G’day.
I modified the spec file from the suricata src.rpm, added some build options, and fixed the missing install of suricata-update. I built the package, installed it, and tested it. I would like to add some additional unbundled local conf files related to suricata-update and install them in _sysconfdir, but when I try adding those files I get several errors about BUILDROOT not having those files. Please let me know how to do this.
Here is the modified suricata.spec
#
# spec file for package suricata
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# Optional Hyperscan support. The build conditional is only declared on
# suse_version > 1500 for ix86/x86_64, and bcond_with leaves it switched off
# unless the build is started with "--with hyperscan".
%if 0%{?suse_version} > 1500
%ifarch %{ix86} x86_64
%bcond_with hyperscan
%endif
%endif
Name: suricata
Version: 4.1.4
Release: 1.15
Summary: Open Source Next Generation Intrusion Detection and Prevention Engine
License: GPL-2.0-only
Group: Productivity/Networking/Security
URL: https://www.openinfosecfoundation.org/
Source0: https://www.openinfosecfoundation.org/download/suricata-%{version}.tar.gz
# Source1 is the detached signature for Source0. Nothing visible in this spec
# checks it (the prep section only unpacks the tarball and edits the man page),
# so the authenticity of the tarball rests on whoever fetched it.
# NOTE(review): ship the upstream signing keyring as an additional Source and
# verify the signature before unpacking -- confirm how your build service
# expects that to be wired up.
Source1: https://www.openinfosecfoundation.org/download/suricata-%{version}.tar.gz.sig
# Local packaging files; the install section places them as the systemd unit,
# the sysconfig template, the logrotate snippet and the tmpfiles.d snippet.
Source2: suricata.service
Source3: suricata.sysconfig
Source4: suricata.logrotate
Source5: suricata-tmpfiles.conf
# NOTE(review): the install section copies update.yaml, disable.conf,
# drop.conf, enable.conf and modify.conf by bare name, yet none of them is
# declared as a Source here. If they are local additions rather than part of
# the tarball, each needs its own SourceN tag so it is carried in the source
# RPM and can be installed from there.
BuildRequires: post-build-checks
BuildRequires: rust
# hiredis is requested twice: here by package name and below via pkgconfig.
BuildRequires: hiredis-devel
BuildRequires: coccinelle
BuildRequires: file-devel
BuildRequires: libnet-devel
BuildRequires: libpcap-devel
BuildRequires: pkgconfig
BuildRequires: python
# Provides the service and tmpfiles scriptlet macros used further down.
BuildRequires: systemd-rpm-macros
BuildRequires: pkgconfig(geoip)
BuildRequires: pkgconfig(hiredis)
BuildRequires: pkgconfig(htp)
BuildRequires: pkgconfig(jansson)
BuildRequires: pkgconfig(libcap-ng)
BuildRequires: pkgconfig(libnetfilter_log)
BuildRequires: pkgconfig(libnetfilter_queue)
BuildRequires: pkgconfig(libnfnetlink)
BuildRequires: pkgconfig(libpcre)
BuildRequires: pkgconfig(libprelude)
BuildRequires: pkgconfig(lua)
BuildRequires: pkgconfig(nspr)
BuildRequires: pkgconfig(nss)
BuildRequires: pkgconfig(yaml-0.1)
BuildRequires: pkgconfig(zlib)
Requires(pre): %fillup_prereq
# The pre scriptlet may create the suricata account, so useradd must be
# present before it runs.
Requires(pre): /usr/sbin/useradd
Recommends: jq
Recommends: logrotate
%{?systemd_requires}
# Only pulled in when the hyperscan conditional above is enabled.
%if 0%{with hyperscan}
BuildRequires: pkgconfig(libhs)
%endif
%description
The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.
OISF is part of and funded by the Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members.
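%prep
# Unpack Source0 quietly.
# NOTE(review): the detached signature listed as Source1 is not checked
# anywhere in this section, so a tampered tarball would be unpacked and built
# without complaint. Verify it before this step.
%setup -q
# Fix path in manpage: remove every occurrence of the "<prefix>/local" string.
sed -i 's|%{_prefix}/local||g' doc/userguide/suricata.1
%build
# Configure switches, grouped by purpose:
#  - gccmarch-native=no keeps the binaries from being tuned to the CPU of the
#    build host; gccprotect asks configure to use the compiler hardening
#    options it detects.
#  - non-bundled-htp links against the system libhtp, so fixes to that parser
#    arrive through the distribution package rather than a bundled copy.
#  - the remaining switches select capture methods, outputs and scripting.
# Each option appears exactly once; the include directory for
# libnetfilter_log is looked up through pkg-config using $(...) substitution.
# No comment lines may be placed inside the continued command itself.
%configure \
  --enable-gccmarch-native=no \
  --enable-gccprotect \
  --enable-non-bundled-htp \
  --enable-rust \
  --enable-nflog \
  --with-libnetfilter_log-includes="$(pkg-config libnetfilter_log --variable=includedir)" \
  --enable-nfqueue \
  --with-libnspr-includes=/usr/include/nspr4 \
  --with-libnss-includes=/usr/include/nss3 \
  --enable-prelude \
  --enable-old-barnyard2 \
  --enable-geoip \
  --enable-lua \
  --enable-jansson \
%if 0%{with hyperscan}
  --enable-hyperscan \
%endif
  --enable-hiredis
make %{?_smp_mflags}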
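%install
%make_install
# Create the directories that are populated or packaged below.
mkdir -p %{buildroot}%{_localstatedir}/log/suricata
mkdir -p %{buildroot}%{_localstatedir}/lib/suricata
mkdir -p %{buildroot}%{_sysconfdir}/suricata
mkdir -p %{buildroot}%{_sbindir}
mkdir -p %{buildroot}%{_tmpfilesdir}
mkdir -p %{buildroot}/run
# Default configuration shipped from the unpacked source tree.
cp *.config %{buildroot}%{_sysconfdir}/suricata/
cp suricata.yaml %{buildroot}%{_sysconfdir}/suricata/
cp -R rules %{buildroot}%{_sysconfdir}/suricata/
# The recursive copy also brings along the automake files that sit next to the
# rule files in the source tree (Makefile, Makefile.am, Makefile.in). Build
# artefacts have no place in the rules directory, so drop them again.
rm -f %{buildroot}%{_sysconfdir}/suricata/rules/Makefile*
# NOTE(review): these five files are copied by bare name, which resolves
# against the unpacked source directory this section runs in. If they are
# local additions that are not part of the tarball, the copy only works when
# someone has placed them there by hand. The reproducible way is to declare
# each one as a SourceN tag in the preamble and install it from there with
# "install -m 0644" and the matching SOURCE macro, so the files travel inside
# the source RPM.
cp -a disable.conf %{buildroot}%{_sysconfdir}/suricata/
cp -a drop.conf %{buildroot}%{_sysconfdir}/suricata/
cp -a enable.conf %{buildroot}%{_sysconfdir}/suricata/
cp -a modify.conf %{buildroot}%{_sysconfdir}/suricata/
cp -a update.yaml %{buildroot}%{_sysconfdir}/suricata/
# Remove the documentation copy and the byte-compiled files left by
# "make install", then make the suricatasc module executable.
rm -rf %{buildroot}/%{_datadir}/doc/suricata
rm -f %{buildroot}/%{python_sitelib}/suricata/sc/suricatasc.pyc
rm -f %{buildroot}/%{python_sitelib}/suricata/sc/__init__.pyc
chmod 755 %{buildroot}/%{python_sitelib}/suricata/sc/suricatasc.py
# Packaging files from Source2..Source5. Note that the tmpfiles.d snippet is
# installed under the package name (suricata.conf), not under its source file
# name suricata-tmpfiles.conf.
install -Dpm 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.service
install -Dpm 0644 %{SOURCE3} %{buildroot}%{_fillupdir}/sysconfig.%{name}
install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
install -Dpm 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
# NOTE(review): this runtime directory is created in the build root but no
# entry in the files list packages it; presumably the tmpfiles.d snippet is
# what creates it on the installed system -- confirm against its contents.
install -d -m 0755 %{buildroot}/run/%{name}/
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcsuricata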
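%pre
%service_add_pre %{name}.service
# Create the service account only if it does not exist yet: a system account
# (-r) without a home directory being created (-M) and without a login shell.
getent passwd suricata >/dev/null || useradd -r -M -s /sbin/nologin suricata
%post
%service_add_post %{name}.service
%fillup_only
# Apply the packaged tmpfiles.d snippet right away. Without this step the
# entries it declares are only acted on at the next boot or the next manual
# systemd-tmpfiles run. The snippet is installed as suricata.conf in the
# tmpfiles.d directory, not under its source name suricata-tmpfiles.conf.
%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
# The log directory is already listed in the files section with mode 750 and
# owner suricata. This call only has an effect if the directory is missing,
# and would then create it with root's default ownership and mode.
mkdir -p %{_localstatedir}/log/suricata
%preun
%service_del_preun %{name}.service
%postun
%service_del_postun %{name}.service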
%files
# Payload manifest.
# NOTE(review): several paths below are listed more than once with different
# attributes: the whole /etc/suricata tree and then individual files and
# directories inside it, the man page glob and the explicit man page, the unit
# file, the log directory (once as a directory, once as a ghost entry), and
# the datadir rules followed by a datadir glob. rpmbuild warns about paths
# listed twice, and the effective owner and mode become hard to read off the
# spec. Collapsing to one entry per path makes the shipped permissions
# auditable.
%license COPYING
%attr(644,root,root) %{_mandir}/man1/*
%doc doc/AUTHORS doc/Basic_Setup.txt doc/GITGUIDE doc/INSTALL.PF_RING doc/Setting_up_IPSinline_for_Linux.txt doc/Third_Party_Installation_Guides.txt doc/TODO
# NOTE(review): no space separates the directive from the path on the next
# line. The entry names the directory itself, so it pulls in everything the
# install section placed below /etc/suricata.
%config(noreplace)%{_sysconfdir}/suricata
%{_bindir}/suricata
%{_bindir}/suricatasc
%{_bindir}/suricatactl
%{_bindir}/suricata-update
%{_sbindir}/rcsuricata
%{python_sitelib}/suricata*
# Engine and updater configuration, kept on upgrade (noreplace) and owned by
# the suricata account.
# NOTE(review): if the engine runs as that account, a compromised engine
# process can rewrite its own detection configuration. Root ownership with
# group read access for suricata would avoid that -- confirm against how the
# service and suricata-update are actually run on this system.
%config(noreplace) %attr(-,suricata,-) %{_sysconfdir}/%{name}/suricata.yaml
%config(noreplace) %attr(-,suricata,-) %{_sysconfdir}/%{name}/update.yaml
%config(noreplace) %attr(-,suricata,-) %{_sysconfdir}/%{name}/drop.conf
%config(noreplace) %attr(-,suricata,-) %{_sysconfdir}/%{name}/disable.conf
%config(noreplace) %attr(-,suricata,-) %{_sysconfdir}/%{name}/enable.conf
%config(noreplace) %attr(-,suricata,-) %{_sysconfdir}/%{name}/modify.conf
%attr(644,root,root) %{_unitdir}/suricata.service
%config(noreplace) %attr(644,root,root) %{_sysconfdir}/logrotate.d/%{name}
# Log, configuration and rules directories: mode 750, owner suricata, group
# root, so other local users cannot read them. The same ownership caveat as
# for the config files applies to the two directories under /etc.
%attr(750,suricata,root) %dir %{_var}/log/%{name}
%attr(750,suricata,root) %dir %{_sysconfdir}/%{name}
%attr(750,suricata,root) %dir %{_sysconfdir}/%{name}/rules
# Rule files under the data directory stay root-owned and world-readable.
%attr(755,root,root) %dir %{_datadir}/%{name}/rules
%attr(644,root,root) %{_datadir}/%{name}/rules/*
%{_datadir}/suricata*
# Ghost entry: the path is owned by the package without being shipped in the
# payload. It names the same log directory that is listed as a real directory
# with explicit attributes above.
%ghost %{_localstatedir}/log/suricata
%{_mandir}/man1/suricata.1%{?ext_man}
%dir %{_localstatedir}/lib/suricata
%{_unitdir}/%{name}.service
# The tmpfiles.d snippet from Source5, installed under the package name.
%{_tmpfilesdir}/%{name}.conf
The tmpfilesdir file suricata-tmpfiles.conf doesn’t get installed.
The files I want to add from local directory are - update.yaml, disable.conf, drop.conf, enable.conf & modify.conf
In addition, the reproduced RPM is dumping Makefile* files into /etc/suricata/rules:
[Sun Jun 23 20:43:48 root@neon /usr/src/packages/SPECS]
# ls /etc/suricata/rules/
app-layer-events.rules dnp3-events.rules files.rules ipsec-events.rules Makefile Makefile.in nfs-events.rules smb-events.rules stream-events.rules
decoder-events.rules dns-events.rules http-events.rules kerberos-events.rules Makefile.am modbus-events.rules ntp-events.rules smtp-events.rules tls-events.rules
Please let me know what needs to be done for removing those Makefiles.