Name:		msec
Version:	0.50.12
%define subrel 1
Release:	%mkrel 1
Summary:	Security Level management for the Mandriva Linux distribution
License:	GPLv2+
Group:		System/Base
Url:		http://www.mandrivalinux.com/
Source0:	%{name}-%{version}.tar.bz2
Source1:	msec.logrotate
Source2:	msec.sh
Source3:	msec.csh
Requires:	perl-base
Requires:	diffutils
Requires:	gawk
Requires:	coreutils
Requires:	iproute2
Requires:	setup >= 2.2.0-21mdk
Requires:	chkconfig >= 1.2.24-3mdk
Requires:	python-base >= 2.3.3-2mdk
Requires:	mailx
Requires:	python
# at least xargs is used
Requires:	findutils

Requires(pre):		rpm-helper >= 0.4
Requires(postun):	rpm-helper >= 0.4

Conflicts:	passwd < 0.67
BuildRequires:	python
BuildRoot:	%{_tmppath}/%{name}-%{version}

%description
The Mandriva Linux Security package is designed to provide generic
secure level to the Mandriva Linux users...  It will permit you to
choose between level 0 to 5 for a less -> more secured distribution.
This packages includes several programs that will be run periodically
in order to test the security of your system and alert you if needed.

%prep
%setup -q

%build
make CFLAGS="$RPM_OPT_FLAGS -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"

%install
rm -rf %{buildroot}

install -d %{buildroot}/etc/security/msec
install -d %{buildroot}/etc/sysconfig
install -d %{buildroot}/usr/share/msec
install -d %{buildroot}/var/lib/msec
install -d %{buildroot}/usr/sbin %{buildroot}/usr/bin
install -d %{buildroot}/var/log/security
install -d %{buildroot}%{_mandir}/man{3,8}

cp -p init-sh/cleanold.sh share/*.py share/*.pyo share/level.* cron-sh/*.sh %{buildroot}/usr/share/msec
chmod 644 %{buildroot}/usr/share/msec/{security,diff}_check.sh
install -m 755 share/msec %{buildroot}/usr/sbin
install -m 644 conf/server.* %{buildroot}/etc/security/msec
install -m 644 conf/perm.* %{buildroot}/usr/share/msec
install -m 755 src/promisc_check/promisc_check src/msec_find/msec_find %{buildroot}/usr/bin

install -m644 man/C/*8 %{buildroot}%{_mandir}/man8/
install -m644 man/C/*3 %{buildroot}%{_mandir}/man3/


for i in man/??* ; do
    install -d %{buildroot}%{_mandir}/`basename $i`/man8
    install -m 644 $i/*.8 %{buildroot}%{_mandir}/`basename $i`/man8/
    install -d %{buildroot}%{_mandir}/`basename $i`/man3
    install -m 644 $i/*.3 %{buildroot}%{_mandir}/`basename $i`/man3/ || :
done;


touch %{buildroot}/var/log/security.log %{buildroot}/%{_sysconfdir}/sysconfig/%{name}

mkdir -p %{buildroot}/%{_sysconfdir}/{logrotate.d,profile.d}
install -m 644 %{SOURCE1} %{buildroot}/etc/logrotate.d/msec
install -m 755 %{SOURCE2} %{buildroot}/etc/profile.d
install -m 755 %{SOURCE3} %{buildroot}/etc/profile.d
touch %{buildroot}/var/log/security.log

%find_lang %name

%pre
%_pre_groupadd xgrp
%_pre_groupadd ntools
%_pre_groupadd ctools

%post
touch /var/log/security.log

if [ $1 != 1 ]; then
	# manage spelling change
     for i in /etc/security/msec/level.local /etc/security/msec/security.conf /var/lib/msec/security.conf; do
		if [ -f $i ]; then
			perl -pi -e 's/CHECK_WRITEABLE/CHECK_WRITABLE/g;s/CHECK_SUID_GROUP/CHECK_SGID/g' $i
		fi
	done
	for ext in today yesterday diff; do
		if [ -f /var/log/security/writeable.$ext ]; then
			mv -f /var/log/security/writeable.$ext /var/log/security/writable.$ext
		fi
		if [ -f /var/log/security/suid_group.$ext ]; then
			mv -f /var/log/security/suid_group.$ext /var/log/security/sgid.$ext
		fi
	done

	# find secure level
	SL=$SECURE_LEVEL
 	[ ! -r /etc/sysconfig/msec ] || SL=`sed -n 's/SECURE_LEVEL=//p' < /etc/sysconfig/msec` || :

	# upgrade from old style msec or rerun the new msec
	if grep -q "# Mandrake-Security : if you remove this comment" /etc/profile; then
		[ -z "$SL" -a -r /etc/profile.d/msec.sh ] && SL=`sed -n 's/.*SECURE_LEVEL=//p' <  /etc/profile.d/msec.sh` || :
		/usr/share/msec/cleanold.sh || :
 		[ -n "$SL" ] && msec $SL < /dev/null || :
	else
		[ -n "$SL" ] && msec < /dev/null || :
	fi

	# remove the old way of doing the daily cron
	rm -f /etc/cron.d/msec
fi

%postun

if [ $1 = 0 ]; then
	# cleanup crontabs on package removal
	rm -f /etc/cron.d/msec /etc/cron.hourly/msec /etc/cron.daily/msec
fi

%_postun_groupdel xgrp
%_postun_groupdel ntools
%_postun_groupdel ctools

%clean
rm -rf %{buildroot}

%files -f %{name}.lang
%defattr(-,root,root)
%doc AUTHORS COPYING share/README share/CHANGES
%doc ChangeLog doc/*.txt
%_bindir/promisc_check
%_bindir/msec_find
%_sbindir/msec
%_datadir/msec
%_mandir/*/*.*
%lang(cs) %_mandir/cs/man?/*
%lang(et) %_mandir/et/man?/*
%lang(eu) %_mandir/eu/man?/*
%lang(fi) %_mandir/fi/man?/*
%lang(fr) %_mandir/fr/man?/*
%lang(it) %_mandir/it/man?/*
%lang(nl) %_mandir/nl/man?/*
%lang(pl) %_mandir/pl/man?/*
%lang(ru) %_mandir/ru/man?/*
%lang(uk) %_mandir/uk/man?/*


%dir /var/log/security
%dir /etc/security/msec
%dir /var/lib/msec

%config(noreplace) /etc/security/msec/*
%config(noreplace) /etc/logrotate.d/msec
/etc/profile.d/msec*
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}

%ghost /var/log/security.log






%changelog
* Thu Feb 25 2010 Eugeni Dodonov <eugeni@mandriva.com> 0.50.12-1.1mdv2009.0
- built for updates

* Wed Feb 24 2010 Eugeni Dodonov <eugeni@mandriva.com> 0.50.12-1mdv2009.0
+ Revision: 510609
- 0.50.12:
- Crrectly change file permissions (#57793)

* Mon Jan 05 2009 Vincent Danen <vdanen@mandriva.com> 0.50.11-1.1mdv2009.0
+ Revision: 325087
- build for updates

  + Eugeni Dodonov <eugeni@mandriva.com>
    - 0.50.11
    - Correctly handle permit_root_login in sshd_config on level change
      (#19726).
    - Handle multibyte characters in msec reports (#26773).

  + root <root>
    - Branching 2009.0 release for updates.

* Tue Sep 30 2008 Thierry Vignaud <tvignaud@mandriva.com> 0.50.10-1mdv2009.0
+ Revision: 290111
- cron entry:
  o blacklist cifs instead of only smbfs for samba
  o exclude /media from searching like /mnt is
  o run with idle IOnice priority (#42795)

* Tue Jun 17 2008 Thierry Vignaud <tvignaud@mandriva.com> 0.50.9-2mdv2009.0
+ Revision: 223324
- rebuild

* Tue Mar 25 2008 Pixel <pixel@mandriva.com> 0.50.9-1mdv2008.1
+ Revision: 189939
- 0.50.9: do not allow msec to mess with umask=xxx for vfat in level 3 (#37222)

* Fri Mar 07 2008 Thierry Vignaud <tvignaud@mandriva.com> 0.50.8-1mdv2008.1
+ Revision: 181183
- use ionice to reduce I/O pressure when running msec_find and rpm -Va
- packaging cleanups

* Fri Jan 25 2008 Andreas Hasenack <andreas@mandriva.com> 0.50.7-1mdv2008.1
+ Revision: 157928
- 0.50.7: build msec_find with large file support (#36047)

* Fri Jan 25 2008 Andreas Hasenack <andreas@mandriva.com> 0.50.6-1mdv2008.1
+ Revision: 157908
- 0.50.6: strip binary chars from report email (#36848)

* Fri Jan 11 2008 Andreas Hasenack <andreas@mandriva.com> 0.50.5-1mdv2008.1
+ Revision: 148730
- fix infinitely growing kdmrc with set variable AllowShutdown to None (#12821)

* Fri Jan 11 2008 Andreas Hasenack <andreas@mandriva.com> 0.50.4-1mdv2008.1
+ Revision: 148599
- updated to version 0.50.4, which fixes the following:
  - Argument list too long (#36656)
  - msec_find should exclude pipes and sockets when
    reporting writable files (#27530)
  - msec diff (diff_check.sh)  does not take into
    account the chkrootkit reports (#21369)
  - netstat check for open ports doesnt pick up ports
    on ipv6 addr (#19486)
  - need to resolve symlinks before testing for local
    filesystems (#14387)

  + Olivier Blin <oblin@mandriva.com>
    - restore BuildRoot

  + Thierry Vignaud <tvignaud@mandriva.com>
    - kill re-definition of %%buildroot on Pixel's request

* Tue Nov 13 2007 Adam Williamson <awilliamson@mandriva.org> 0.50.3-2mdv2008.1
+ Revision: 108377
- requires python (#35485)
- new license policy


* Mon Mar 05 2007 Guillaume Rousse <guillomovitch@mandriva.org> 0.50.3-1mdv2007.0
+ Revision: 132893
- drop useless and redundant file dependencies
- new version
  spec cleanup

* Mon Mar 05 2007 Olivier Thauvin <nanardon@mandriva.org> 0.50.2-1mdv2007.1
+ Revision: 132772
- 0.50.2: fix (#27956 and #12353)

* Sat Aug 12 2006 Olivier Thauvin <nanardon@mandriva.org> 0.50.1-1mdv2007.0
+ Revision: 55666
- 0.50.1

  + Nicolas Lécureuil <neoclust@mandriva.org>
    - Fix manpages (close ticket #17430)

* Sat Aug 05 2006 Olivier Thauvin <nanardon@mandriva.org> 0.50.0-1mdv2007.0
+ Revision: 52699
- 0.50.0
- Import msec

* Fri Nov 18 2005 Frederic Lepied <flepied@mandriva.com> 0.49.1-1mdk
- fix bug #17921

* Mon Nov 14 2005 Frederic Lepied <flepied@mandriva.com> 0.49-1mdk
- scripts in /etc/profile.d no more config files
- fix bug #19206 by really generating /var/lib/msec/security.conf

* Tue Sep 20 2005 Frederic Lepied <flepied@mandriva.com> 0.48-1mdk
- enable_pam_root_from_wheel: fixed too laxist config in level 2 (bug #18403).

* Sat Sep 10 2005 Frederic Lepied <flepied@mandriva.com> 0.47.5-1mdk
- remove debugging output

* Fri Sep 09 2005 Frederic Lepied <flepied@mandriva.com> 0.47.4-1mdk
- fixed security.conf path (bug #18271).
- security.sh fix parsing of rpm -Va (bug #18326 , Michael Reinsch).
- security.sh: don't check sysfs and usbfs file system (bug #14359).
- make msec.sh bourne shell compatible.
- allow_xserver_to_listen: adapt to new way of specifying X server
arguments for kdm (bug #15759).

* Fri Sep 02 2005 Frederic Lepied <flepied@mandriva.com> 0.47.3-1mdk
- make /etc/rc.d/init.d/functions always readable (bug #18080)

* Thu Aug 18 2005 Frederic Lepied <flepied@mandriva.com> 0.47.2-1mdk
- another fix for bug #17477

* Wed Aug 17 2005 Frederic Lepied <flepied@mandriva.com> 0.47.1-1mdk
- really fix bug #17477

* Sat Aug 13 2005 Frederic Lepied <flepied@mandriva.com> 0.47-1mdk
- security_check.sh: fix user or homedir with spaces in
  (bug #16237).
- perm.*: o /etc/rc.d/init.d/xprint exception
          o  manage apache files (Guillaume Rousse) (bug #12183)
- allow_user_list: fixed kdmrc settings.
- support new inittab syntax for single user mode.
- fix parsing of new chage output (bug #17477).
- Perms.py: more robust parsing
- fixed wrong kdmrc values (bug #16268).
- follow new Single user need in inittab.

* Sat Jun 18 2005 Frederic Lepied <flepied@mandriva.com> 0.46-1mdk
- Mandriva
- new function enable_pam_root_from_wheel to allow transparent root
  access for the wheel group members.

* Mon Mar 21 2005 Frederic Lepied <flepied@mandrakesoft.com> 0.45.1-1mdk
- allow to use the variable CHKROOTKIT_OPTION as an argument to
chkrootkit (Michael, bug #12687).
- fixed documentation of the use of the current keyword (bug #12866).
- fixed password_history.

* Mon Feb 21 2005 Frederic Lepied <flepied@mandrakesoft.com> 0.45-1mdk
- requires mailx (bug #13497).
- fixed the permissions of sendmail symlinks (bug #13515).
- allow to put an EXCLUDE_REGEXP variable in
/etc/security/msec/security.conf to be used in msec_find (bug #508).

* Fri Oct 01 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.44.2-1mdk
- fix allow_reboot

* Sat Jul 31 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.44.1-1mdk
- fix directory creation code

* Sat Jul 31 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.44-1mdk
- new function allow_xauth_from_root
- the perm.local config file is now forcing permissions even if it's lowering the security.
- install translated man pages
- Mandrakelinux/Mandrakesoft

* Thu Jul 08 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.43-1mdk
- fixed again mailman permissions for mailman in level 3 (bug #9319)
- use getent to parse the passwd database (bug #9904)
- fix msec.csh (Pixel)
- more servers in level 4 (Florin)

* Sat Apr 24 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.42.2-1mdk
- corrected mailman log permissions (Guillaume Rousse bug #9319)

* Sun Mar 21 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.42.1-1mdk
- check files on / in the daily check (workaround strange ntfw bug #9121)