!42 [sync] PR-41: enable selinux to fix cockpit login failed

From: @openeuler-sync-bot 
Reviewed-by: @leeffo 
Signed-off-by: @leeffo

cockpit.spec

@@ -1,26 +1,41 @@
-%global         __requires_exclude_from     ^%{_libexecdir}/cockpit-client$
+%define required_base 266
+%define _hardened_build 1
+%define __lib lib
+%if %{defined _pamdir}
+%define pamdir %{_pamdir}
+%else
+%define pamdir %{_libdir}/security
+%endif
 %bcond_with     pcp
 
 Name:           cockpit
 Version:        285
-Release:        1
+Release:        2
 Summary:        A easy-to-use, integrated, glanceable, and open web-based interface for Linux servers
 License:        LGPLv2+
 URL:            https://cockpit-project.org/
 Source0:        https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz
+%define build_basic 1
+%define build_optional 1
+
+%if "%{name}" == "cockpit"
+%define selinuxtype targeted
+%define selinux_configure_arg --enable-selinux-policy=%{selinuxtype}
+%endif
 
 BuildRequires:  gcc
 BuildRequires:  pkgconfig(gio-unix-2.0) pkgconfig(json-glib-1.0) pkgconfig(polkit-agent-1) >= 0.105 pam-devel
 BuildRequires:  autoconf automake python3 intltool libssh-devel >= 0.7.1 openssl-devel zlib-devel krb5-devel
 BuildRequires:  libxslt-devel docbook-style-xsl glib-networking sed glib2-devel >= 2.50.0
 BuildRequires:  systemd-devel krb5-server xmlto gnutls-devel >= 3.6.0
-
+BuildRequires:  gettext >= 0.21 openssh-clients gdb
 %if %{with pcp}
 BuildRequires:  pcp-libs-devel
 %endif
-
+BuildRequires:  selinux-policy selinux-policy-devel
 Requires:       glib-networking shadow-utils grep libpwquality coreutils NetworkManager kexec-tools openssl glib2 >= 2.50.0
 Requires:       python3 python3-dbus systemd udisks2 >= 2.6 libvirt libvirt-client PackageKit
+Requires:       cockpit-bridge cockpit-ws cockpit-system
 
 Provides:       %{name}-networkmanager %{name}-selinux %{name}-sosreport %{name}-dashboard = %{version}-%{release}
 Provides:       %{name}-machines = %{version}-%{release} %{name}-machines-ovirt = %{version}-%{release} %{name}-shell %{name}-systemd
@@ -41,6 +56,134 @@ Conflicts:      %{name}-dashboard < 170.x %{name}-ws < 135 firewalld < 0.6.0-1
 Recommends:     polkit NetworkManager-team setroubleshoot-server >= 3.3.3 sscg >= 2.3 system-logos
 Recommends:     udisks2-lvm2 >= 2.6 udisks2-iscsi >= 2.6 device-mapper-multipath clevis-luks virt-install
 
+%prep
+%setup -q -n cockpit-%{version}
+
+%build
+%configure \
+    %{?selinux_configure_arg} \
+    --with-cockpit-user=cockpit-ws \
+    --with-cockpit-ws-instance-user=cockpit-wsinstance \
+    --with-pamdir='%{pamdir}' \
+    --docdir=%_defaultdocdir/%{name} \
+%if 0%{?build_basic} == 0
+    --disable-ssh \
+%endif
+%if %{without pcp}
+  --disable-pcp
+%endif
+
+%make_build
+
+%check
+%if %{?_with_check:1}%{!?_with_check:0}
+%make_build check
+%endif
+
+%install
+%make_install
+make install-tests DESTDIR=%{buildroot}
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d
+install -p -m 644 tools/cockpit.pam $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/cockpit
+rm -f %{buildroot}/%{_libdir}/cockpit/*.so
+install -D -p -m 644 AUTHORS COPYING README.md %{buildroot}%{_docdir}/cockpit/
+
+# Build the package lists for resource packages
+# cockpit-bridge is the basic dependency for all cockpit-* packages, so centrally own the page directory
+echo '%dir %{_datadir}/cockpit' > base.list
+echo '%dir %{_datadir}/cockpit/base1' >> base.list
+find %{buildroot}%{_datadir}/cockpit/base1 -type f -o -type l >> base.list
+echo '%{_sysconfdir}/cockpit/machines.d' >> base.list
+echo %{buildroot}%{_datadir}/polkit-1/actions/org.cockpit-project.cockpit-bridge.policy >> base.list
+echo '%dir %{_datadir}/cockpit/ssh' >> base.list
+find %{buildroot}%{_datadir}/cockpit/ssh -type f >> base.list
+echo '%{_libexecdir}/cockpit-ssh' >> base.list
+
+%if %{with pcp}
+echo '%dir %{_datadir}/cockpit/pcp' > pcp.list
+find %{buildroot}%{_datadir}/cockpit/pcp -type f >> pcp.list
+%endif
+
+echo '%dir %{_datadir}/cockpit/tuned' > system.list
+find %{buildroot}%{_datadir}/cockpit/tuned -type f >> system.list
+
+echo '%dir %{_datadir}/cockpit/shell' >> system.list
+find %{buildroot}%{_datadir}/cockpit/shell -type f >> system.list
+
+echo '%dir %{_datadir}/cockpit/systemd' >> system.list
+find %{buildroot}%{_datadir}/cockpit/systemd -type f >> system.list
+
+echo '%dir %{_datadir}/cockpit/users' >> system.list
+find %{buildroot}%{_datadir}/cockpit/users -type f >> system.list
+
+echo '%dir %{_datadir}/cockpit/metrics' >> system.list
+find %{buildroot}%{_datadir}/cockpit/metrics -type f >> system.list
+
+echo '%dir %{_datadir}/cockpit/kdump' > kdump.list
+find %{buildroot}%{_datadir}/cockpit/kdump -type f >> kdump.list
+
+echo '%dir %{_datadir}/cockpit/sosreport' > sosreport.list
+find %{buildroot}%{_datadir}/cockpit/sosreport -type f >> sosreport.list
+
+echo '%dir %{_datadir}/cockpit/storaged' > storaged.list
+find %{buildroot}%{_datadir}/cockpit/storaged -type f >> storaged.list
+
+echo '%dir %{_datadir}/cockpit/networkmanager' > networkmanager.list
+find %{buildroot}%{_datadir}/cockpit/networkmanager -type f >> networkmanager.list
+
+echo '%dir %{_datadir}/cockpit/packagekit' > packagekit.list
+find %{buildroot}%{_datadir}/cockpit/packagekit -type f >> packagekit.list
+
+echo '%dir %{_datadir}/cockpit/apps' >> packagekit.list
+find %{buildroot}%{_datadir}/cockpit/apps -type f >> packagekit.list
+
+echo '%dir %{_datadir}/cockpit/selinux' > selinux.list
+find %{buildroot}%{_datadir}/cockpit/selinux -type f >> selinux.list
+
+echo '%dir %{_datadir}/cockpit/playground' > tests.list
+find %{buildroot}%{_datadir}/cockpit/playground -type f >> tests.list
+
+echo '%dir %{_datadir}/cockpit/static' > static.list
+echo '%dir %{_datadir}/cockpit/static/fonts' >> static.list
+find %{buildroot}%{_datadir}/cockpit/static -type f >> static.list
+
+# when not building basic packages, remove their files
+%if 0%{?build_basic} == 0
+for pkg in base1 branding motd kdump networkmanager selinux shell sosreport ssh static systemd users metrics; do
+    rm -r %{buildroot}/%{_datadir}/cockpit/$pkg
+    rm -f %{buildroot}/%{_datadir}/metainfo/org.cockpit-project.cockpit-${pkg}.metainfo.xml
+done
+for data in doc man pixmaps polkit-1; do
+    rm -r %{buildroot}/%{_datadir}/$data
+done
+rm -r %{buildroot}/%{_prefix}/%{__lib}/tmpfiles.d
+find %{buildroot}/%{_unitdir}/ -type f ! -name 'cockpit-session*' -delete
+for libexec in cockpit-askpass cockpit-session cockpit-ws cockpit-tls cockpit-wsinstance-factory cockpit-client cockpit-client.ui cockpit-desktop cockpit-certificate-helper cockpit-certificate-ensure; do
+    rm %{buildroot}/%{_libexecdir}/$libexec
+done
+rm -r %{buildroot}/%{_sysconfdir}/pam.d %{buildroot}/%{_sysconfdir}/motd.d %{buildroot}/%{_sysconfdir}/issue.d
+rm -f %{buildroot}/%{_libdir}/security/pam_*
+rm %{buildroot}/usr/bin/cockpit-bridge
+rm -f %{buildroot}%{_libexecdir}/cockpit-ssh
+rm -f %{buildroot}%{_datadir}/metainfo/cockpit.appdata.xml
+%endif
+
+# when not building optional packages, remove their files
+%if 0%{?build_optional} == 0
+for pkg in apps packagekit playground storaged; do
+    rm -rf %{buildroot}/%{_datadir}/cockpit/$pkg
+done
+# files from -tests
+rm -f %{buildroot}/%{pamdir}/mock-pam-conv-mod.so
+rm -f %{buildroot}/%{_unitdir}/cockpit-session.socket
+rm -f %{buildroot}/%{_unitdir}/cockpit-session@.service
+# files from -storaged
+rm -f %{buildroot}/%{_prefix}/share/metainfo/org.cockpit-project.cockpit-storaged.metainfo.xml
+%endif
+
+sed -i "s|%{buildroot}||" *.list
+rm -rf %{buildroot}/usr/src/debug
+
 %description
 Cockpit makes GNU/Linux discoverable. See Linux server in a web browser and perform system tasks with a mouse.
 It’s easy to start containers, administer storage, configure networks, and inspect logs with this package.
@@ -78,48 +221,27 @@ Obsoletes:      %{name}-doc < %{version}-%{release}
 This package helps you to deploy %{name} and contains some
 man help files.
 
-%prep
-%autosetup -n %{name}-%{version} -p1
-
-%build
-%configure --disable-silent-rules --with-cockpit-user=cockpit-ws --with-selinux-config-type=etc_t \
-  --with-cockpit-ws-instance-user=cockpit-wsinstance \
-  --with-appstream-data-packages='[ "appstream-data" ]' --with-nfs-client-package='"nfs-utils"' --with-vdo-package='"vdo"' \
-%if %{without pcp}
-  --disable-pcp
-%endif
-
-%make_build
-
-%check
-%if %{?_with_check:1}%{!?_with_check:0}
-%make_build check
-%endif
-
-%install
-%make_install
-make install-tests DESTDIR=%{buildroot}
-
-install -Dpm644 tools/cockpit.pam %{buildroot}%{_sysconfdir}/pam.d/cockpit
-
-echo '{ "linguas": null }' > %{buildroot}%{_datadir}/cockpit/shell/override.json
-
 %pre
 getent group cockpit-ws >/dev/null || groupadd -r cockpit-ws
-getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d / -s /sbin/nologin -c "User for cockpit-ws" cockpit-ws
+getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d /nonexisting -s /sbin/nologin -c "User for cockpit web service" cockpit-ws
 getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
-getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d / -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
+getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
+
+if %{_sbindir}/selinuxenabled 2>/dev/null; then
+    %selinux_relabel_pre -s %{selinuxtype}
+fi
 
 %post
-if [ ! -f "%{_sysconfdir}/%{name}/ws-certs.d/0-self-signed.key" ]; then
+if [ -x %{_sbindir}/selinuxenabled ]; then
-    # The certificate is not available when upgrading from an older version and needs to be recreated
+    %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
-    %{__rm} -f %{_sysconfdir}/%{name}/ws-certs.d/{0-self-signed.cert,0-self-signed-ca.pem}
+    %selinux_relabel_post -s %{selinuxtype}
 fi
 
 %tmpfiles_create cockpit-tempfiles.conf
 %systemd_post cockpit.socket cockpit.service
-# cannot use systemctl because it might be out of sync with reality
+# firewalld only partially picks up changes to its services files without this
 test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
+
 # check for deprecated PAM config
 if grep --color=auto pam_cockpit_cert %{_sysconfdir}/pam.d/cockpit; then
     echo '**** WARNING:'
@@ -128,17 +250,15 @@ if grep --color=auto pam_cockpit_cert %{_sysconfdir}/pam.d/cockpit; then
     echo '**** WARNING:'
 fi
 
-%if %{with pcp}
-%post pcp
-/usr/share/pcp/lib/pmlogger condrestart
-%endif
-
 %preun
 %systemd_preun cockpit.socket cockpit.service
 
 %postun
-%systemd_postun_with_restart cockpit.socket
+if [ -x %{_sbindir}/selinuxenabled ]; then
-%systemd_postun_with_restart cockpit.service
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}
+    %selinux_relabel_post -s %{selinuxtype}
+fi
+%systemd_postun_with_restart cockpit.socket cockpit.service
 
 %files
 %if %{without pcp}
@@ -181,6 +301,9 @@ fi
 %{_unitdir}/cockpit-session.socket
 %{_unitdir}/cockpit-session@.service
 %{_datadir}/metainfo/org.cockpit-project.cockpit-networkmanager.metainfo.xml
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%{_mandir}/man8/%{name}_session_selinux.8cockpit.*
+%{_mandir}/man8/%{name}_ws_selinux.8cockpit.*
 
 %if %{with pcp}
 %files pcp
@@ -200,6 +323,12 @@ fi
 %doc %{_mandir}/man8/{cockpit-ws.8.gz,remotectl.8.gz,pam_ssh_add.8.gz,cockpit-tls.8.gz}
 
 %changelog
+* Tue Mar 28 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 285-2
+- Type:NA
+- ID:NA
+- SUG:NA
+- DESC:enable selinux to fix cockpit login failed
+
 * Mon Feb 27 2023 lvcongqing <lvcongqing@uniontech.com> - 285-1
 - Type:NA
 - ID:NA