File _service:obs_scm:fail2ban.spec of Package fail2ban

Name: fail2ban
Version: 0.11.2
Release: 1
Summary: Daemon to ban hosts that cause multiple authentication errors

License: GPLv2+
URL: http://fail2ban.sourceforge.net/
Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
# SELinux policy
Source1: fail2ban.fc
Source2: fail2ban.if
Source3: fail2ban.te
Source4: Makefile
# Give up being PartOf iptables and ipset for now
# https://bugzilla.redhat.com/show_bug.cgi?id=1379141
# https://bugzilla.redhat.com/show_bug.cgi?id=1573185
Patch0: fail2ban-partof.patch

BuildArch: noarch

BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: /usr/bin/2to3
# For testcases
BuildRequires: python3-inotify
BuildRequires: sqlite
BuildRequires: systemd
BuildRequires: selinux-policy-devel

# Default components
Requires: %{name}-firewalld = %{version}-%{release}
Requires: %{name}-sendmail = %{version}-%{release}
Requires: %{name}-server = %{version}-%{release}
# Currently this breaks jails that don't log to the journal
#Requires: %{name}-systemd = %{version}-%{release}

%description
Fail2Ban scans log files and bans IP addresses that makes too many password
failures. It updates firewall rules to reject the IP address. These rules can
be defined by the user. Fail2Ban can read multiple log files such as sshd or
Apache web server ones.

Fail2Ban is able to reduce the rate of incorrect authentications attempts
however it cannot eliminate the risk that weak authentication presents.
Configure services to use only two factor or public/private authentication
mechanisms if you really want to protect services.

This is a meta-package that will install the default configuration.  Other
sub-packages are available to install support for other actions and
configurations.

%package selinux
Summary: SELinux policies for Fail2Ban
%{?selinux_requires}
%global modulename fail2ban
%global selinuxtype targeted

%description selinux
SELinux policies for Fail2Ban.

%package server
Summary: Core server component for Fail2Ban
Requires: python3-systemd
Requires: nftables
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd

%description server
This package contains the core server components for Fail2Ban with minimal
dependencies.  You can install this directly if you want to have a small
installation and know what you are doing.

%package all
Summary: Install all Fail2Ban packages and dependencies
Requires: %{name}-firewalld = %{version}-%{release}
Requires: %{name}-hostsdeny = %{version}-%{release}
Requires: %{name}-mail = %{version}-%{release}
Requires: %{name}-sendmail = %{version}-%{release}
Requires: %{name}-server = %{version}-%{release}
Requires: %{name}-shorewall = %{version}-%{release}
# Currently this breaks jails that don't log to the journal
#Requires: %{name}-systemd = %{version}-%{release}
Requires: perl-interpreter
Requires: python3-inotify
Requires: /usr/bin/whois

%description all
This package installs all of the Fail2Ban packages and dependencies.

%package firewalld
Summary: Firewalld support for Fail2Ban
Requires: %{name}-server = %{version}-%{release}
Requires: firewalld

%description firewalld
This package enables support for manipulating firewalld rules.  This is the
default firewall service in openEuler.

%package hostsdeny
Summary: Hostsdeny (tcp_wrappers) support for Fail2Ban
Requires: %{name}-server = %{version}-%{release}
Requires: ed
Requires: tcp_wrappers

%description hostsdeny
This package enables support for manipulating tcp_wrapper's /etc/hosts.deny
files.

%package tests
Summary: Fail2Ban testcases
Requires: %{name}-server = %{version}-%{release}

%description tests
This package contains Fail2Ban's testscases and scripts.

%package mail
Summary: Mail actions for Fail2Ban
Requires: %{name}-server = %{version}-%{release}
Requires: mailx

%description mail
This package installs Fail2Ban's mail actions.  These are an alternative
to the default sendmail actions.

%package sendmail
Summary: Sendmail actions for Fail2Ban
Requires: %{name}-server = %{version}-%{release}
Requires: /usr/sbin/sendmail

%description sendmail
This package installs Fail2Ban's sendmail actions.  This is the default
mail actions for Fail2Ban.

%package shorewall
Summary: Shorewall support for Fail2Ban
Requires: %{name}-server = %{version}-%{release}
Requires: shorewall
Conflicts: %{name}-shorewall-lite

%description shorewall
This package enables support for manipulating shorewall rules.

%package shorewall-lite
Summary: Shorewall lite support for Fail2Ban
Requires: %{name}-server = %{version}-%{release}
Requires: shorewall-lite
Conflicts: %{name}-shorewall

%description shorewall-lite
This package enables support for manipulating shorewall rules.

%package systemd
Summary: Systemd journal configuration for Fail2Ban
Requires: %{name}-server = %{version}-%{release}

%description systemd
This package configures Fail2Ban to use the systemd journal for its log input
by default.

%prep
%autosetup -p1

# Use Fedora paths
sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf
%if 0%{?openEuler}
2to3 --write --nobackups .
find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3_version},' {} +
%endif

# SELinux sources
cp -p %SOURCE1 %SOURCE2 %SOURCE3 .
sed -i "/use_2to3/d" setup.py

%build
%py3_build
make -f %SOURCE4

%install
%py3_install
ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python

mkdir -p %{buildroot}%{_unitdir}
cp -p build/fail2ban.service %{buildroot}%{_unitdir}/
mkdir -p %{buildroot}%{_mandir}/man{1,5}
install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1
install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -p -m 644 files/fail2ban-logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
install -d -m 0755 %{buildroot}/run/fail2ban/
install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid
install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
mkdir -p %{buildroot}%{_tmpfilesdir}
install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf

# Remove non-Linux actions
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf

# Remove config files for other distros
rm -f %{buildroot}%{_sysconfdir}/fail2ban/paths-{arch,debian,freebsd,opensuse,osx}.conf

# firewalld configuration
cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf <<EOF
# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions.  You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
[DEFAULT]
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
EOF

# systemd journal configuration
cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <<EOF
# This file is part of the fail2ban-systemd package to configure the use of
# the systemd journal as the default backend.  You can remove this package
# (along with the empty fail2ban meta-package) if you do not want to use the
# journal backend
[DEFAULT]
backend=systemd
EOF

# Remove installed doc, use doc macro instead
rm -r %{buildroot}%{_docdir}/%{name}

# SELinux
# install policy modules
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}

#%check
#%if 0%{?rhel} && 0%{?rhel} < 8
#%python2 bin/fail2ban-testcases --verbosity=2 --no-network
#%else
#%python3 bin/fail2ban-testcases --verbosity=2 --no-network
#%endif

%pre selinux
%selinux_relabel_pre -s %{selinuxtype}

%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2

%postun selinux
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
fi

%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}

%post server
%systemd_post fail2ban.service

%preun server
%systemd_preun fail2ban.service

%postun server
%systemd_postun_with_restart fail2ban.service

%files

%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%license COPYING

%files server
%doc README.md TODO ChangeLog COPYING doc/*.txt
%{_bindir}/fail2ban-client
%{_bindir}/fail2ban-python
%{_bindir}/fail2ban-regex
%{_bindir}/fail2ban-server
%{python3_sitelib}/*
%exclude %{python3_sitelib}/fail2ban/tests
%{_unitdir}/fail2ban.service
%{_mandir}/man1/fail2ban.1*
%{_mandir}/man1/fail2ban-client.1*
%{_mandir}/man1/fail2ban-python.1*
%{_mandir}/man1/fail2ban-regex.1*
%{_mandir}/man1/fail2ban-server.1*
%{_mandir}/man5/*.5*
%config(noreplace) %{_sysconfdir}/fail2ban
%exclude %{_sysconfdir}/fail2ban/action.d/complain.conf
%exclude %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf
%exclude %{_sysconfdir}/fail2ban/action.d/mail.conf
%exclude %{_sysconfdir}/fail2ban/action.d/mail-buffered.conf
%exclude %{_sysconfdir}/fail2ban/action.d/mail-whois.conf
%exclude %{_sysconfdir}/fail2ban/action.d/mail-whois-lines.conf
%exclude %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf
%exclude %{_sysconfdir}/fail2ban/action.d/shorewall.conf
%exclude %{_sysconfdir}/fail2ban/jail.d/*.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban
%{_tmpfilesdir}/fail2ban.conf
%dir %{_localstatedir}/lib/fail2ban/
%dir /run/%{name}/
%ghost %verify(not size mtime md5) /run/%{name}/%{name}.pid

%files all

%files firewalld
%config(noreplace) %{_sysconfdir}/fail2ban/jail.d/00-firewalld.conf

%files hostsdeny
%config(noreplace) %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf

%files tests
%{_bindir}/fail2ban-testcases
%{_mandir}/man1/fail2ban-testcases.1*
%{python3_sitelib}/fail2ban/tests

%files mail
%config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf
%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail.conf
%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-buffered.conf
%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-whois.conf
%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-whois-lines.conf

%files sendmail
%config(noreplace) %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf

%files shorewall
%config(noreplace) %{_sysconfdir}/fail2ban/action.d/shorewall.conf

%files shorewall-lite
%config(noreplace) %{_sysconfdir}/fail2ban/action.d/shorewall.conf

%files systemd
%config(noreplace) %{_sysconfdir}/fail2ban/jail.d/00-systemd.conf

%changelog
* Tue Jun 07 2022 Haowu Ge <gehaowu@bitmoe.com> - 0.11.2-1
- Initial Package (Spec file by EPEL Project, patch by Haowu Ge & BitMOE Inc.)