Moved postinstall/em scripts to helepers catalog

Added workaround for wrong generation of rpm
2024-06-28 11:19:20 +02:00 · 2024-06-28 11:16:34 +02:00
9 changed files with 202 additions and 25 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -32,6 +32,8 @@ set(LSB_RELEASE_ID_SHORT "${LSB_RELEASE_ID_SHORT}")
 install(
    FILES
        ${CMAKE_CURRENT_LIST_DIR}/rsc/rublon.config.defaults
+        ${CMAKE_CURRENT_LIST_DIR}/service/01-rublon-ssh_pubkey.conf.default
+	${CMAKE_CURRENT_LIST_DIR}/service/01-rublon-ssh.conf.default
    DESTINATION
        share/rublon
    COMPONENT
@ -42,34 +44,21 @@ install(
        GROUP_READ
 )

-if ( ${LSB_RELEASE_ID_SHORT} MATCHES "Ubuntu" OR ${LSB_RELEASE_ID_SHORT} MATCHES "Debian" )
+if (NOT ${LSB_RELEASE_ID_SHORT} MATCHES "Ubuntu" OR NOT ${LSB_RELEASE_ID_SHORT} MATCHES "Debian" )
 install(
    FILES
-        ${CMAKE_CURRENT_LIST_DIR}/service/01-rublon-ssh_pubkey.conf.default
-	${CMAKE_CURRENT_LIST_DIR}/service/01-rublon-ssh.conf.defaults
+        ${CMAKE_CURRENT_LIST_DIR}/service/login_rublon.mod
+	${CMAKE_CURRENT_LIST_DIR}/service/login_rublon.pp
+	${CMAKE_CURRENT_LIST_DIR}/service/login_rublon.te
    DESTINATION
        share/rublon
    COMPONENT
 	PAM
-    DESTINATION
-        share/rublon/service
-    USE_SOURCE_PERMISSIONS
-)
-else ()
-install(
-    DIRECTORY
-        ${CMAKE_CURRENT_LIST_DIR}/service/
-    COMPONENT
-	PAM
-    DESTINATION
-        share/rublon/service
-    FILE_PERMISSIONS
+    PERMISSIONS
        OWNER_READ
        OWNER_WRITE
-	OWNER_EXECUTE
        GROUP_READ
-	GROUP_READ
-	GROUP_EXECUTE
+
 )
 endif()
 if (${ENABLE_TESTS})
--- a/pack.cmake
+++ b/pack.cmake
@ -36,18 +36,22 @@ set(CPACK_GENERATOR "DEB")
 # set(CPACK_DEBIAN_DEV_PACKAGE_DEPENDS "libcurl4(>= 7.0.0), libc(>= 2.0)")
 # set(CPACK_DEBIAN_PACKAGE_DEPENDS "libcurl4(>= 7.0.0), libc(>= 2.0), libssl(>= 1.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA 
-	"${CMAKE_CURRENT_SOURCE_DIR}/service/postinst;${CMAKE_CURRENT_SOURCE_DIR}/service/postrm")
+	"${CMAKE_CURRENT_SOURCE_DIR}/service/helpers/postinst;${CMAKE_CURRENT_SOURCE_DIR}/service/helpers/postrm")
 else()
 set(CPACK_GENERATOR "RPM")
+list(APPEND CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/usr/share/rublon/service/helpers")
+list(APPEND CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
+     "/usr/lib64/security"
+)
 set(CPACK_RPM_SPEC_MORE_DEFINE "%define _build_id_links none")
 set(CPACK_RPM_FILE_NAME RPM-DEFAULT)
-set(CPACK_RPM_PACKAGE_REQUIRES_PRE "policycoreutils-devel")
+set(CPACK_RPM_PACKAGE_REQUIRES_PRE "policycoreutils")
 	if(${os_version_suffix} MATCHES ".el8")
-	set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/postinst_rhel_8")
-        set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/postrm_rhel_8")
+	set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/helpers/postinst_rhel_8")
+        set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/helpers/postrm_rhel_8")
 	else ()
-	set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/postinst_rhel")
-	set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/postrm_rhel")
+	set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/helpers/postinst_rhel")
+	set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/helpers/postrm_rhel")
 	endif()
 endif() 

--- a/service/helpers/postinst
+++ b/service/helpers/postinst
@ -0,0 +1,31 @@
+#!/bin/bash
+
+SSHD_CONF=/etc/ssh/sshd_config
+SSHD_PAM_CONF=/etc/pam.d/sshd
+RUBLON_CONFIG=/etc/rublon.config
+RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf
+
+if [ ! -f $RUBLON_CONFIG ]
+then
+    cp -a /usr/share/rublon/rublon.config.defaults $RUBLON_CONFIG
+    chown root:root $RUBLON_CONFIG
+    chmod 640 $RUBLON_CONFIG
+fi
+
+if [ ! -f $RUBLON_SSH_CONFIG ]
+then
+    cp -a /usr/share/rublon/01-rublon-ssh.conf.default $RUBLON_SSH_CONFIG
+    chown root:root $RUBLON_SSH_CONFIG
+    chmod 640 $RUBLON_SSH_CONFIG
+fi
+
+if [ -f /etc/os-release ]
+then
+    . /etc/os-release
+fi
+
+grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF
+grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF
+
+deb-systemd-invoke restart ssh.service
+
--- a/service/helpers/postinst_pubkey
+++ b/service/helpers/postinst_pubkey
@ -0,0 +1,28 @@
+#!/bin/bash
+
+SSHD_CONF=/etc/ssh/sshd_config
+SSHD_PAM_CONF=/etc/pam.d/sshd
+RUBLON_CONFIG=/etc/rublon.config
+RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf
+
+if [ ! -f $RUBLON_CONFIG ]
+then
+    cp -a /usr/share/rublon/rublon.config.defaults $RUBLON_CONFIG
+    chown root:root $RUBLON_CONFIG
+    chmod 640 $RUBLON_CONFIG
+fi
+cp -a /usr/share/rublon/01-rublon-ssh_pubkey.conf.default $RUBLON_SSH_CONFIG
+chown root:root $RUBLON_SSH_CONFIG
+chmod 640 $RUBLON_SSH_CONFIG
+
+if [ -f /etc/os-release ]
+then
+    . /etc/os-release
+fi
+
+grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF
+grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF
+grep -qe '@include common-auth' $SSHD_PAM_CONF || sed -i 's/@include common-auth/#@include common-auth/' $SSHD_PAM_CONF
+
+	deb-systemd-invoke restart ssh.service
+
--- a/service/helpers/postinst_rhel
+++ b/service/helpers/postinst_rhel
@ -0,0 +1,31 @@
+#!/bin/bash
+
+SSHD_CONF=/etc/ssh/sshd_config
+SSHD_PAM_CONF=/etc/pam.d/sshd
+RUBLON_CONFIG=/etc/rublon.config
+RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf
+
+if [ ! -f /etc/rublon.config ]
+then
+    cp -a /usr/share/rublon/rublon.config.defaults $RUBLON_CONFIG
+    chown root:root $RUBLON_CONFIG
+    chmod 640 $RUBLON_CONFIG
+fi
+
+if [ ! -f $RUBLON_SSH_CONFIG ]
+then
+    cp -a /usr/share/rublon/01-rublon-ssh.conf.default $RUBLON_SSH_CONFIG
+    chown root:root $RUBLON_SSH_CONFIG
+    chmod 640 $RUBLON_SSH_CONFIG
+fi
+
+cd /usr/share/rublon/
+checkmodule -M -m -o login_rublon.mod login_rublon.te
+semodule_package -o login_rublon.pp -m login_rublon.mod
+semodule -i login_rublon.pp
+
+
+grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF
+grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF
+
+systemctl restart sshd
--- a/service/helpers/postinst_rhel_8
+++ b/service/helpers/postinst_rhel_8
@ -0,0 +1,32 @@
+#!/bin/bash
+
+SSHD_CONF=/etc/ssh/sshd_config
+SSHD_PAM_CONF=/etc/pam.d/sshd
+RUBLON_CONFIG=/etc/rublon.config
+RUBLON_SSH_CONFIG=/etc/ssh/01-rublon-ssh.conf
+
+if [ ! -f /etc/rublon.config ]
+then
+    cp -a /usr/share/rublon/rublon.config.defaults $RUBLON_CONFIG
+    chown root:root $RUBLON_CONFIG
+    chmod 640 $RUBLON_CONFIG
+fi
+
+if [ ! -f $RUBLON_SSH_CONFIG ]
+then
+    cp -a /usr/share/rublon/01-rublon-ssh.conf.default /etc/ssh/01-rublon-ssh.conf
+    chown root:root $RUBLON_SSH_CONFIG
+    chmod 640 $RUBLON_SSH_CONFIG
+fi
+cd /usr/share/rublon
+checkmodule -M -m -o login_rublon.mod login_rublon.te
+semodule_package -o login_rublon.pp -m login_rublon.mod
+semodule -i login_rublon.pp
+
+sed -i '1 i\Include 01-rublon-ssh.conf' $SSHD_CONF
+grep -qe '#auth       substack     password-auth' $SSHD_PAM_CONF || sed -i -e 's/auth       substack     password-auth/#auth substack password-auth/g' $SSHD_PAM_CONF
+grep -qe 'auth requisite pam_unix.so' $SSHD_PAM_CONF || sed -i '$aauth requisite pam_unix.so' $SSHD_PAM_CONF
+grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF
+grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF
+
+systemctl restart sshd
--- a/service/helpers/postrm
+++ b/service/helpers/postrm
@ -0,0 +1,23 @@
+#!/bin/bash
+
+RUBLON_CONFIG=/etc/rublon.config
+RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf
+SSHD_PAM_CONF=/etc/pam.d/sshd
+
+if [ $1 == 'purge' ]
+then
+    if [ -f $RUBLON_CONFIG ]
+    then
+        rm $RUBLON_CONFIG
+    fi
+
+    if [ -f $RUBLON_SSH_CONFIG ]
+    then
+        rm $RUBLON_SSH_CONFIG
+    fi
+fi
+
+sed -i '/auth required pam_rublon.so/d' $SSHD_PAM_CONF
+sed -i '/account required pam_rublon.so/d' $SSHD_PAM_CONF
+
+deb-systemd-invoke restart ssh.service
--- a/service/helpers/postrm_rhel
+++ b/service/helpers/postrm_rhel
@ -0,0 +1,18 @@
+#!/bin/bash
+
+RUBLON_CONFIG=/etc/rublon.config
+RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf
+SSHD_PAM_CONF=/etc/pam.d/sshd
+if [ -f $RUBLON_CONFIG ]
+then
+	rm $RUBLON_CONFIG
+fi
+
+if [ -f $RUBLON_SSH_CONFIG ]
+then
+	rm $RUBLON_SSH_CONFIG
+fi
+
+sed -i '/auth required pam_rublon.so/d' $SSHD_PAM_CONF
+sed -i '/account required pam_rublon.so/d' $SSHD_PAM_CONF
+
--- a/service/helpers/postrm_rhel_8
+++ b/service/helpers/postrm_rhel_8
@ -0,0 +1,21 @@
+#!/bin/bash
+
+RUBLON_CONFIG=/etc/rublon.config
+RUBLON_SSH_CONFIG=/etc/ssh/01-rublon-ssh.conf
+RUBLON_SSH_CONFIG_D=/etc/ssh/sshd_config
+SSHD_PAM_CONF=/etc/pam.d/sshd
+if [ -f $RUBLON_CONFIG ]
+	then
+	rm $RUBLON_CONFIG
+fi
+
+if [ -f $RUBLON_SSH_CONFIG ]
+	then
+	rm $RUBLON_SSH_CONFIG
+fi
+grep -qe 'auth       substack     password-auth' $SSHD_PAM_CONF || sed -i -e 's/#auth substack password-auth/auth       substack     password-auth/g' $SSHD_PAM_CONF
+sed -i '/auth required pam_rublon.so/d' $SSHD_PAM_CONF
+sed -i '/account required pam_rublon.so/d' $SSHD_PAM_CONF
+sed -i '/auth requisite pam_unix.so/d' $SSHD_PAM_CONF
+sed -i '/Include 01-rublon-ssh.conf/d' $RUBLON_SSH_CONFIG_D
+
Author	SHA1	Message	Date
unknown	7e7634e988	Moved postinstall/em scripts to helepers catalog	2024-06-28 11:19:20 +02:00
unknown	3da2ad391a	Added workaround for wrong generation of rpm	2024-06-28 11:16:34 +02:00