[zabbix20/el5] New upstream release 2.0.8
Volker Fröhlich
volter at fedoraproject.org
Sun Sep 8 01:28:42 UTC 2013
commit ea64300dc5fb5c98a99374046e614d77c1ce3733
Author: Volker Fröhlich <volker27 at gmx.at>
Date: Sun Sep 8 04:27:36 2013 +0300
New upstream release 2.0.8
- Introduces a pinger tmp directory in the zabbixsrv home directory
.gitignore | 3 +
sources | 2 +-
zabbix-2.0.6-ZBX-6526.patch | 41 ----------
zabbix-agent.service | 13 ---
zabbix-fedora.README | 39 +++++++++-
zabbix-proxy-mysql.service | 13 ---
zabbix-proxy-pgsql.service | 13 ---
zabbix-proxy-sqlite3.service | 13 ---
zabbix-server-mysql.service | 13 ---
zabbix-server-pgsql.service | 13 ---
zabbix-tmpfiles.conf | 1 -
zabbix20.spec | 183 ++++++------------------------------------
12 files changed, 67 insertions(+), 280 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e20f0b8..bafbdfb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,6 @@
/zabbix-2.0.4-free.tar.gz
/zabbix-2.0.5-free.tar.gz
/zabbix-2.0.6-free.tar.gz
+/zabbix-2.0.7-free.tar.gz
+/zabbix-2.0.8.tar.gz
+/zabbix-2.0.8-free.tar.gz
diff --git a/sources b/sources
index bf98dab..ab672de 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-d480122e6cfb0983d9946148d82a0b8b zabbix-2.0.6-free.tar.gz
+213cfb023a9c3afb807746003027a9c2 zabbix-2.0.8-free.tar.gz
diff --git a/zabbix-fedora.README b/zabbix-fedora.README
index b3618e0..915a6fc 100644
--- a/zabbix-fedora.README
+++ b/zabbix-fedora.README
@@ -5,9 +5,17 @@ version of SSH shipped in EL 5.
=Custom in Fedora/EPEL=
+==Pinger files==
+
+Since /tmp is not a good place to spool files, the pinger files shall now reside
+in /var/lib/zabbixsrv/tmp. This directory is automatically created and proxy and
+server configuration files are changed accordingly from 2.0.8 on.
+
==Web configuration==
-Web configuration resides in /etc/zabbix/web.
+Web configuration resides in /etc/zabbix/web. No need to copy or edit
+anything -- just do the configuration by accessing the frontend as soon as your
+httpd configuration allows.
==Log files==
@@ -18,6 +26,7 @@ Log files are located in /var/log/zabbix.
==Where's my Flash watch?==
It's not included in Fedora! Fedora's policy does not allow to include blobs.
+https://support.zabbix.com/browse/ZBX-4794
==No htaccess files==
@@ -98,6 +107,32 @@ to vote on it.
Sadly it doesn't work with how Fedora's/RHEL's PHP is compiled.
+--------------------------------------------------------------------------------
+
+=SELinux=
+
+The settings necessary for you vary, depending on how you set up your system/s.
+Most of the time, the only adjustments necessary should be on the machine that
+holds the frontend:
+
+#Allow to connect the frontend to a database by other means than sockets
+setsebool -P httpd_can_network_connect_db 1
+
+#Allow the frontend to create a connection to the server listening port
+#That's the check the frontend uses to see whether the server is running.
+#This option effectively supersedes the previous
+setsebool -P httpd_can_network_connect 1
+
+Using sebools is a somewhat coarse method of allowing things.
+A more fine-grained approach for the latter would be to grab an actual
+avc denial from the audit log, pipe it through audit2allow, put it in a
+module package and load that:
+
+echo "avc: denied { name_connect } for pid=20619 comm="httpd" dest=10051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket" | audit2allow -M zabbix_conn_httpd; sudo semodule -i zabbix_conn_httpd.pp
+
+If you're using ping from the frontend:
+
+echo "avc: denied { setpgid } for pid=31880 comm="zabbix_server_p" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process" | audit2allow -M zabbix_ping_frontend; sudo semodule -i zabbix_ping_frontend.pp
--------------------------------------------------------------------------------
@@ -121,4 +156,4 @@ http://www.zabbix.com/documentation/2.0/manual/installation/upgrade
- Review all rpmnew and rpmsave files; merge where necessary
- Review permissions, ownerships and group memberships for zabbixsrv
-Volker Fröhlich volker27 at gmx.at Jan 21 2013
+Volker Fröhlich volker27 at gmx.at Aug 14 2013
diff --git a/zabbix20.spec b/zabbix20.spec
index a626856..a4ba444 100644
--- a/zabbix20.spec
+++ b/zabbix20.spec
@@ -1,40 +1,18 @@
# TODO, maybe sometime:
# * Do something about mutex errors sometimes occurring when init scripts'
# restart is invoked; something like "sleep 2" between stop and start?
-# * Use "Include" in zabbix_{agentd,proxy,server}.conf, point to corresponding
-# /etc/zabbix/zabbix_*.conf.d/ dir; needs patching in order to not load
+# "Include" statement in config files needs patching in order to not load
# various backup files (*.rpm{orig,new,save}, *~ etc) in that dir.
-# https://support.zabbix.com/browse/ZBXNEXT-497 -- Scheduled for 2.2
+# https://support.zabbix.com/browse/ZBXNEXT-497
# * zabbixsrv could be member of the groups zabbixsrv and zabbix
-# * Consider mod_proxy patch from Debian
-# https://support.zabbix.com/browse/ZBX-4986
-
-#TODO: systemctl reload seems to be necessary after switching with Alternatives
-#TODO: If the DB path for a Sqlite proxy is configured wrong, it requires systemctl restart. Start doesn't work.
-
-# Some info on SELinux that should go to our README
-
-# Allow to connect the frontend to a database
-# setsebool -P httpd_can_network_connect_db 1
-
-# Allow the frontend to check whether Zabbix server is reachable
-#echo "avc: denied { name_connect } for pid=20619 comm="httpd" dest=10051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket" | audit2allow -M myhttpd; sudo semodule -i myhttpd.pp
-
-#TODO: Consider filing a bug for selinux-policy
-# Allow ping from the frontend
-#echo "avc: denied { setpgid } for pid=31880 comm="zabbix_server_p" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process" | audit2allow -M myzab; sudo semodule -i myzab.pp
-
-# Allow host list for pings in /tmp
-#echo "avc: denied { read } for pid=3427 comm="fping6" path="/tmp/zabbix_server_pgsql_3002.pinger" dev=dm-1 ino=20 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file" | audit2allow -M myzab; sudo semodule -i myzab2.pp
-
-#type=AVC msg=audit(1346965425.718:65127): avc: denied { getattr } for pid=3427 comm="fping6" path="/tmp/zabbix_server_pgsql_3002.pinger" dev=dm-1 ino=20 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
+#type=AVC msg=audit(1346965425.718:65127): avc: denied { getattr } for pid=3427 comm="fping6" path="/var/lib/zabbixsrv/tmp/zabbix_server_pgsql_3002.pinger" dev=dm-1 ino=20 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
%global srcname zabbix
Name: zabbix20
-Version: 2.0.6
-Release: 3%{?dist}
+Version: 2.0.8
+Release: 1%{?dist}
Summary: Open-source monitoring solution for your IT infrastructure
Group: Applications/Internet
@@ -49,7 +27,6 @@ Source2: %{srcname}-server.init
Source3: %{srcname}-agent.init
Source4: %{srcname}-proxy.init
Source5: %{srcname}-logrotate.in
-Source9: %{srcname}-tmpfiles.conf
Source16: %{srcname}-fedora.README
# local rules for config files
@@ -60,13 +37,6 @@ Patch1: %{srcname}-2.0.3-fonts-config.patch
# https://support.zabbix.com/browse/ZBX-4794
Patch2: %{srcname}-2.0.1-no-flash.patch
-# https://support.zabbix.com/browse/ZBX-6526
-Patch4: %{srcname}-2.0.6-ZBX-6526.patch
-
-# Insecure use of libcurl API, CVE-2012-6086
-# https://support.zabbix.com/browse/ZBX-5924
-Patch5: %{srcname}-2.0.6-ZBX-5924.patch
-
BuildRequires: mysql-devel
BuildRequires: postgresql-devel
BuildRequires: sqlite-devel
@@ -252,8 +222,6 @@ Zabbix web frontend for PostgreSQL
%setup0 -q -n %{srcname}-%{version}
%patch0 -p1
%patch1 -p1
-%patch4 -p0
-%patch5 -p0
# Logrotate's su option is currently only available in Fedora
sed -i '/su zabbix zabbix/d' %{SOURCE5}
@@ -261,7 +229,7 @@ sed -i '/su zabbix zabbix/d' %{SOURCE5}
# Remove flash applet
# https://support.zabbix.com/browse/ZBX-4794
%patch2 -p1
-rm -f frontend/php/images/flash/zbxclock.swf
+rm -f frontends/php/images/flash/zbxclock.swf
# Remove bundled java libs
rm -rf src/zabbix_java/lib/*.jar
@@ -313,6 +281,7 @@ sed -i \
-e 's|/usr/local||g' \
conf/zabbix_agent.conf
+#TODO: It'd be better to leave the defaults in a commment and just override them, as they are still hard-coded!
sed -i \
-e 's|# PidFile=.*|PidFile=%{_localstatedir}/run/%{srcname}/zabbix_server.pid|g' \
-e 's|^LogFile=.*|LogFile=%{_localstatedir}/log/%{srcname}/zabbix_server.log|g' \
@@ -321,6 +290,7 @@ sed -i \
-e 's|^DBUser=root|DBUser=zabbix|g' \
-e 's|# DBSocket=/tmp/mysql.sock|DBSocket=/var/lib/mysql/mysql.sock|g' \
-e 's|# ExternalScripts=\${datadir}/zabbix/externalscripts|ExternalScripts=/var/lib/zabbixsrv/externalscripts|' \
+ -e 's|# TmpDir=\/tmp|TmpDir=/var/lib/zabbixsrv/tmp|' \
-e 's|/usr/local||g' \
conf/zabbix_server.conf
@@ -331,6 +301,7 @@ sed -i \
-e 's|^DBUser=root|DBUser=zabbix|g' \
-e 's|# DBSocket=/tmp/mysql.sock|DBSocket=/var/lib/mysql/mysql.sock|g' \
-e 's|# ExternalScripts=\${datadir}/zabbix/externalscripts|ExternalScripts=/var/lib/zabbixsrv/externalscripts|' \
+ -e 's|# TmpDir=\/tmp|TmpDir=/var/lib/zabbixsrv/tmp|' \
-e 's|/usr/local||g' \
conf/zabbix_proxy.conf
@@ -442,6 +413,9 @@ ln -sf /var/lib/zabbixsrv/externalscripts $RPM_BUILD_ROOT%{_sysconfdir}/%{srcnam
ln -sf /var/lib/zabbixsrv/alertscripts $RPM_BUILD_ROOT%{_sysconfdir}/%{srcname}/alertscripts
#TODO: What does that do to existing directories?
+# Directory for fping spooling files
+mkdir $RPM_BUILD_ROOT/var/lib/zabbixsrv/tmp
+
# Install sql files
for db in postgresql mysql; do
datadir=$RPM_BUILD_ROOT%{_datadir}/%{srcname}-$db
@@ -615,7 +589,7 @@ fi
%config(noreplace) %{_sysconfdir}/%{srcname}/alertscripts
%config(noreplace) %{_sysconfdir}/logrotate.d/zabbix-server
%ghost %{_sbindir}/zabbix_server
-%attr(0755,zabbixsrv,zabbix) /var/lib/%{srcname}srv
+%attr(0755,zabbixsrv,zabbix) /var/lib/zabbixsrv
%{_initrddir}/zabbix-server
%{_mandir}/man8/zabbix_server.8*
@@ -636,7 +610,7 @@ fi
%config(noreplace) %{_sysconfdir}/zabbix_agentd.conf
%config(noreplace) %{_sysconfdir}/%{srcname}/zabbix_agentd.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/zabbix-agent
-%attr(0755,zabbix,zabbix) %dir /var/lib/%{srcname}
+%attr(0755,zabbix,zabbix) %dir /var/lib/zabbix
%{_initrddir}/zabbix-agent
%{_sbindir}/zabbix_agent
%{_sbindir}/zabbix_agentd
@@ -651,7 +625,7 @@ fi
%config(noreplace) %{_sysconfdir}/%{srcname}/externalscripts
%config(noreplace) %{_sysconfdir}/logrotate.d/zabbix-proxy
%ghost %{_sbindir}/zabbix_proxy
-%attr(0755,zabbixsrv,zabbix) /var/lib/%{srcname}srv
+%attr(0755,zabbixsrv,zabbix) /var/lib/zabbixsrv
%{_initrddir}/zabbix-proxy
%{_mandir}/man8/zabbix_proxy.8*
@@ -679,6 +653,17 @@ fi
%files web-pgsql
%changelog
+* Fri Aug 23 2013 Volker Fröhlich <volker27 at gmx.at> - 2.0.8-1
+- New upstream release
+- Remove unused source files
+- Create and configure a spooling directory for fping files outside of /tmp
+- Update README to reflect that and add a SELinux section
+- Drop PrivateTmp from systemd unit files
+- Drop patch for ZBX-6526 (solved upstream)
+- Drop patch for CVE-2012-6086 (solved upstream)
+- Correct path for the flash applet when removing
+- Truncate changelog
+
* Tue Jul 30 2013 Volker Fröhlich <volker27 at gmx.at> - 2.0.6-3
- Backport fix for CVE-2012-6086
@@ -1005,119 +990,3 @@ fi
* Thu Sep 30 2008 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.6-1
- Update to final 1.6
-
-* Mon Aug 11 2008 Jason L Tibbitts III <tibbs at math.uh.edu> - 1.4.6-2
-- Fix license tag.
-
-* Fri Jul 25 2008 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.4.6-1
-- Update to 1.4.6
-
-* Mon Jul 07 2008 Dan Horak <dan[at]danny.cz> - 1.4.5-4
-- add LSB headers into init scripts
-- disable internal log rotation
-
-* Fri May 02 2008 Jarod Wilson <jwilson at redhat.com> - 1.4.5-3
-- Seems the zabbix folks replaced the original 1.4.5 tarball with
- an updated tarball or something -- it actually does contain a
- tiny bit of additional code... So update to newer 1.4.5.
-
-* Tue Apr 08 2008 Jarod Wilson <jwilson at redhat.com> - 1.4.5-2
-- Fix building w/postgresql (#441456)
-
-* Tue Mar 25 2008 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.4.5-1
-- Update to 1.4.5
-
-* Thu Feb 14 2008 Jarod Wilson <jwilson at redhat.com> - 1.4.4-2
-- Bump and rebuild with gcc 4.3
-
-* Mon Dec 17 2007 Jarod Wilson <jwilson at redhat.com> - 1.4.4-1
-- New upstream release
-- Fixes two crasher bugs in 1.4.3 release
-
-* Wed Dec 12 2007 Jarod Wilson <jwilson at redhat.com> - 1.4.3-1
-- New upstream release
-
-* Thu Dec 06 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.4.2-5
-- Rebuild for deps
-
-* Sat Dec 01 2007 Dan Horak <dan[at]danny.cz> 1.4.2-4
-- add security fix (#407181)
-
-* Thu Sep 20 2007 Dan Horak <dan[at]danny.cz> 1.4.2-3
-- Add a patch to clean a warning during compile
-- Add a patch to fix cpu load computations
-
-* Tue Aug 21 2007 Jarod Wilson <jwilson at redhat.com> 1.4.2-2
-- Account for binaries moving from %%_bindir to %%_sbindir
-
-* Tue Aug 21 2007 Jarod Wilson <jwilson at redhat.com> 1.4.2-1
-- New upstream release
-
-* Mon Jul 02 2007 Jarod Wilson <jwilson at redhat.com> 1.4.1-1
-- New upstream release
-
-* Fri Jun 29 2007 Jarod Wilson <jwilson at redhat.com> 1.4-3
-- Install correct sql init files (#244991)
-- Add Requires: php-bcmath to zabbix-web (#245767)
-
-* Wed May 30 2007 Jarod Wilson <jwilson at redhat.com> 1.4-2
-- Add placeholder zabbix.conf.php
-
-* Tue May 29 2007 Jarod Wilson <jwilson at redhat.com> 1.4-1
-- New upstream release
-
-* Fri Mar 30 2007 Jarod Wilson <jwilson at redhat.com> 1.1.7-1
-- New upstream release
-
-* Wed Feb 07 2007 Jarod Wilson <jwilson at redhat.com> 1.1.6-1
-- New upstream release
-
-* Thu Feb 01 2007 Jarod Wilson <jwilson at redhat.com> 1.1.5-1
-- New upstream release
-
-* Tue Jan 02 2007 Jarod Wilson <jwilson at redhat.com> 1.1.4-5
-- Add explicit R:php to zabbix-web (#220676)
-
-* Wed Dec 13 2006 Jarod Wilson <jwilson at redhat.com> 1.1.4-4
-- Fix snmp polling buffer overflow (#218065)
-
-* Wed Nov 29 2006 Jarod Wilson <jwilson at redhat.com> 1.1.4-3
-- Rebuild for updated libnetsnmp
-
-* Thu Nov 16 2006 Jarod Wilson <jwilson at redhat.com> 1.1.4-2
-- Fix up pt_br
-- Add Req-pre on useradd
-
-* Wed Nov 15 2006 Jarod Wilson <jwilson at redhat.com> 1.1.4-1
-- Update to 1.1.4
-
-* Tue Nov 14 2006 Jarod Wilson <jwilson at redhat.com> 1.1.3-3
-- Add BR: gnutls-devel, R: net-snmp-libs
-
-* Tue Nov 14 2006 Jarod Wilson <jwilson at redhat.com> 1.1.3-2
-- Fix php-pgsql Requires
-
-* Tue Nov 14 2006 Jarod Wilson <jwilson at redhat.com> 1.1.3-1
-- Update to 1.1.3
-
-* Mon Oct 02 2006 Jarod Wilson <jwilson at redhat.com> 1.1.2-1
-- Update to 1.1.2
-- Enable alternate building with postgresql support
-
-* Thu Aug 17 2006 Jarod Wilson <jwilson at redhat.com> 1.1.1-2
-- Yank out Requires: mysql-server
-- Add Requires: for php-gd and fping
-
-* Tue Aug 15 2006 Jarod Wilson <jwilson at redhat.com> 1.1.1-1
-- Update to 1.1.1
-- More macroification
-- Fix up zabbix-web Requires:
-- Prep for enabling postgres support
-
-* Thu Jul 27 2006 Jarod Wilson <jwilson at redhat.com> 1.1-2
-- Add Requires: on chkconfig and service
-- Remove openssl-devel from BR, mysql-devel pulls it in
-- Alter scriptlets to match Fedora conventions
-
-* Tue Jul 11 2006 Jarod Wilson <jwilson at redhat.com> 1.1-1
-- Initial build for Fedora Extras
More information about the scm-commits
mailing list