01:00:00.000000000 +0100
+++ new/microos-tools-2.3/locale-check/ssh-locale-check.sh 2020-08-12 09:15:02.000000000 +0200
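Review bot: quote() writes through the result of `malloc(strlen(val)*4+3)` without checking it, so an allocation failure becomes a NULL write in a program whose stdout is fed to `eval` by the profile script. Add `if (ret == NULL) { perror("malloc"); exit(1); }` directly after the allocation; exiting with nothing on stdout leaves the caller's eval with an empty string. The size bound itself agrees with the comment (four output bytes per input quote, two delimiters, one NUL). `help` is never modified and could be declared `static const char help[]`.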
@@ -0,0 +1,14 @@
+#
+# locale-check.sh: Verify that the locale SSH did set is valid,
+# else reset to the system default.
+#
+
+# Only check locale if it did got set by SSH
+test -z "$SSH_SENDS_LOCALE" && return
+
+_SYSTEM_DEFAULT_LANG=C.UTF-8
+if [ -s /etc/locale.conf ]; then
+ eval "$(sed -rn -e 's/^(LANG)=/_SYSTEM_DEFAULT_\1=/p' < /etc/locale.conf)"
+fi
+# Make sure the locale variables are set to valid values.
+eval "$(/usr/bin/locale-check ${_SYSTEM_DEFAULT_LANG})"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/selinux/98selinux-microos/module-setup.sh new/microos-tools-2.3/selinux/98selinux-microos/module-setup.sh
--- old/microos-tools-2.2/selinux/98selinux-microos/module-setup.sh 1970-01-01 01:00:00.000000000 +0100
+++ new/microos-tools-2.3/selinux/98selinux-microos/module-setup.sh 2020-08-03 21:11:39.000000000 +0200
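Review bot: The last line passes `${_SYSTEM_DEFAULT_LANG}` unquoted, so a value from /etc/locale.conf that is empty or contains whitespace changes the argument count and locale-check exits with its usage text on every SSH login; write it as `eval "$(/usr/bin/locale-check "${_SYSTEM_DEFAULT_LANG}")"`. The earlier `eval` of the sed output runs the whole `LANG=` line as shell code in each login shell, so anything following the value in that file is executed too; the file is normally root-owned, so this is hardening, but reading the value without eval (stripping optional quotes) would avoid it. The helper variable is left behind in the user's shell, so end the script with `unset _SYSTEM_DEFAULT_LANG`. Where `SSH_SENDS_LOCALE` gets set is not visible in this diff and deserves a comment next to the test.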
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# called by dracut
+check() {
+ test -f /etc/selinux/config || return 1
+ return 0
+}
+
+# called by dracut
+depends() {
+ return 0
+}
+
+# called by dracut
+install() {
+ inst_hook pre-pivot 50 "$moddir/selinux-microos-relabel.sh"
+ inst_multiple setenforce
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/selinux/98selinux-microos/selinux-microos-relabel.sh new/microos-tools-2.3/selinux/98selinux-microos/selinux-microos-relabel.sh
--- old/microos-tools-2.2/selinux/98selinux-microos/selinux-microos-relabel.sh 1970-01-01 01:00:00.000000000 +0100
+++ new/microos-tools-2.3/selinux/98selinux-microos/selinux-microos-relabel.sh 2020-08-10 11:45:28.000000000 +0200
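Review bot: install() pulls in only `setenforce`, which the hook script added in this commit mentions solely in a commented-out line, while the tools that hook actually runs from the initrd (`mount`, `umount`, `chroot`, `rm`) are not declared. If they are expected to come from dracut's base module, say so in a comment above the call; otherwise list them, e.g. `inst_multiple mount umount chroot rm`. check() would also benefit from a comment stating that the module is included whenever /etc/selinux/config exists on the host building the initrd, independent of the SELinux mode configured in it.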
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+rd_microos_relabel()
+{
+ # If SELinux is disabled exit now
+ getarg "selinux=0" > /dev/null && return 0
+
+ SELINUX="enforcing"
+ [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config"
+
+ if [ "$SELINUX" = "disabled" ]; then
+ return 0;
+ fi
+
+ # We need to load a SELinux policy to label the filesystem
+ if [ -x "$NEWROOT/usr/sbin/load_policy" ]; then
+ ret=0
+ info "Loading SELinux policy"
+
+ for sysdir in /proc /sys /dev; do
+ if ! mount --rbind "${sysdir}" "${NEWROOT}${sysdir}" ; then
+ warn "ERROR: mounting ${sysdir} failed!"
+ ret=1
+ fi
+ done
+ if [ $ret -eq 0 ]; then
+ # load_policy does mount /proc and /sys/fs/selinux in
+ # libselinux,selinux_init_load_policy()
+ if [ -x "$NEWROOT/sbin/load_policy" ]; then
+ out=$(LANG=C chroot "$NEWROOT" /sbin/load_policy -i 2>&1)
+ ret=$?
+ info "$out"
+ else
+ out=$(LANG=C chroot "$NEWROOT" /usr/sbin/load_policy -i 2>&1)
+ ret=$?
+ info "$out"
+ fi
+
+ if [ $ret -eq 0 ]; then
+ #LANG=C /usr/sbin/setenforce 0
+ mount -o remount,rw "$NEWROOT"
+ LANG=C chroot "$NEWROOT" /sbin/restorecon -R -e /var/lib/overlay /
+ rm -f "$NEWROOT"/.autorelabel
+ rm -f "$NEWROOT"/etc/sysconfig/.autorelabel
+ mount -o remount,ro "$NEWROOT"
+ fi
+ fi
+ for sysdir in /proc /sys /dev; do
+ if ! umount -R "${NEWROOT}${sysdir}" ; then
+ warn "ERROR: unmounting ${sysdir} failed!"
+ ret=1
+ fi
+ done
+
+ return $ret
+ fi
+}
+
+if test -f "$NEWROOT"/etc/selinux/.autorelabel; then
+ rd_microos_relabel
+elif getarg "autorelabel" > /dev/null; then
+ rd_microos_relabel
+fi
+
+return 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/selinux/Makefile.am new/microos-tools-2.3/selinux/Makefile.am
--- old/microos-tools-2.2/selinux/Makefile.am 1970-01-01 01:00:00.000000000 +0100
+++ new/microos-tools-2.3/selinux/Makefile.am 2020-08-08 17:46:37.000000000 +0200
@@ -0,0 +1,11 @@
+modulesdir = @dracutmodulesdir@/98selinux-microos
+selinuxdir = @sysconfdir@/selinux
+
+modules_SCRIPTS = 98selinux-microos/selinux-microos-relabel.sh \
+ 98selinux-microos/module-setup.sh
+
+selinux_DATA = fixfiles_exclude_dirs
+
+systemdgenerator_SCRIPTS = selinux-autorelabel-generator
+
+EXTRA_DIST = $(SCRIPTS) $(DATA)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/selinux/fixfiles_exclude_dirs new/microos-tools-2.3/selinux/fixfiles_exclude_dirs
--- old/microos-tools-2.2/selinux/fixfiles_exclude_dirs 1970-01-01 01:00:00.000000000 +0100
+++ new/microos-tools-2.3/selinux/fixfiles_exclude_dirs 2020-08-05 18:46:37.000000000 +0200
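Review bot: In rd_microos_relabel (selinux-microos-relabel.sh) the exit status of `restorecon` is discarded and the `.autorelabel` markers are removed right after it, so a failed or partial relabel is reported as success and this script will not retry it. Record the status and gate the cleanup on it, e.g. `LANG=C chroot "$NEWROOT" /sbin/restorecon -R -e /var/lib/overlay / || ret=1` followed by `[ $ret -eq 0 ] && rm -f "$NEWROOT"/.autorelabel "$NEWROOT"/etc/sysconfig/.autorelabel`, keeping the remount to read-only unconditional. The trigger file tested at the bottom, `"$NEWROOT"/etc/selinux/.autorelabel`, is not among the files removed here; presumably it is left for the systemd generator, which should be stated in a comment. When `load_policy` is not executable the function falls through without a message, so a requested relabel is skipped silently; a `warn` in that branch would make it visible in the boot log.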
@@ -0,0 +1 @@
+/var/lib/overlay
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/selinux/selinux-autorelabel-generator new/microos-tools-2.3/selinux/selinux-autorelabel-generator
--- old/microos-tools-2.2/selinux/selinux-autorelabel-generator 1970-01-01 01:00:00.000000000 +0100
+++ new/microos-tools-2.3/selinux/selinux-autorelabel-generator 2020-08-11 17:16:11.000000000 +0200
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# This systemd.generator(7) detects if SELinux is running and if the
+# user requested an autorelabel. If so, services will be enabled to
+# run after subvolumes and partitions are mounted before local-fs.target
+# is reached.
+
+# If invoked with no arguments (for testing) write to /tmp.
+generatordir="/tmp"
+if [ -n "$1" ]; then
+ generatordir="$1"
+fi
+
+enable_units() {
+ mkdir -p "${generatordir}"/local-fs.target.requires
+
+ for realdir in ".snapshots" "home" "opt" "root" "srv" "usr/local" \
+ "boot/grub2/i386-pc" "boot/grub2/x86_64-efi" \
+ "boot/grub2/arm64-efi" "boot/writable"; do
+ # Make sure the directory exist, else we create
+ # services for non existing mount points
+ test -d "/${realdir}" || continue
+ mountunit=$(systemd-escape --path ${realdir})
+ unitfile="${mountunit}-relabel.service"
+
+ {
+ echo "[Unit]";
+ echo "Description=Relabel ${realdir}";
+ echo "DefaultDependencies=no";
+ echo "After=${mountunit}.mount";
+ echo "Before=local-fs.target";
+ echo "ConditionSecurity=selinux";
+ echo "";
+ echo "[Service]";
+ echo "Type=oneshot";
+ echo "ExecStart=/sbin/restorecon -R /${realdir}"; } > "${generatordir}"/"${unitfile}"
+
+ ln -sf ../"${unitfile}" "${generatordir}"/local-fs.target.requires/"${unitfile}"
+ done
+}
+
+if [ -x /usr/sbin/selinuxenabled ] && selinuxenabled; then
+ if test -f /etc/selinux/.autorelabel; then
+ enable_units
+ rm -f /etc/selinux/.autorelabel
+ elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
+ enable_units
+ fi
+fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/systemd-tmpfs/Makefile.am new/microos-tools-2.3/systemd-tmpfs/Makefile.am
--- old/microos-tools-2.2/systemd-tmpfs/Makefile.am 1970-01-01 01:00:00.000000000
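Review bot: With no argument the generator writes unit files and a symlink under fixed names directly in `/tmp` (`generatordir="/tmp"`), and generators run as root; predictable paths in a world-writable directory can be pre-created by another local user as symlinks or directories. For the testing case use a private directory, e.g. `generatordir="${1:-$(mktemp -d)}"`, or refuse to run without an argument. Separately, `/etc/selinux/.autorelabel` is deleted as soon as the units are generated, before any relabel service has run, so a relabel that fails is not repeated on the next boot; consider removing the marker from a unit ordered after the relabel services instead. The check tests `/usr/sbin/selinuxenabled` but then calls `selinuxenabled` through PATH, and `systemd-escape --path ${realdir}` leaves its argument unquoted; both are harmless with the fixed list here but worth making consistent.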
+0100
+++ new/microos-tools-2.3/systemd-tmpfs/Makefile.am 2020-08-03 14:58:47.000000000 +0200
@@ -0,0 +1,9 @@
+systemddir = $(systemdsystemunitdir)
+tmpmountdir = $(systemdsystemunitdir)/tmp.mount.d
+saltminiondir = $(systemdsystemunitdir)/salt-minion.service.d
+
+tmpmount_DATA = tmp.mount/selinux.conf
+tmpfiles_DATA = salt-minion/salt-minion-tmpdir.conf
+saltminion_DATA = salt-minion/TMPDIR.conf
+
+EXTRA_DIST = $(DATA)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/systemd-tmpfs/salt-minion/TMPDIR.conf new/microos-tools-2.3/systemd-tmpfs/salt-minion/TMPDIR.conf
--- old/microos-tools-2.2/systemd-tmpfs/salt-minion/TMPDIR.conf 1970-01-01 01:00:00.000000000 +0100
+++ new/microos-tools-2.3/systemd-tmpfs/salt-minion/TMPDIR.conf 2020-08-03 14:56:10.000000000 +0200
@@ -0,0 +1,2 @@
+[Service]
+Environment="TMPDIR=/run/salt-tmp/"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/systemd-tmpfs/salt-minion/salt-minion-tmpdir.conf new/microos-tools-2.3/systemd-tmpfs/salt-minion/salt-minion-tmpdir.conf
--- old/microos-tools-2.2/systemd-tmpfs/salt-minion/salt-minion-tmpdir.conf 1970-01-01 01:00:00.000000000 +0100
+++ new/microos-tools-2.3/systemd-tmpfs/salt-minion/salt-minion-tmpdir.conf 2020-08-03 14:51:07.000000000 +0200
@@ -0,0 +1 @@
+d /run/salt-tmp 0750 root root
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/microos-tools-2.2/systemd-tmpfs/tmp.mount/selinux.conf new/microos-tools-2.3/systemd-tmpfs/tmp.mount/selinux.conf
--- old/microos-tools-2.2/systemd-tmpfs/tmp.mount/selinux.conf 1970-01-01 01:00:00.000000000 +0100
+++ new/microos-tools-2.3/systemd-tmpfs/tmp.mount/selinux.conf 2020-07-30 17:26:31.000000000 +0200
@@ -0,0 +1,2 @@
+[Mount]
+Options=mode=1777,strictatime,nosuid,nodev,rootcontext=system_u:object_r:tmp_t:s0
++++++ microos-tools-rpmlintrc ++++++ addFilter('suse-filelist-forbidden-systemd-userdirs') addFilter('systemd-unit-in-etc') addFilter('dangling-symlink') addFilter('postin-without-tmpfile-creation') addFilter('tmpfile-not-in-filelist') addFilter('suse-missing-rclink') addFilter('.*W: systemd-service-without-service.*MicroOS-firstboot.service.*')
