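## START: Set by rpmautospec
## (rpmautospec version 0.8.1)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
    release_number = 4;
    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
    print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
## END: Set by rpmautospec

# Spec for the credcheck PostgreSQL extension, built against a private copy
# of PostgreSQL that is compiled inside the build section.
#
# Build flow, as written below:
#   1. prep unpacks credcheck (Source0) and PostgreSQL (Source2, via -a 2).
#   2. build configures, compiles and stages PostgreSQL under /tmp/pgsql,
#      then builds credcheck against the staged pg_config.
#   3. install installs credcheck, moves its files out of the mirrored
#      /tmp/pgsql tree inside the buildroot, and removes the staging areas.
# Nothing from the PostgreSQL build is listed in the files sections; only
# the credcheck artifacts (and the SELinux CIL module) are packaged.
#
# NOTE(review): neither Source0 nor Source2 is verified in this spec (no
# signature or checksum step is visible here). Integrity presumably rests
# on what the build system records outside this file - confirm.

# Controls whether cracklib is used during the build of the package.
# Building without cracklib results in the package not having the
# deny_easy_pass functionality (checking for easily crackable passwords
# using cracklib and dictionaries).
%bcond_without cracklib

# Holds the SELinux policy type (targeted) for ease of access and
# modification if the SELinux policy changes.
%global selinuxtype targeted
%global with_selinux 1

# PostgreSQL version and major version to build with.
# Only the staged pg_config and what it points to are used from this build;
# the extension runs inside whichever postgresql-server the Requires below
# admits.
%global postgres_major_version 16
%global postgres_version %{postgres_major_version}.8

# PostgreSQL feature switches for easy handling of %%configure
# during the build of postgresql. Each one can be overridden from the
# rpmbuild command line because it is only set when not already defined.
%{!?upgrade:%global upgrade 1}
%{!?plpython3:%global plpython3 1}
%{!?pltcl:%global pltcl 1}
%{!?plperl:%global plperl 1}
%{!?ssl:%global ssl 1}
%{!?icu:%global icu 1}
%{!?kerberos:%global kerberos 1}
%{!?ldap:%global ldap 1}
%{!?nls:%global nls 1}
%{!?uuid:%global uuid 1}
%{!?xml:%global xml 1}
%{!?pam:%global pam 1}
%{!?selinux:%global selinux 1}

%global upstream_name credcheck

Name:           postgresql%{postgres_major_version}-%{upstream_name}
Version:        3.0
Release:        %autorelease
Summary:        PostgreSQL extension for credential checking
License:        PostgreSQL
URL:            https://github.com/HexaCluster/%{upstream_name}
Source0:        https://github.com/HexaCluster/%{upstream_name}/archive/refs/tags/v%{version}.tar.gz
Source2:        https://ftp.postgresql.org/pub/source/v%{postgres_version}/postgresql-%{postgres_version}.tar.bz2

%if %{with cracklib}
# A SELinux rule template to enable reading of the dictionaries
# provided by the cracklib-dict package;
# an augmented version of the rule used by cracklib-password-check-plugin
# for mariadb: https://mariadb.com/kb/en/cracklib-password-check-plugin/
Source1:        %{upstream_name}.cil
# Patch containing the changes to the Makefile necessary to compile the
# package to use the cracklib package, as mentioned in README.md on lines
# 42 and 43:
# https://github.com/HexaCluster/credcheck/blob/master/README.md
Patch0:         enable_cracklib.patch
%endif

# Patch containing the latest license change taken from commit:
# https://github.com/HexaCluster/credcheck/commit/db7c811a02f286b9ba3e81a219826bf47eca6d4e
Patch1:         upstream_db7c811a02f286b9ba3e81a219826bf47eca6d4e.patch

# Patch containing the extra flag for the make process to include link
# time optimization, to make sure the code is optimized during linking:
# https://en.wikipedia.org/wiki/Interprocedural_optimization#WPO_and_LTO
Patch2:         lto_optimization.patch

# BuildRequires for postgresql
BuildRequires:  lz4-devel
BuildRequires:  perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
BuildRequires:  perl(ExtUtils::Embed), perl-devel
BuildRequires:  perl(Opcode)
BuildRequires:  perl-generators
BuildRequires:  readline-devel zlib-devel
BuildRequires:  multilib-rpm-config
BuildRequires:  docbook-style-xsl

# Additional BuildRequires for postgresql that can be
# turned off using the switches above.
%if %plpython3
BuildRequires:  python3-devel
%endif

%if %pltcl
BuildRequires:  tcl-devel
%endif

%if %ssl
BuildRequires:  openssl-devel
%endif

%if %kerberos
BuildRequires:  krb5-devel
%endif

%if %ldap
BuildRequires:  openldap-devel
%endif

%if %nls
BuildRequires:  gettext >= 0.10.35
%endif

%if %uuid
BuildRequires:  uuid-devel
%endif

%if %xml
BuildRequires:  libxml2-devel libxslt-devel
%endif

%if %pam
BuildRequires:  pam-devel
%endif

%if %selinux
BuildRequires:  libselinux-devel
%endif

%if %icu
BuildRequires:  libicu-devel
%endif

BuildRequires:  make gcc
%if %{with cracklib}
BuildRequires:  cracklib-devel cracklib-dicts
%endif

# The runtime server must be a 16.x release, matching the major version the
# extension is compiled against.
Requires:       postgresql-server > 15 postgresql-server < 17
%if %{with cracklib}
Requires:       cracklib-dicts
%if 0%{?with_selinux}
# Pull in the policy subpackage only on hosts that carry the targeted policy.
Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif
%endif

%description
The credcheck PostgreSQL extension provides few general credential checks,
which will be evaluated during the user creation, during the password change
and user renaming. By using this extension, we can define a set of rules:

    allow a specific set of credentials
    reject a certain type of credentials
    deny password that can be easily cracked
    enforce use of an expiration date with a minimum of day for a password
    define a password reuse policy
    define the number of authentication failure allowed before a user is banned

This extension provides all the checks as configurable parameters.
The default configuration settings, will not enforce any complex checks
and will try to allow most of the credentials.
By using SET credcheck. TO ; command,
enforce new settings for the credential checks.
The settings can only be changed by a superuser.

%if %{with cracklib} && 0%{?with_selinux}
# The SELinux subpackage
%package selinux
Summary:        %{upstream_name} SELinux policy
BuildArch:      noarch
BuildRequires:  selinux-policy-%{selinuxtype}
Requires:       selinux-policy-%{selinuxtype}
# NOTE(review): this names "credcheck", but the main package defined in this
# spec is called postgresql16-credcheck and no Provides for the bare upstream
# name is visible here, so the weak dependency looks unsatisfiable - confirm
# whether the main package name was intended.
Recommends:     %{upstream_name} = %{version}-%{release}
Requires(post): libselinux-utils selinux-policy-%{selinuxtype} policycoreutils

%description selinux
SELinux policy for the %{upstream_name} to ensure the dictionaries
installed by the cracklib-dicts package are reachable by this package.
%endif

%prep
# -a 2 additionally unpacks the PostgreSQL tarball inside the credcheck tree.
%setup -q -n %{upstream_name}-%{version} -a 2

%if %{with cracklib}
%patch -P0 -p1
%endif
%patch -P1 -p1
%patch -P2 -p1

%build
# The build of postgresql
cd postgresql-%{postgres_version}

common_configure_options='
	--disable-rpath
%if %plperl
	--with-perl
%endif
%if %pltcl
	--with-tcl
	--with-tclconfig=/usr/%_lib
%endif
%if %ldap
	--with-ldap
%endif
%if %ssl
	--with-openssl
%endif
%if %pam
	--with-pam
%endif
%if %kerberos
	--with-gssapi
%endif
%if %uuid
	--with-ossp-uuid
%endif
%if %xml
	--with-libxml
	--with-libxslt
%endif
%if %nls
	--enable-nls
%endif
%if %selinux
	--with-selinux
%endif
	--with-system-tzdata=/usr/share/zoneinfo
	--datadir=%_datadir/pgsql
	--with-lz4
%if %icu
	--with-icu
%endif
%if %plpython3
	--with-python
%endif
'

# Holds the installed files from postgresql.
# NOTE(review): this is a fixed path in a shared temporary directory, and the
# pg_config staged here is executed by both the build and install sections.
# Plain mkdir (no -p) is kept on purpose: it fails when the path already
# exists, so a directory prepared by someone else is never reused. A private
# location under the build tree would be the more robust choice; that also
# means changing the PG_CONFIG paths and the mv sources below together.
mkdir /tmp/pgsql

# Configures postgresql
%configure $common_configure_options

# Builds postgresql
%make_build

# Installs the files provided by postgresql into /tmp/pgsql
make install DESTDIR=/tmp/pgsql

cd ..

# The build of credcheck starts here.
# This provides the absolute path to pg_config, which is required to build
# credcheck.
%make_build PG_CONFIG=/tmp/pgsql%{_bindir}/pg_config

%install
%make_install PG_CONFIG=/tmp/pgsql%{_bindir}/pg_config

# Creates the credcheck directory to contain the update scripts
mkdir -p %{buildroot}%{_datadir}/%{upstream_name}

# Creates the directories needed for the files of credcheck
mkdir -p %{buildroot}%{_datadir}/pgsql/extension
mkdir -p %{buildroot}%{_libdir}/pgsql

# Moves the installed files from the dummy dir containing the local build
# of postgresql into their proper places. credcheck's install step placed them
# under a mirrored /tmp/pgsql tree inside the buildroot.
mv %{buildroot}/tmp/pgsql%{_datadir}/pgsql/extension/%{upstream_name}--*--*.sql %{buildroot}%{_datadir}/%{upstream_name}
mv %{buildroot}/tmp/pgsql%{_datadir}/pgsql/extension/%{upstream_name}--%{version}.0.sql %{buildroot}%{_datadir}/pgsql/extension
mv %{buildroot}/tmp/pgsql%{_datadir}/pgsql/extension/%{upstream_name}.control %{buildroot}%{_datadir}/pgsql/extension
mv %{buildroot}/tmp/pgsql%{_libdir}/postgresql/%{upstream_name}.so %{buildroot}%{_libdir}/pgsql/

%if %{with cracklib} && 0%{?with_selinux}
install -D -m 0644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{upstream_name}.cil
%endif

# Cleans up the mirrored staging tree left inside the buildroot
rm -rf %{buildroot}/tmp

# Cleans up the local build of postgresql itself. The line above only removes
# the copy inside the buildroot; the PostgreSQL files were staged in the real
# /tmp/pgsql, which would otherwise be left behind on the build host and make
# the next build on that host stop at the mkdir in the build section.
rm -rf /tmp/pgsql

%if %{with cracklib} && 0%{?with_selinux}
# Installing SELinux rules (module priority 200)
%post selinux
%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/%{selinuxtype}/%{upstream_name}.cil

# Removing SELinux rules; $1 is 0 only on full removal, not on upgrade
%postun selinux
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{upstream_name}
fi
%endif

%files
%doc README.md
%license LICENSE
%{_libdir}/pgsql/%{upstream_name}.so
%{_datadir}/pgsql/extension/%{upstream_name}--%{version}.0.sql
%{_datadir}/pgsql/extension/%{upstream_name}.control
%{_datadir}/%{upstream_name}/%{upstream_name}--*--*.sql
%dir %{_datadir}/%{upstream_name}

%if %{with cracklib} && 0%{?with_selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{upstream_name}.cil
# The installed module is created by the post scriptlet, not shipped as a
# file, so it is owned as a ghost and excluded from content verification.
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{upstream_name}
%endif

%changelog
## START: Generated by rpmautospec
* Fri May 16 2025 Pavol Sloboda - 3.0-4
- Uncommitted changes

* Fri May 16 2025 Pavol Sloboda - 3.0-3
- Added the necessary build for postgresql to acommodate the modularity of
  epel8
  This means:
    * a minimal build of postgresql16 inside the build phase
    * "installation" of said builds files into a temporary dir (/tmp/pgsql)
      to ease it's deletion later
    * passing the pg_config files location as an rgument to the
      %%make_build and %%make_install of credcheck
    * creation of all the necessary directories since ppostgresql is
      located in a weird spot so they won't be created by it
    * moving all the necessary files of credcheck:
        - credcheck.control
        - credcheck.so
        - credcheck--%%{version}.0.sql
        - credcheck--*--*.sql (the "update" files)
      to their proper place as they will be installed inside the dir that
      postgresql is in, this cannot be overriden using destdir or any other
      means known to me and is caused by the call of pgxs.mk provided by
      postgresql-server-devel inside the makefile of credcheck
      (the location of pgxs.mk can be found using: /usr/bin/pg_config --pgxs)
    * removing the installed files of postgresql16 (as mentioned above they
      are all in /tmp/pgsql)

* Thu May 15 2025 Pavol Sloboda - 3.0-2
- Changed the filepath inside the lto_optimization patch since the target
  file cannot be found without using autosetup inside the spec file.

* Tue May 13 2025 Pavol Sloboda - 3.0-1
- Initial commit conatining the clone of the rwarhide branch with a new
  source of postgresql 16.8 and the removal of Requires and BuildRequires
  of postgresql-server and postgresql-server-devel to get around the
  modularity of epel8 during build

## END: Generated by rpmautospec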