!113 move files about anchor and pem to separate package

From: @eaglegai 
Reviewed-by: @renmingshuai 
Signed-off-by: @renmingshuai

tmpfiles-unbound.conf

@@ -1 +1 @@
-D /var/run/unbound 0755 unbound unbound -
+D /run/unbound 0755 unbound unbound -

unbound.conf

@@ -805,7 +805,7 @@ remote-control:
 	# Enable remote control with unbound-control(8) here.
 	# set up the keys and certificates with unbound-control-setup.
 	# Note: required for unbound-munin package
-	control-enable: yes
+	control-enable: no
 
 	# Set to no and use an absolute path as control-interface to use
 	# a unix local named pipe for unbound-control.

unbound.service

@@ -13,7 +13,7 @@ EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
 ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
-ExecReload=/usr/sbin/unbound-control reload
+ExecReload=+/bin/kill -HUP $MAINPID
 
 [Install]
 WantedBy=multi-user.target

unbound.spec

@@ -2,7 +2,7 @@
 
 Name:          unbound
 Version:       1.13.2
-Release:       7
+Release:       12
 Summary:       Unbound is a validating, recursive, caching DNS resolver
 License:       BSD
 Url:           https://nlnetlabs.nl/projects/unbound/about/
@@ -27,6 +27,7 @@ Patch2:        backport-CVE-2022-30698-and-CVE-2022-30699.patch
 Patch3:        backport-CVE-2022-3204.patch
 Patch4:        backport-Undefine-shift-in-sldns_str2wire_hip_buf.patch
 Patch5:        backport-Integer-overflow-in-sldns_wire2str_pkt_scan.patch
+Patch6:        backport-CVE-2023-50387_CVE-2023-50868.patch
 
 BuildRequires: make flex swig pkgconfig systemd
 BuildRequires: libevent-devel expat-devel openssl-devel python3-devel
@@ -34,6 +35,7 @@ BuildRequires: gcc
 
 %{?systemd_requires}
 Requires:      %{name}-libs = %{version}-%{release}
+Requires:      %{name}-anchor = %{version}-%{release}
 
 %description
 Unbound is a validating, recursive, caching DNS resolver. It is designed
@@ -51,6 +53,13 @@ Requires(pre): shadow-utils
 %description libs
 Libraries for %{name}.
 
+%package anchor
+Requires: %{name}-libs = %{version}-%{release}
+Summary: DNSSEC trust anchor maintaining tool
+
+%description anchor
+Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm.
+
 %package devel
 Summary:       Libraries and header files
 Requires:      %{name}-libs = %{version}-%{release} openssl-devel pkgconfig
@@ -88,7 +97,7 @@ popd
             --enable-relro-now --enable-pie \\\
             --enable-subnet --enable-ipsecmod \\\
             --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
-            --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\
+            --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
             --enable-sha2 --disable-gost --enable-ecdsa \\\
             --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
             --enable-linux-ip-local-port-range
@@ -133,7 +142,7 @@ do
   echo ".so man3/libunbound.3" > $RPM_BUILD_ROOT%{_mandir}/man3/$mpage ;
 done
 
-install -d $RPM_BUILD_ROOT%{_localstatedir}/run/unbound
+install -d $RPM_BUILD_ROOT%{_rundir}/unbound
 
 install -d $RPM_BUILD_ROOT%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
 install -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/unbound/keys.d/
@@ -152,10 +161,11 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
 %systemd_post unbound.service
 %systemd_post unbound-keygen.service
 
-%post libs
-%{?ldconfig}
-%systemd_post unbound-anchor.timer
+%post anchor
+%systemd_post unbound-anchor.service unbound-anchor.timer
+# start the timer only if installing the package to prevent starting it, if it was stopped on purpose
 if [ "$1" -eq 1 ]; then
+    # the Unit is in presets, but would be started after reboot
     /bin/systemctl start unbound-anchor.timer >/dev/null 2>&1 || :
 fi
 
@@ -163,16 +173,15 @@ fi
 %systemd_preun unbound.service
 %systemd_preun unbound-keygen.service
 
-%preun libs
-%systemd_preun unbound-anchor.timer
+%preun anchor
+%systemd_preun unbound-anchor.service unbound-anchor.timer
 
 %postun
 %systemd_postun_with_restart unbound.service
 %systemd_postun unbound-keygen.service
 
-%postun libs
-%{?ldconfig}
-%systemd_postun_with_restart unbound-anchor.timer
+%postun anchor
+%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
 
 %triggerun -- unbound < 1.4.12-4
 /usr/bin/systemd-sysv-convert --save unbound >/dev/null 2>&1 ||:
@@ -190,6 +199,7 @@ popd
 %defattr(-,root,root)
 %doc doc/CREDITS doc/FEATURES doc/README doc/LICENSE
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
+%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
@@ -209,22 +219,14 @@ popd
 
 %files libs
 %defattr(-,root,root)
-%dir %attr(0755,root,root) %{_sysconfdir}/%{name}
 %if %{?openEuler:1}0
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
 %attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
-%{_sysconfdir}/%{name}/icannbundle.pem
 %else
-%attr(0600,root,root) %config %{_sysconfdir}/%{name}/root.key
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
 %attr(0600,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
-%attr(0600,root,root) %{_sysconfdir}/%{name}/icannbundle.pem
 %endif
-%{_sbindir}/unbound-anchor
 %{_libdir}/libunbound.so.*
-%{_unitdir}/unbound-anchor.timer
-%{_unitdir}/unbound-anchor.service
 
 %files -n python3-unbound
 %defattr(-,root,root)
@@ -237,11 +239,49 @@ popd
 %{_libdir}/pkgconfig/*.pc
 %{_includedir}/*
 
+%files anchor
+%dir %attr(0755,root,root) %{_sysconfdir}/%{name}
+%{_sbindir}/unbound-anchor
+%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
+%{_sysconfdir}/%{name}/icannbundle.pem
+%{_unitdir}/unbound-anchor.timer
+%{_unitdir}/unbound-anchor.service
+
 %files help
 %defattr(-,root,root)
 %{_mandir}/man*
 
 %changelog
+* Tue Jun 25 2024 gaihuiying <eaglegai@163.com> - 1.13.2-12
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:move files about anchor and pem to separate package
+
+* Tue Mar 05 2024 gaihuiying <eaglegai@163.com> - 1.13.2-11
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:change ExecReload to fix reload failure
+
+* Tue Feb 27 2024 gaihuiying <eaglegai@163.com> - 1.13.2-10
+- Type:cves
+- CVE:CVE-2024-1488
+- SUG:NA
+- DESC:fix CVE-2024-1488
+
+* Fri Feb 23 2024 gaihuiying <eaglegai@163.com> - 1.13.2-9
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix CVE-2023-50387 CVE-2023-50868
+
+* Fri Mar 03 2023 gaihuiying <eaglegai@163.com> - 1.13.2-8
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:change run directory from /var/run to /run to fix "/usr/lib/tmpfiles.d/unbound.conf:1: xxxx"
+
 * Wed Feb 22 2023 gaihuiying <eaglegai@163.com> - 1.13.2-7
 - Type:bugfix
 - CVE:NA