commit:     7b1821119f093af1396b20cfd26c24188d5936f1
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Tue Aug 18 04:27:33 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Aug 18 04:29:26 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b182111

sys-process/audit: Remove lock from init script

The lock in the init script was only needed on Redhat. OpenRC keeps track of
whether the process is started, so the lock is not required. Also fix perms on
the systemd unit.

Gentoo-Bug: https://bugs.gentoo.org/556436
Gentoo-Bug: https://bugs.gentoo.org/449990

Package-Manager: portage-2.2.20.1

 sys-process/audit/audit-2.4.3-r1.ebuild     | 225 ++++++++++++++++++++++++++++
 sys-process/audit/files/auditd-init.d-2.4.3 |  91 +++++++++++
 2 files changed, 316 insertions(+)

diff --git a/sys-process/audit/audit-2.4.3-r1.ebuild 
b/sys-process/audit/audit-2.4.3-r1.ebuild
new file mode 100644
index 0000000..e7284e5
--- /dev/null
+++ b/sys-process/audit/audit-2.4.3-r1.ebuild
@@ -0,0 +1,225 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+PYTHON_COMPAT=( python{2_7,3_3,3_4} )
+
+inherit autotools multilib multilib-minimal toolchain-funcs python-r1 
linux-info eutils systemd
+
+DESCRIPTION="Userspace utilities for storing and processing auditing records"
+HOMEPAGE="http://people.redhat.com/sgrubb/audit/";
+SRC_URI="http://people.redhat.com/sgrubb/audit/${P}.tar.gz";
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
+IUSE="ldap python"
+# Testcases are pretty useless as they are built for RedHat users/groups and
+# kernels.
+RESTRICT="test"
+
+RDEPEND="ldap? ( net-nds/openldap )
+               sys-libs/libcap-ng"
+DEPEND="${RDEPEND}
+               >=sys-kernel/linux-headers-2.6.34
+               python? (
+                       ${PYTHON_DEPS}
+                       dev-lang/swig:0
+               )"
+# Do not use os-headers as this is linux specific
+
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+CONFIG_CHECK="~AUDIT"
+
+pkg_setup() {
+       linux-info_pkg_setup
+}
+
+src_prepare() {
+       epatch_user
+
+       # Do not build GUI tools
+       sed -i \
+               -e '/AC_CONFIG_SUBDIRS.*system-config-audit/d' \
+               "${S}"/configure.ac || die
+       sed -i \
+               -e 's,system-config-audit,,g' \
+               "${S}"/Makefile.am || die
+       rm -rf "${S}"/system-config-audit
+
+       if ! use ldap; then
+               sed -i \
+                       -e 
'/^AC_OUTPUT/s,audisp/plugins/zos-remote/Makefile,,g' \
+                       "${S}"/configure.ac || die
+               sed -i \
+                       -e '/^SUBDIRS/s,zos-remote,,g' \
+                       "${S}"/audisp/plugins/Makefile.am || die
+       fi
+
+       # Don't build static version of Python module.
+       epatch "${FILESDIR}"/${PN}-2.4.3-python.patch
+
+       # glibc/kernel upstreams suck with both defining ia64_fpreg
+       # This patch is a horribly workaround that is only valid as long as you
+       # don't need the OTHER definitions in fpu.h.
+       epatch "${FILESDIR}"/${PN}-2.1.3-ia64-compile-fix.patch
+
+       # there is no --without-golang conf option
+       sed -e "/^SUBDIRS =/s/ @gobind_dir@//" -i bindings/Makefile.am || die
+
+       # Regenerate autotooling
+       eautoreconf
+
+       # Bug 352198: Avoid parallel build fail
+       cd "${S}"/src/mt
+       [[ ! -s private.h ]] && ln -s ../../lib/private.h .
+}
+
+multilib_src_configure() {
+       local ECONF_SOURCE=${S}
+       econf \
+               --sbindir=/sbin \
+               --enable-systemd \
+               --without-python \
+               --without-python3
+
+       if multilib_is_native_abi; then
+               python_configure() {
+                       mkdir -p "${BUILD_DIR}" || die
+                       cd "${BUILD_DIR}" || die
+
+                       if python_is_python3; then
+                               econf --without-python --with-python3
+                       else
+                               econf --with-python --without-python3
+                       fi
+               }
+
+               use python && python_foreach_impl python_configure
+       fi
+}
+
+multilib_src_compile() {
+       if multilib_is_native_abi; then
+               default
+
+               python_compile() {
+                       local pysuffix pydef
+                       if python_is_python3; then
+                               pysuffix=3
+                               pydef='USE_PYTHON3=true'
+                       else
+                               pysuffix=2
+                               pydef='HAVE_PYTHON=true'
+                       fi
+
+                       emake -C "${BUILD_DIR}"/bindings/swig \
+                               VPATH="${native_build}/lib" \
+                               LIBS="${native_build}/lib/libaudit.la" \
+                               
_audit_la_LIBADD="${native_build}/lib/libaudit.la" \
+                               _audit_la_DEPENDENCIES="${S}/lib/libaudit.h 
${native_build}/lib/libaudit.la" \
+                               ${pydef}
+                       emake -C 
"${BUILD_DIR}"/bindings/python/python${pysuffix} \
+                               
VPATH="${S}/bindings/python/python${pysuffix}:${native_build}/bindings/python/python${pysuffix}"
 \
+                               
auparse_la_LIBADD="${native_build}/auparse/libauparse.la 
${native_build}/lib/libaudit.la" \
+                               ${pydef}
+               }
+
+               local native_build="${BUILD_DIR}"
+               use python && python_foreach_impl python_compile
+       else
+               emake -C lib
+               emake -C auparse
+       fi
+}
+
+multilib_src_install() {
+       if multilib_is_native_abi; then
+               emake DESTDIR="${D}" initdir="$(systemd_get_unitdir)" install
+
+               python_install() {
+                       local pysuffix pydef
+                       if python_is_python3; then
+                               pysuffix=3
+                               pydef='USE_PYTHON3=true'
+                       else
+                               pysuffix=2
+                               pydef='HAVE_PYTHON=true'
+                       fi
+
+                       emake -C "${BUILD_DIR}"/bindings/swig \
+                               VPATH="${native_build}/lib" \
+                               LIBS="${native_build}/lib/libaudit.la" \
+                               
_audit_la_LIBADD="${native_build}/lib/libaudit.la" \
+                               _audit_la_DEPENDENCIES="${S}/lib/libaudit.h 
${native_build}/lib/libaudit.la" \
+                               ${pydef} \
+                               DESTDIR="${D}" install
+                       emake -C 
"${BUILD_DIR}"/bindings/python/python${pysuffix} \
+                               
VPATH="${S}/bindings/python/python${pysuffix}:${native_build}/bindings/python/python${pysuffix}"
 \
+                               
auparse_la_LIBADD="${native_build}/auparse/libauparse.la 
${native_build}/lib/libaudit.la" \
+                               ${pydef} \
+                               DESTDIR="${D}" install
+               }
+
+               local native_build=${BUILD_DIR}
+               use python && python_foreach_impl python_install
+
+               # things like shadow use this so we need to be in /
+               gen_usr_ldscript -a audit auparse
+       else
+               emake -C lib DESTDIR="${D}" install
+               emake -C auparse DESTDIR="${D}" install
+       fi
+}
+
+multilib_src_install_all() {
+       dodoc AUTHORS ChangeLog README* THANKS TODO
+       docinto contrib
+       dodoc contrib/{*.rules,avc_snap,skeleton.c}
+       docinto contrib/plugin
+       dodoc contrib/plugin/*
+
+       newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
+       newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+
+       chmod 644 "${D}/$(systemd_get_unitdir)"/auditd.service || die # 556436
+
+       [ -f "${D}"/sbin/audisp-remote ] && \
+       dodir /usr/sbin && \
+       mv "${D}"/{sbin,usr/sbin}/audisp-remote || die
+
+       # Gentoo rules
+       insinto /etc/audit/
+       newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
+       doins "${FILESDIR}"/audit.rules.stop*
+
+       # audit logs go here
+       keepdir /var/log/audit/
+
+       # Security
+       lockdown_perms "${D}"
+
+       prune_libtool_files --modules
+}
+
+pkg_preinst() {
+       # Preserve from the audit-1 series
+       preserve_old_lib /$(get_libdir)/libaudit.so.0
+}
+
+pkg_postinst() {
+       lockdown_perms "${ROOT}"
+       # Preserve from the audit-1 series
+       preserve_old_lib_notify /$(get_libdir)/libaudit.so.0
+}
+
+lockdown_perms() {
+       # upstream wants these to have restrictive perms
+       basedir="$1"
+       chmod 0750 "${basedir}"/sbin/au{ditctl,report,dispd,ditd,search,trace} 
2>/dev/null
+       chmod 0750 "${basedir}"/var/log/audit/ 2>/dev/null
+       chmod 0640 "${basedir}"/etc/{audit/,}{auditd.conf,audit.rules*} 
2>/dev/null
+}
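Review bot: `lockdown_perms` discards every chmod failure (`2>/dev/null`, no exit-status check), so the package can be merged with `/var/log/audit/`, `auditd.conf` or `audit.rules*` left at whatever mode the install step gave them, and nothing in the build log shows it. The redirection is presumably there because the brace expansions name paths that do not exist in every layout (both `/etc/audit/` and `/etc/`); testing each path and failing only when an existing one cannot be changed keeps that tolerance without hiding real errors. `basedir` should also be declared `local` so it does not leak into the ebuild's global scope. The function is also called from `pkg_postinst` with `${ROOT}`, where a warning instead of `die` may be preferable; that is a maintainer call.

```bash
lockdown_perms() {
	# upstream wants these to have restrictive perms
	local basedir="$1" f
	for f in "${basedir}"/sbin/au{ditctl,report,dispd,ditd,search,trace} \
			"${basedir}"/var/log/audit/; do
		# skip names that this layout does not install
		[[ -e ${f} ]] || continue
		chmod 0750 "${f}" || die "chmod 0750 ${f} failed"
	done
	for f in "${basedir}"/etc/{audit/,}{auditd.conf,audit.rules*}; do
		# an unmatched audit.rules* glob stays literal and is skipped here
		[[ -e ${f} ]] || continue
		chmod 0640 "${f}" || die "chmod 0640 ${f} failed"
	done
}
```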

diff --git a/sys-process/audit/files/auditd-init.d-2.4.3 
b/sys-process/audit/files/auditd-init.d-2.4.3
new file mode 100644
index 0000000..33c932a
--- /dev/null
+++ b/sys-process/audit/files/auditd-init.d-2.4.3
@@ -0,0 +1,91 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_started_commands='reload reload_auditd reload_rules'
+description='Linux Auditing System'
+description_reload='Reload daemon configuration and rules'
+description_reload_rules='Reload daemon rules'
+description_reload_auditd='Reload daemon configuration'
+
+name='auditd'
+pidfile='/var/run/auditd.pid'
+command='/sbin/auditd'
+
+start_auditd() {
+       # Env handling taken from the upstream init script
+       if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = 
"NONE" ]; then
+               unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY 
LC_COLLATE
+       else
+               LANG="$AUDITD_LANG"
+               LC_TIME="$AUDITD_LANG"
+               LC_ALL="$AUDITD_LANG"
+               LC_MESSAGES="$AUDITD_LANG"
+               LC_NUMERIC="$AUDITD_LANG"
+               LC_MONETARY="$AUDITD_LANG"
+               LC_COLLATE="$AUDITD_LANG"
+               export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY 
LC_COLLATE
+       fi
+       unset HOME MAIL USER USERNAME
+
+       ebegin "Starting ${name}"
+       start-stop-daemon \
+               --start --quiet --pidfile ${pidfile} \
+               --exec ${command} -- ${EXTRAOPTIONS}
+       local ret=$?
+       eend $ret
+       return $ret
+}
+
+stop_auditd() {
+       ebegin "Stopping ${name}"
+       start-stop-daemon --stop --quiet --pidfile ${pidfile}
+       local ret=$?
+       eend $ret
+       return $ret
+}
+
+loadfile() {
+       local rules="$1"
+       if [ -n "${rules}" -a -f "${rules}" ]; then
+               einfo "Loading audit rules from ${rules}"
+               /sbin/auditctl -R "${rules}" >/dev/null
+               return $?
+       else
+               return 0
+       fi
+}
+
+start() {
+       start_auditd
+       local ret=$?
+       if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then
+               loadfile "${RULEFILE_STARTUP}"
+       fi
+       return $ret
+}
+
+reload_rules() {
+       loadfile "${RULEFILE_STARTUP}"
+}
+
+reload_auditd() {
+       ebegin "Reloading ${SVCNAME}"
+       start-stop-daemon --signal HUP \
+           --exec "${command}" --pidfile "${pidfile}"
+       eend $?
+}
+
+reload() {
+       reload_auditd
+       reload_rules
+}
+
+stop() {
+       [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}"
+       stop_auditd
+       local ret=$?
+       [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}"
+       return $ret
+}
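Review bot: In `start()` the exit status of `loadfile "${RULEFILE_STARTUP}"` is thrown away and `loadfile` sends `auditctl -R` output to `/dev/null`, so a rules file that fails to load leaves the service reported as started without the intended rule set, with nothing on the console to show it. Surfacing the failure is a one-line change: `loadfile "${RULEFILE_STARTUP}" || ewarn "Failed to load audit rules from ${RULEFILE_STARTUP}"`. `loadfile` also returns 0 when `${rules}` is set but is not a regular file, so a mistyped path in the conf.d file is equally silent; an `ewarn` in that `else` branch for the non-empty case would catch it. `reload()` has the analogous gap, since the result of `reload_auditd` is ignored and only the status of `reload_rules` is returned.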
