[zabbix20/el5] 2.0.13, resolve directory ownership problems
Volker Fröhlich
volter at fedoraproject.org
Mon Sep 22 15:25:57 UTC 2014
commit 0b18fbab841e0f27571543b9b022340882937a87
Author: Volker Fröhlich <volker27 at gmx.at>
Date: Mon Sep 22 17:22:19 2014 +0200
2.0.13, resolve directory ownership problems
- New upstream release; Remove obsolete patches for ZBX-8151, ZBX-8238
and fping
- Use the upstream tarball, now that non-free json was replaced with android-json
- Clean between builds, otherwise zabbix_{proxy,server} are compiled
again on install
- Harmonize package descriptions and summaries
- Sort out /var/run ownership issue when only installing the server or proxy
- Update README
.gitignore | 1 +
sources | 2 +-
zabbix-1.8.12-fping3.patch | 39 -------------------------------
zabbix-2.0.12-zbx8151.patch | 53 -------------------------------------------
zabbix-2.0.12-zbx8238.patch | 24 -------------------
zabbix-fedora.README | 26 ++++++++++++++++++--
zabbix20.spec | 38 +++++++++++++++++-------------
7 files changed, 47 insertions(+), 136 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 914b865..19d53bb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@
/zabbix-2.0.10-free.tar.gz
/zabbix-2.0.11-free.tar.gz
/zabbix-2.0.12-free.tar.gz
+/zabbix-2.0.13.tar.gz
diff --git a/sources b/sources
index b9ea480..821c330 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-8d497bc9eca83d59ba5633645b86584e zabbix-2.0.12-free.tar.gz
+538e973109c36aaa8c1f2bc7925fb1c4 zabbix-2.0.13.tar.gz
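Review bot: The new `sources` entry pins the tarball with a 32-hex-digit (MD5-length) digest only, in the same change that switches from the locally repackaged `-free` tarball to the file as shipped by upstream. Please note in the changelog or commit message how `zabbix-2.0.13.tar.gz` was checked against an upstream-published checksum before upload, since this digest is the only integrity pin visible here.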
diff --git a/zabbix-fedora.README b/zabbix-fedora.README
index 81e5853..dec388b 100644
--- a/zabbix-fedora.README
+++ b/zabbix-fedora.README
@@ -1,5 +1,3 @@
-#TODO: SELinux
-
EPEL 5 version of Zabbix 2.0 does not support SSH, due to the old
version of SSH shipped in EL 5.
@@ -11,7 +9,6 @@ Since /tmp is not a good place to spool files, the pinger files shall now reside
in /var/lib/zabbixsrv/tmp. This directory is automatically created and proxy and
server configuration files are changed accordingly from 2.0.8 on.
-
==Web configuration==
Web configuration resides in /etc/zabbix/web. The configuration file can be
@@ -152,6 +149,29 @@ module package and load that:
echo "avc: denied { name_connect } for pid=20619 comm="httpd" dest=10051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket" | audit2allow -M zabbix_conn_httpd; sudo semodule -i zabbix_conn_httpd.pp
+--------------------------------------------------------------------------------
+
+=SELinux=
+
+The settings necessary for you vary, depending on how you set up your system/s.
+Most of the time, the only adjustments necessary should be on the machine that
+holds the frontend:
+
+#Allow to connect the frontend to a database by other means than sockets
+setsebool -P httpd_can_network_connect_db 1
+
+#Allow the frontend to create a connection to the server listening port
+#That's the check the frontend uses to see whether the server is running.
+#This option effectively supersedes the previous
+setsebool -P httpd_can_network_connect 1
+
+Using sebools is a somewhat coarse method of allowing things.
+A more fine-grained approach for the latter would be to grab an actual
+avc denial from the audit log, pipe it through audit2allow, put it in a
+module package and load that:
+
+echo "avc: denied { name_connect } for pid=20619 comm="httpd" dest=10051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket" | audit2allow -M zabbix_conn_httpd; sudo semodule -i zabbix_conn_httpd.pp
+
If you're using ping from the frontend:
echo "avc: denied { setpgid } for pid=31880 comm="zabbix_server_p" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process" | audit2allow -M zabbix_ping_frontend; sudo semodule -i zabbix_ping_frontend.pp
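Review bot: The added `=SELinux=` block looks like a duplicate of text already in the README: the hunk header shows `module package and load that:` and the context line directly above the additions is the same `audit2allow -M zabbix_conn_httpd` command the new block ends with. Check that the section does not now appear twice and drop the older copy if it does. In the `echo` lines, the inner double quotes in `comm="httpd"` close and reopen the outer string, so the shell strips them; wrapping the whole AVC message in single quotes would hand it to audit2allow unchanged.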
diff --git a/zabbix20.spec b/zabbix20.spec
index 8fea281..4674f39 100644
--- a/zabbix20.spec
+++ b/zabbix20.spec
@@ -10,17 +10,15 @@
%global srcname zabbix
Name: zabbix20
-Version: 2.0.12
-Release: 2%{?dist}
+Version: 2.0.13
+Release: 1%{?dist}
Summary: Open-source monitoring solution for your IT infrastructure
Group: Applications/Internet
License: GPLv2+
URL: http://www.zabbix.com
-#Source0: http://downloads.sourceforge.net/%{srcname}/%{srcname}-%{version}.tar.gz
-# upstream tarball minus src/zabbix_java/lib/org-json-2010-12-28.jar
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
-Source0: %{srcname}-%{version}-free.tar.gz
+Source0: http://downloads.sourceforge.net/%{srcname}/%{srcname}-%{version}.tar.gz
Source1: %{srcname}-web.conf
Source2: %{srcname}-server.init
Source3: %{srcname}-agent.init
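Review bot: `Source0` now points at a plain `http://` download URL. If upstream serves the same tarball over https, use that URL here so that anyone fetching from the spec gets it over an authenticated channel.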
@@ -35,11 +33,6 @@ Patch1: %{srcname}-2.0.3-fonts-config.patch
# remove flash content (#737337)
# https://support.zabbix.com/browse/ZBX-4794
Patch2: %{srcname}-2.0.1-no-flash.patch
-# logrt may continue reading an old file repeatedly.
-Patch4: %{srcname}-2.0.12-zbx8238.patch
-# Local file inclusion via XXE attack (CVE-2014-3005)
-# https://support.zabbix.com/browse/ZBX-8151
-Patch5: %{srcname}-2.0.12-zbx8151.patch
BuildRequires: mysql-devel
BuildRequires: postgresql-devel
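Review bot: Dropping `Patch5` removes the packaged fix for CVE-2014-3005 (ZBX-8151), and the only justification given is the word "obsolete" in the changelog. Add a comment or changelog line naming the upstream release that carries the ZBX-8151 and ZBX-8238 fixes, so a later reader can confirm the XXE fix was not lost in the rebase.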
@@ -117,7 +110,7 @@ Provides: %{name}-server-implementation = %{version}-%{release}
Zabbix server compiled to use PostgresSQL
%package agent
-Summary: Zabbix Agent
+Summary: Zabbix agent
Group: Applications/Internet
Requires: %{name} = %{version}-%{release}
Requires(pre): shadow-utils
@@ -127,10 +120,10 @@ Requires(preun): /sbin/service
Requires(postun): /sbin/service
%description agent
-The Zabbix client agent, to be installed on monitored systems.
+Zabbix agent, to be installed on monitored systems
%package proxy
-Summary: Zabbix Proxy
+Summary: Zabbix proxy common files
Group: Applications/Internet
Requires: %{name} = %{version}-%{release}
Requires: %{name}-proxy-implementation = %{version}-%{release}
@@ -233,9 +226,6 @@ Zabbix web frontend for PostgreSQL
%patch2 -p1
rm -f frontends/php/images/flash/zbxclock.swf
-%patch4 -p1
-%patch5 -p0
-
# Remove bundled java libs
rm -rf src/zabbix_java/lib/*.jar
@@ -332,11 +322,13 @@ make %{?_smp_mflags}
mv src/zabbix_proxy/zabbix_proxy src/zabbix_proxy/zabbix_proxy_sqlite3
%configure $common_flags --with-mysql --enable-server
+make clean
make %{?_smp_mflags}
mv src/zabbix_server/zabbix_server src/zabbix_server/zabbix_server_mysql
mv src/zabbix_proxy/zabbix_proxy src/zabbix_proxy/zabbix_proxy_mysql
%configure $common_flags --with-postgresql --enable-server
+make clean
make %{?_smp_mflags}
mv src/zabbix_server/zabbix_server src/zabbix_server/zabbix_server_pgsql
mv src/zabbix_proxy/zabbix_proxy src/zabbix_proxy/zabbix_proxy_pgsql
@@ -485,6 +477,9 @@ fi
%pre server
getent group zabbix > /dev/null || groupadd -r zabbix
+getent passwd zabbix > /dev/null || \
+ useradd -r -g zabbix -d /var/lib/zabbix -s /sbin/nologin \
+ -c "Zabbix Monitoring System" zabbix
getent passwd zabbixsrv > /dev/null || \
useradd -r -g zabbix -d /var/lib/zabbixsrv -s /sbin/nologin \
-c "Zabbix Monitoring System -- Proxy or server" zabbixsrv
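Review bot: The `%pre server` scriptlet now creates a second account, `zabbix`, with no comment saying why the server package needs it alongside `zabbixsrv`. Add a one-line comment tying it to the /var/run ownership fix named in the changelog, and confirm that `/var/lib/zabbix`, given here as the home directory, is owned by a package that gets installed in a server-only setup.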
@@ -501,6 +496,9 @@ fi
#TODO: Update path from 1.8.6 with wrongly set home dir?
%pre proxy
getent group zabbix > /dev/null || groupadd -r zabbix
+getent passwd zabbix > /dev/null || \
+ useradd -r -g zabbix -d /var/lib/zabbix -s /sbin/nologin \
+ -c "Zabbix Monitoring System" zabbix
getent passwd zabbixsrv > /dev/null || \
useradd -r -g zabbix -d /var/lib/zabbixsrv -s /sbin/nologin \
-c "Zabbix Monitoring System -- Proxy or server" zabbixsrv
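Review bot: The three `useradd` lines added to `%pre proxy` are a verbatim copy of the ones added to `%pre server`, next to an already duplicated `zabbixsrv` block. Consider defining the account creation once, for example in a spec macro, so the two scriptlets cannot drift apart.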
@@ -646,6 +644,14 @@ fi
%files web-pgsql
%changelog
+* Thu Sep 11 2014 Volker Fröhlich <volker27 at gmx.at> - 2.0.13-1
+- New upstream release; Remove obsolete patches for ZBX-8151 and ZBX-8238
+- Use the upstream tarball, now that non-free json was replaced with android-json
+- Clean between builds, otherwise zabbix_{proxy,server} are compiled
+ again on install
+- Harmonize package descriptions and summaries
+- Sort out /var/run ownership issue when only installing the server or proxy
+
* Fri Jun 20 2014 Volker Fröhlich <volker27 at gmx.at> - 2.0.12-2
- Patch for ZBX-8151 (Local file inclusion via XXE attack) -- CVE-2014-3005
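Review bot: The new `%changelog` entry lists the ZBX-8151 and ZBX-8238 patch removals but not the fping patch, although the diffstat shows `zabbix-1.8.12-fping3.patch` deleted and the commit message mentions it. Add fping to the first bullet so the RPM changelog matches what was actually changed.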