[shorewall/f15] Add upstream ALL patch to fix handling zones that begin with 'all' Add patch to close stdin to preve
Orion Poplawski
orion at fedoraproject.org
Wed Aug 3 17:51:09 UTC 2011
commit e9e6101624280fb9c96ecddf4b2b59b343e3aa4b
Author: Orion Poplawski <orion at cora.nwra.com>
Date: Wed Aug 3 11:06:36 2011 -0600
Add upstream ALL patch to fix handling zones that begin with 'all'
Add patch to close stdin to prevent some SELinux denial messages (bug 727648)
Make libexec files executable
shorewall-ALL.patch | 13 ++++++
shorewall-qtnoin.patch | 99 +++++++++++++++++++++++++++++++++++++++++++++++
shorewall.spec | 32 +++++++++++----
shorewall6-qtnoin.patch | 27 +++++++++++++
4 files changed, 163 insertions(+), 8 deletions(-)
---
diff --git a/shorewall-ALL.patch b/shorewall-ALL.patch
new file mode 100644
index 0000000..c78352c
--- /dev/null
+++ b/shorewall-ALL.patch
@@ -0,0 +1,13 @@
+diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
+index c8b0d15..c06c653 100644
+--- a/Shorewall/Perl/Shorewall/Rules.pm
++++ b/Shorewall/Perl/Shorewall/Rules.pm
+@@ -2252,7 +2252,7 @@ sub build_zone_list( $$$\$\$ ) {
+ #
+ # Handle Wildcards
+ #
+- if ( $input =~ /^(all[-+]*)(![^:]+)?(:.*)?/ ) {
++ if ( $input =~ /^(all[-+]*)(![^:]+)?(:.*)?$/ ) {
+ $input = $1;
+ $exclude = $2;
+ $rest = $3;
diff --git a/shorewall-qtnoin.patch b/shorewall-qtnoin.patch
new file mode 100644
index 0000000..c9268b7
--- /dev/null
+++ b/shorewall-qtnoin.patch
@@ -0,0 +1,99 @@
+diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
+index 9f2a6a5..9551aeb 100644
+--- a/Shorewall/Perl/Shorewall/Config.pm
++++ b/Shorewall/Perl/Shorewall/Config.pm
+@@ -2315,7 +2315,7 @@ sub qt( $ ) {
+ print "SYS----> @_\n";
+ system( "@_ 2>&1" );
+ } else {
+- system( "@_ > /dev/null 2>&1" ) == 0;
++ system( "@_ > /dev/null 2>&1 < /dev/null" ) == 0;
+ }
+ }
+
+diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
+index 07f50a0..6d9bb76 100644
+--- a/Shorewall/Perl/Shorewall/Misc.pm
++++ b/Shorewall/Perl/Shorewall/Misc.pm
+@@ -1989,8 +1989,8 @@ EOF
+ emit <<'EOF';
+ if [ -f ${VARDIR}/proxyarp ]; then
+ while read address interface external haveroute; do
+- qt $IP -4 neigh del proxy $address dev $external
+- [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface
++ qtnoin $IP -4 neigh del proxy $address dev $external
++ [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
+ f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+ [ -f $f ] && echo 0 > $f
+ done < ${VARDIR}/proxyarp
+@@ -2003,8 +2003,8 @@ EOF
+ emit <<'EOF';
+ if [ -f ${VARDIR}/proxyndp ]; then
+ while read address interface external haveroute; do
+- qt $IP -6 neigh del proxy $address dev $external
+- [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
++ qtnoin $IP -6 neigh del proxy $address dev $external
++ [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -6 route del $address/128 dev $interface
+ f=/proc/sys/net/ipv4/conf/$interface/proxy_ndp
+ [ -f $f ] && echo 0 > $f
+ done < ${VARDIR}/proxyndp
+diff --git a/Shorewall/Perl/prog.header b/Shorewall/Perl/prog.header
+index ac6b643..e0ed9be 100644
+--- a/Shorewall/Perl/prog.header
++++ b/Shorewall/Perl/prog.header
+@@ -272,7 +272,7 @@ get_interface_bcasts() # $1 = interface
+ #
+ del_ip_addr() # $1 = address, $2 = interface
+ {
+- [ $(find_first_interface_address_if_any $2) = $1 ] || qt $IP addr del $1 dev $2
++ [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
+ }
+
+ # Add IP Aliases
+@@ -624,8 +624,8 @@ conditionally_flush_conntrack() {
+ delete_proxyarp() {
+ if [ -f ${VARDIR}/proxyarp ]; then
+ while read address interface external haveroute; do
+- qt $IP -4 neigh del proxy $address dev $external
+- [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface
++ qtnoin $IP -4 neigh del proxy $address dev $external
++ [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
+ f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+ [ -f $f ] && echo 0 > $f
+ done < ${VARDIR}/proxyarp
+diff --git a/Shorewall/lib.common b/Shorewall/lib.common
+index 9f62c4b..50f034e 100644
+--- a/Shorewall/lib.common
++++ b/Shorewall/lib.common
+@@ -164,12 +164,21 @@ qt()
+ "$@" >/dev/null 2>&1
+ }
+
++#
++# Suppress all output and input - mainly for preventing leaked file descriptors
++# to avoid SELinux denials
++#
++qtnoin()
++{
++ "$@" </dev/null >/dev/null 2>&1
++}
++
+ qt1()
+ {
+ local status
+
+ while [ 1 ]; do
+- "$@" >/dev/null 2>&1
++ "$@" </dev/null >/dev/null 2>&1
+ status=$?
+ [ $status -ne 4 ] && return $status
+ done
+@@ -179,7 +188,7 @@ qt1()
+ # Determine if Shorewall is "running"
+ #
+ shorewall_is_started() {
+- qt $IPTABLES -L shorewall -n
++ qt1 $IPTABLES -L shorewall -n
+ }
+
+ #
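Review bot: The switch of `shorewall_is_started` from `qt` to `qt1` at the end of the nested lib.common hunk changes behaviour beyond the stated purpose of closing stdin: `qt1` spins in `while [ 1 ]` and only returns once the status differs from 4, with no retry limit, so a probe that keeps returning 4 (presumably iptables' resource/lock error) would hang whatever calls `shorewall_is_started`. If the retry is wanted, bound it, e.g. `local status tries=0`, `[ $status -ne 4 ] && return $status`, `[ $((tries+=1)) -ge 10 ] && return $status` before the loop repeats. The shorewall6-qtnoin.patch hunk below makes no equivalent change, so the two libraries now diverge on this point; if the retry change is intended it should be stated in the spec comment for Patch1 rather than arriving silently with the stdin fix.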
diff --git a/shorewall.spec b/shorewall.spec
index 944b16e..b200926 100644
--- a/shorewall.spec
+++ b/shorewall.spec
@@ -6,7 +6,7 @@
Name: shorewall
Version: %{mainver}
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: An iptables front end for firewall configuration
Group: Applications/System
License: GPLv2+
@@ -25,6 +25,12 @@ Source10: shorewall-foo-init.sh
# Init file for shorewall-init
Source11: shorewall-init.sh
+# Upstream patch to fix handling zones that start with "all"
+Patch0: shorewall-ALL.patch
+# Close stdin in shell loops to prevent SELinux denial messages (bug 727648)
+Patch1: shorewall-qtnoin.patch
+Patch2: shorewall6-qtnoin.patch
+
BuildRequires: perl
BuildArch: noarch
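Review bot: The comment on `Patch1` understates what shorewall-qtnoin.patch does, and `Patch2` has no comment at all; besides the shell loops, the patch also redirects stdin in the Perl `qt` helper in Config.pm and switches `shorewall_is_started` to the retrying `qt1`. Suggest `# Close stdin in qt/qtnoin helpers to prevent SELinux denial messages (bug 727648); also makes shorewall_is_started retry on iptables status 4` above Patch1 and `# Same stdin fix for the shorewall6 library` above Patch2. The `Patch0` comment calls it an upstream patch but records no upstream commit or release, so it is unclear when it can be dropped; e.g. `# Upstream patch (<upstream commit or release>) to fix handling zones that start with "all"`.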
@@ -108,6 +114,13 @@ for 'event-driven' startup and shutdown.
%prep
%setup -q -c -n %{name}-%{version} -T -a0 -a1 -a2 -a3 -a4
+pushd %{name}-%{version}
+%patch0 -p2
+%patch1 -p2
+popd
+pushd %{name}6-%{version}
+%patch2 -p2
+popd
# Overwrite default init files with Fedora specific ones
cp %{SOURCE10} shorewall-%{version}/init.sh
@@ -148,8 +161,6 @@ for i in $targets; do
popd
done
-# Make files under libexec executable
-chmod 755 $RPM_BUILD_ROOT%{_libexecdir}/shorewall/*
%clean
rm -rf $RPM_BUILD_ROOT
@@ -224,7 +235,7 @@ fi
%config(noreplace) %{_sysconfdir}/shorewall/*
%config(noreplace) %{_sysconfdir}/logrotate.d/shorewall
-%{_libexecdir}/shorewall
+%attr(0755,root,root) %{_libexecdir}/shorewall
%{_datadir}/shorewall
%{perl_privlib}/Shorewall
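Review bot: `%attr(0755,root,root)` on a bare directory entry applies to the directory and every file beneath it, which is broader than the removed `chmod 755 $RPM_BUILD_ROOT%{_libexecdir}/shorewall/*`, which touched only the top-level files of one package; the same pattern is repeated in the shorewall-lite, shorewall6, shorewall6-lite and shorewall-init hunks that follow. If anything under those libexec trees is a data file rather than an executable it now becomes executable too — presumably harmless for libexec, but worth confirming against the installed tree. A comment such as `# libexec helpers must be executable; %attr on the directory applies to all files below it` next to the first entry would record the intent.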
@@ -251,7 +262,7 @@ fi
%{_sysconfdir}/shorewall-lite/Makefile
%{_datadir}/shorewall-lite
-%{_libexecdir}/shorewall-lite
+%attr(0755,root,root) %{_libexecdir}/shorewall-lite
%{_mandir}/man5/shorewall-lite*
%{_mandir}/man8/shorewall-lite*
@@ -275,7 +286,7 @@ fi
%{_mandir}/man8/shorewall6*
%exclude %{_mandir}/man8/shorewall6-lite*
-%{_libexecdir}/shorewall6
+%attr(0755,root,root) %{_libexecdir}/shorewall6
%{_datadir}/shorewall6
%dir %{_localstatedir}/lib/shorewall6
@@ -296,7 +307,7 @@ fi
%{_mandir}/man8/shorewall6-lite*
%{_datadir}/shorewall6-lite
-%{_libexecdir}/shorewall6-lite
+%attr(0755,root,root) %{_libexecdir}/shorewall6-lite
%dir %{_localstatedir}/lib/shorewall6-lite
@@ -312,9 +323,14 @@ fi
%{_mandir}/man8/shorewall-init.8.*
%{_datadir}/shorewall-init
-%{_libexecdir}/shorewall-init
+%attr(0755,root,root) %{_libexecdir}/shorewall-init
%changelog
+* Wed Aug 3 2011 Orion Poplawski <orion at cora.nwra.com> - 4.4.22-2
+- Add upstream ALL patch to fix handling zones that begin with 'all'
+- Add patch to close stdin to prevent some SELinux denial messages (bug 727648)
+- Make libexec files executable
+
* Tue Aug 2 2011 Orion Poplawski <orion at cora.nwra.com> - 4.4.22-1
- Update to 4.4.22
diff --git a/shorewall6-qtnoin.patch b/shorewall6-qtnoin.patch
new file mode 100644
index 0000000..ad6c355
--- /dev/null
+++ b/shorewall6-qtnoin.patch
@@ -0,0 +1,27 @@
+diff --git a/Shorewall6/lib.common b/Shorewall6/lib.common
+index 0b4022c..4aee7ff 100644
+--- a/Shorewall6/lib.common
++++ b/Shorewall6/lib.common
+@@ -186,12 +186,21 @@ qt()
+ "$@" >/dev/null 2>&1
+ }
+
++#
++# Suppress all output and input - mainly for preventing leaked file descriptors
++# to avoid SELinux denials
++#
++qtnoin()
++{
++ "$@" </dev/null >/dev/null 2>&1
++}
++
+ qt1()
+ {
+ local status
+
+ while [ 1 ]; do
+- "$@" >/dev/null 2>&1
++ "$@" </dev/null >/dev/null 2>&1
+ status=$?
+ [ $status -ne 4 ] && return $status
+ done