apparmor/apparmor.spec

#
# spec file for package apparmor
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


# warning - confusing syntax ahead ;-)
# bcond_with means "disable"
# bcond_without means "enable"
%bcond_with tomcat
%bcond_without pam
%bcond_without apache
%if 0%{?suse_version} > 0 && 0%{?suse_version} <= 1210
 # disable python and ruby bindings on openSUSE <= 12.1 to avoid problems with rb_sitearch and python_sitearch 
 %bcond_with python
 %bcond_with python3
 %bcond_with ruby
%else
%if 0%{?suse_version} == 1220
 # swig for python3 is broken on 12.2 - probably http://sourceforge.net/p/swig/bugs/1257/ - build python2 bindings instead
 %bcond_without python
 %bcond_with python3
 %bcond_without ruby
%else
 %bcond_with python
 %bcond_without python3
 %bcond_without ruby
%endif
%endif
%bcond_with gnome
%bcond_with dbus
%bcond_with editor

%define CATALINA_HOME /usr/share/tomcat6
%define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
%define JNI_SO libJNIChangeHat.so
%define JAR_FILE changeHatValve.jar
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)

Name:           apparmor
%if ! %{?distro:1}0
%if %{?suse_version:1}0
  %define distro suse
%endif
%if %{?fedora_version:1}0
  %define distro redhat
%endif
%endif
%if ! %{?distro:1}0
  %define distro suse
%endif
Version:        2.8.2
Release:        0
Summary:        AppArmor userlevel parser utility
License:        GPL-2.0+
Group:          Productivity/Networking/Security
Source0:        apparmor-%{version}.tar.gz
Source1:        apparmor-%{version}.tar.gz.asc
Source2:        %{name}.keyring

Source3:        %{name}-profile-editor.png
Source4:        %{name}-profile-editor.desktop
Source5:        update-trans.sh
Source6:        baselibs.conf
Source7:        rpmlintrc

# profile for winbindd (bnc#748499, submitted upstream 2012-11-06, trunk r2078)
Source10:       usr.sbin.winbindd

# profiles for dovecot 2.x (bnc#851984)
Source20:       usr.lib.dovecot.anvil
Source21:       usr.lib.dovecot.auth
Source22:       usr.lib.dovecot.config
Source23:       usr.lib.dovecot.dict
Source24:       usr.lib.dovecot.dovecot-lda
Source25:       usr.lib.dovecot.lmtp
Source26:       usr.lib.dovecot.log
Source27:       usr.lib.dovecot.managesieve
Source28:       usr.lib.dovecot.ssl-params
Source29:       tunables-dovecot

# enable caching of profiles (= massive performance speedup when loading profiles)
Patch1:         apparmor-enable-profile-cache.diff

# include autogenerated profile sniplet for samba shares (bnc#688040)
Patch2:         apparmor-samba-include-permissions-for-shares.diff

# use grep instead of ~~ (smartmatch) because ~~ was marked as experimental again in perl 5.18 (upstream trunk r2158, 2.8 r2088)
Patch3:         apparmor-no-perl-smartmatch-r2088.diff

# abstractions/p11-kit and abstractions/dbus-session update (upstream trunk r2181 and r2182 , 2.8 r2089 and r2090)
Patch4:         apparmor-abstractions-r2089-r2090.diff

# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
Patch5:         apparmor-utils-string-split

# make apparmor/__init__.py ready for the new tools developed in GSoC. Submitted upstream 2013-09-12
Patch6:         apparmor-init.py-gsoc.diff

# fix some (mis)translations in utils/po/de.po (upstream trunk r2186, 2.8 r2091)
Patch7:         apparmor-utils-po-de-r2091.diff

# fix ntpd after configuration change (commited upstream trunk r2188, 2.8 r2092)
Patch8:         apparmor-2.8.2-fix-ntpd-profile.diff

# fix URL in manpages (commited upstream trunk r2189, 2.8 r2093)
Patch9:         apparmor-fix-url-in-manpages-r2093.diff

# fix aa-unconfined to work with all languages (commited upstream trunk r2190, 2.8 r2094)
Patch10:        apparmor-unconfined-lang-r2094.diff

# various permissions needed for Samba 4.1 - bnc#845867 bnc#846054 - commited upstream trunk r2104, 2.8 branch r2254
Patch11:        apparmor-profiles-samba4.diff

# Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
Patch12:        apparmor-2.5.1-edirectory-profile

# dnsmasq - add missing read permisions for libvirt files - bnc#848215 - committed upstream trunk r2238, 2.8 branch r2101
Patch13:        apparmor-profiles-dnsmasq.diff

# ntpd - add missing permissions for drift file at yet another location - bnc#850374 - commited upstream trunk r2252, 2.8 branch r2103
Patch14:        apparmor-profiles-ntpd-r2103.diff

# abstractions/ssl_certs - add /var/lib/ca-certificates/ - bnc#852018 - commited upstream trunk r2255, 2.8 branch r2105
Patch15:        apparmor-abstractions-ssl_certs.diff

# abstractions/samba - allow mkdir /var/run/samba and /var/cache/samba - bnc#856651 - commited upstream trunk r2293, 2.8 branch r2106
Patch16:        apparmor-profiles-samba-create-dirs.diff

# update dovecot profiles for dovecot 2.x (bnc#851984, not upstreamed yet)
Patch17:        apparmor-profiles-dovecot-bnc851984.diff

# create Immunix::SubDomain perl module - only included for openSUSE <= 12.1 - bnc#720617 #c7
Patch21:        apparmor-utils-subdomain-compat

# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
Patch22:        ruby-2_0-mkmf-destdir.patch

# dnsmasq - allow to read config created by recent NetworkManager
Patch23:        apparmor-2.8.2-nm-dnsmasq-config.patch

Url:            https://launchpad.net/apparmor
PreReq:         sed
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
%if %{distro} == "suse"
PreReq:         %{insserv_prereq}
PreReq:         aaa_base
%endif
%define apparmor_bin_prefix /lib/apparmor
BuildRequires:  bison
BuildRequires:  flex
BuildRequires:  gcc-c++
BuildRequires:  latex2html
BuildRequires:  libtool
BuildRequires:  pcre-devel
BuildRequires:  pkg-config
BuildRequires:  python
%if 0%{?suse_version} > 1220
BuildRequires:  gpg-offline
BuildRequires:  texlive-amsfonts
BuildRequires:  texlive-cm-super
%endif
BuildRequires:  texlive-latex
BuildRequires:  w3m

BuildRequires:  swig

%if %{with python}
BuildRequires:  python-devel
BuildRequires:  swig
%endif

%if %{with python3}
BuildRequires:  python3-devel
BuildRequires:  swig
%endif

%if %{with ruby}
BuildRequires:  ruby-devel
BuildRequires:  swig
%endif

%if %{with apache}
BuildRequires:  apache2-devel
%endif

%if %{with tomcat}
BuildRequires:  ant
BuildRequires:  java-devel >= 1.6.0
BuildRequires:  tomcat6
%endif

%if %{with editor}
BuildRequires:  gcc-c++
BuildRequires:  update-desktop-files
BuildRequires:  wxGTK-devel
%endif

%if %{with gnome}
BuildRequires:  gnome-common
BuildRequires:  pkgconfig(dbus-1)
BuildRequires:  pkgconfig(gtk+-2.0)
BuildRequires:  pkgconfig(libgnome-2.0)
BuildRequires:  pkgconfig(libpanelapplet-2.0)
%endif

%if %{with dbus}
BuildRequires:  audit-devel
BuildRequires:  libapparmor-devel
BuildRequires:  pkg-config
BuildRequires:  pkgconfig(dbus-1)
%endif

%package parser
Summary:        AppArmor userlevel parser utility
License:        GPL-2.0+
Group:          Productivity/Networking/Security
Obsoletes:      libimnxcert < %{version}
Obsoletes:      subdomain-leaf-cert < %{version}
Obsoletes:      subdomain-parser < %{version}
Obsoletes:      subdomain-parser-common < %{version}
Obsoletes:      subdomain-parser-demo < %{version}
Obsoletes:      subdomain_parser < %{version}
Provides:       libimnxcert = %{version}
Provides:       subdomain-leaf-cert = %{version}
Provides:       subdomain-parser = %{version}
Provides:       subdomain-parser-common = %{version}
Provides:       subdomain-parser-demo = %{version}
Provides:       subdomain_parser = %{version}
Provides:       apparmor-parser(CAP_SYSLOG)

# initscript needs /lib/lsb/init-functions from insserv/insserv-compat
Requires:       insserv

%description parser
The AppArmor Parser is a userlevel program that is used to load in
program profiles to the AppArmor Security kernel module.

This package is part of a suite of tools that used to be named
SubDomain.

%package docs
Summary:        AppArmor Documentation package
License:        GPL-2.0+
Group:          Documentation/Other
BuildArch:      noarch

%description docs
This package contains documentation for AppArmor.

This package is part of a suite of tools that used to be named
SubDomain.

%if %{with apache}

%package -n apache2-mod_apparmor
Summary:        AppArmor module for apache2
License:        GPL-2.0+
Group:          Productivity/Security

%description -n apache2-mod_apparmor
apache2-modapparmor adds support to apache2 to provide AppArmor
confinement to individual cgi scripts handled by apache modules like
mod_php and mod_perl.

This package is part of a suite of tools that used to be named
SubDomain.

The documentation is in the apparmor-admin_en package.

%endif

%package -n libapparmor1
Summary:        Utility library for AppArmor
License:        LGPL-2.1+
Group:          Development/Libraries/C and C++
%ifarch ppc64
Obsoletes:      libapparmor-64bit < %{version}
Provides:       libapparmor-64bit = %{version}
%endif
Provides:       libapparmor = %{version}
Provides:       libimmunix = %{version}
Obsoletes:      libapparmor < %{version}
Obsoletes:      libimmunix < %{version}

%description -n libapparmor1
This package provides the libapparmor library, which contains the
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
well as functions to parse AppArmor log messages.

%package -n libapparmor-devel
Summary:        Development headers and libraries for libapparmor
License:        LGPL-2.1+
Group:          Development/Libraries/C and C++
Requires:       libapparmor1 = %{version}
Provides:       libapparmor:/usr/include/sys/apparmor.h

%description -n libapparmor-devel
These libraries are needed for developing software that makes use of the
AppArmor API.

%package -n perl-apparmor
Summary:        Perl interface for libapparmor functions
License:        GPL-2.0 and LGPL-2.1+
Group:          Development/Libraries/Perl
Requires:       libapparmor1 = %{version}
Requires:       perl = %{perl_version}
Requires:       perl(DBD::SQLite)
Requires:       perl(Locale::gettext)
Requires:       perl(RPC::XML)
Requires:       perl(RPC::XML)
Requires:       perl(Term::ReadKey)
Requires:       perl(Term::ReadKey)
Provides:       perl-libapparmor = %{version}
Obsoletes:      perl-libapparmor < 2.5

%description -n perl-apparmor
This package provides the perl interface to AppArmor. It is used for perl
applications interfacing with AppArmor, including the AppArmor utilities.

%if %{with python}

%package -n python-apparmor
Summary:        Python 2 interface for libapparmor functions
License:        GPL-2.0 and LGPL-2.1+
Group:          Development/Libraries/Python
BuildRequires:  python
Requires:       libapparmor1 = %{version}
Requires:       python = %{python_version}
Provides:       python-libapparmor = %{version}
Obsoletes:      python-libapparmor < 2.5

%description -n python-apparmor
This package provides the python interface to AppArmor. It is used for python
applications interfacing with AppArmor.

%endif

%if %{with python3}

%package -n python3-apparmor
Summary:        Python 3 interface for libapparmor functions
License:        GPL-2.0 and LGPL-2.1+
Group:          Development/Libraries/Python
Requires:       libapparmor1 = %{version}
Requires:       python(abi) = %{py3_ver}
Provides:       python-libapparmor = %{version}

%description -n python3-apparmor
This package provides the python interface to AppArmor. It is used for python
applications interfacing with AppArmor.

%endif

%if %{with ruby}

%package -n ruby-apparmor
Summary:        Ruby interface for libapparmor functions
License:        GPL-2.0 and LGPL-2.1+
Group:          Development/Languages/Ruby
Requires:       libapparmor1 = %{version}
Requires:       ruby = %(rpm -q --qf '%%{version}' ruby)
Provides:       ruby-libapparmor = %{version}
Obsoletes:      ruby-libapparmor < 2.5

%description -n ruby-apparmor
This package provides the ruby interface to AppArmor. It is used for ruby
applications interfacing with AppArmor.

%endif

%package profiles
Summary:        AppArmor profiles that are loaded into the apparmor kernel module
License:        GPL-2.0 and LGPL-2.1+
Group:          Productivity/Security
Requires:       apparmor-parser(CAP_SYSLOG)
Obsoletes:      subdomain-profiles < %{version}
Provides:       subdomain-profiles = %{version}
BuildArch:      noarch

%description profiles
Base profiles. AppArmor is a file and network mandatory access control
mechanism. AppArmor confines processes to the resources allowed by the
systems administrator and can constrain the scope of potential security
vulnerabilities.

This package is part of a suite of tools that used to be named
SubDomain.

%package utils
Summary:        AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
License:        GPL-2.0 and LGPL-2.1+
Group:          Productivity/Security
Requires:       libapparmor1 = %{version}
Requires:       perl = %{perl_version}
Requires:       perl-apparmor = %{version}
BuildArch:      noarch

%description utils
This package provides the aa-logprof, aa-genprof, aa-autodep,
aa-enforce, and aa-complain tools to assist with profile authoring.
Besides it provides the aa-unconfined server information tool. 
It is part of a suite of tools that used to be named SubDomain.

%if %{with tomcat}

%package -n tomcat_apparmor
Summary:        Tomcat 6 plugin for AppArmor change_hat
License:        GPL-2.0 and LGPL-2.1+
Group:          System/Libraries
Requires:       libapparmor1 = %{version}
Requires:       tomcat6

%description -n tomcat_apparmor
tomcat_apparmor - is a plugin for Apache Tomcat version 6 that
provides support for AppArmor change_hat for creating AppArmor
containers that are bound to discrete elements of processing within the
Tomcat servlet container. The AppArmor containers, or "hats", can be
created for individual URL processing or per servlet.

%endif

%if %{with pam}

%package -n pam_apparmor
Summary:        PAM module for AppArmor change_hat
License:        GPL-2.0 and LGPL-2.1+
Group:          Productivity/Security
BuildRequires:  pam-devel
PreReq:         pam
PreReq:         pam-config
Requires:       pam
Requires:       pam-config

%description -n pam_apparmor
The pam_apparmor module provides the means for any PAM applications
that call pam_open_session() to automatically perform an AppArmor
change_hat operation in order to switch to a user-specific security
policy.

%endif

%if %{with dbus}

%package dbus
Summary:        Audit dispatcher for sending AppArmor events over DBUS
License:        GPL-2.0 and LGPL-2.1+
Group:          System/Monitoring

%description dbus
An audit dispatcher for sending AppArmor events over the DBUS system
bus.

%endif

%if %{with editor}

%package profile-editor
Summary:        AppArmor profile editor
License:        GPL-2.0 and LGPL-2.1+
Group:          Productivity/Editors/Other

%description profile-editor
A syntax highlighting editor for AppArmor profiles.

%endif

%if %{with gnome}

%package -n apparmorapplet-gnome
Summary:        An AppArmor event notification applet for GNOME
License:        GPL-2.0 and LGPL-2.1+
Group:          System/GUI/GNOME

%description -n apparmorapplet-gnome
This taskbar applet receives AppArmor events over DBUS, and notifies
the user when AppArmor prevents an application from functioning.

%endif

%description
The AppArmor Parser is a userlevel program that is used to load in
program profiles to the AppArmor Security kernel module.

This package is part of a suite of tools that used to be named
SubDomain.

%lang_package -n apparmor-utils
%lang_package -n apparmor-parser
%if %{with gnome}
%lang_package -n apparmorapplet-gnome
%endif

%prep
%{?gpg_verify:  %gpg_verify %{S:1}  }
%setup -q
%patch1 -p1
%patch2
%patch3
%patch4
%patch5 -p1
%patch6
%patch7
%patch8
%patch9
%patch10
%patch11
%patch12 -p1
%patch13
%patch14
%patch15
%patch16
%patch17

# only create Immunix::SubDomain perl module for openSUSE <= 12.1 
%if 0%{?suse_version}
%if 0%{?suse_version} <= 1210
%patch21 -p1
%endif
%endif

# Ruby 2.0 mkmf prefixes every path with $(DESTDIR)
%if 0%{?suse_version} > 1230
%patch22 -p1
%endif

# affected NM is shipped since openSUSE >= 13.1
%if 0%{?suse_version} > 1310
%patch23
%endif

# profile for winbindd (bnc#748499, submitted upstream 2012-11-06, trunk r2078)
test ! -e profiles/apparmor.d/usr.sbin.winbindd
cp %{SOURCE10} profiles/apparmor.d/

# profiles for dovecot 2.x (bnc#851984)
test ! -e profiles/apparmor.d/tunables/dovecot
cp %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27} %{SOURCE28} profiles/apparmor.d/
cp %{SOURCE29} profiles/apparmor.d/tunables/dovecot

%build
echo _libdir: %{_libdir}  ruby: %{rb_sitearch}  python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1

export SUSE_ASNEEDED=0
# re-define _libdir to /lib or /lib64
%define _libdir /%{_lib}

echo new _libdir: %{_libdir}  ruby: %{rb_sitearch}  python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1

%if %{with python3}
export PYTHON=/usr/bin/python3
%endif

# libapparmor:
(
  cd ./libraries/libapparmor
  sh ./autogen.sh
  %configure --with-perl \
%if %{with python}%{with python3}
  --with-python \
%else
  --without-python \
%endif
%if %{with ruby}
  --with-ruby \
%else
  --without-ruby \
%endif

  make
  #make check
)

# Utilities:
make -C utils
# make -C utils check

# parser:
make -C parser V=1
# techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough
make -C parser V=1 techdoc.txt
# make -C parser check

# Apache mod_apparmor:
%if %{with apache}
  make -C changehat/mod_apparmor
%endif

# PAM AppArmor:
%if %{with pam}
  make -C changehat/pam_apparmor
%endif

# Profiles:
make -C profiles
# make -C profiles check

##configure --disable-static --with-pic \
#--with-perl \
%if %{with tomcat}
  make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
%endif
%if %{with gnome}
#--with-gnome \
%endif
%if %{with dbus}
#--with-dbus \
%endif
%if %{with editor}
#--with-profileeditor \
%endif

%install
# libapparmor
# override pkgconfigdir for now - TODO: don't redefine libdir when packaging AppArmor 3.0
%makeinstall -C libraries/libapparmor pkgconfigdir=/usr/%{_lib}/pkgconfig/
# create symlink for old change_hat(2) manpage
( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )

# utilities
%makeinstall -C utils
mkdir -p %{buildroot}%{_localstatedir}/log/apparmor

%makeinstall -C profiles

%makeinstall -C parser
# default cache dir is /etc/apparmor.d/cache - not the best location. 
# Use /var/cache/apparmor and make /etc/apparmor.d/cache a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache )

%if %{with apache}
  %makeinstall -C changehat/mod_apparmor
%endif

%if %{with pam}
  %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_libdir}/security
%endif

%if %{with tomcat}
  mkdir -p %{buildroot}/%{CATALINA_HOME}
  %makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME}
%endif

find %{buildroot} -name .packlist -exec rm -f {} \;
find %{buildroot} -name perllocal.pod -exec rm -f {} \;

# Re-create the links to the old names
for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do
	d=$(dirname $file)
	f=$(basename $file)
	if [ "${f#aa-}" != "$f" ]; then
		ln -s $f $d/${f#aa-}
	fi
done

mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8}
mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8}
rm -f %{buildroot}%{_mandir}/man8/decode.8

%if %{with editor}
%suse_update_desktop_file -i %{name}-profile-editor Utility TextEditor
%endif

%if %{with gnome}
%find_lang apparmorapplet-gnome
%endif

for pkg in apparmor-utils apparmor-parser; do
	%find_lang $pkg
done

# remove *.la files
rm -fv %{buildroot}%{_libdir}/libapparmor.la %{buildroot}%{_libdir}/libimmunix.la

echo -------------------------------------------------------------------
#find -ls
echo -------------------------------------------------------------------
#find %{buildroot} -ls
echo -------------------------------------------------------------------

%files docs
%defattr(-,root,root)
%doc parser/*.[1-9].html
%doc common/apparmor.css
%doc parser/techdoc.pdf parser/techdoc/techdoc.html parser/techdoc/techdoc.css parser/techdoc.txt
# apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file
%dir %{_datadir}/apparmor
%{_datadir}/apparmor/apparmor.vim

%files parser
%defattr(-,root,root)
%doc parser/README parser/COPYING.GPL
/sbin/apparmor_parser
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
%dir %{_sysconfdir}/apparmor.d
%{_sysconfdir}/apparmor.d/cache
%dir %{_localstatedir}/cache/apparmor
%if %{distro} == "suse"
  /sbin/rcsubdomain
  /sbin/rcapparmor
  %{_sysconfdir}/init.d/boot.apparmor
%else
  %{_sysconfdir}/init.d/apparmor
%endif
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
%{_localstatedir}/lib/apparmor
%dir %attr(-, root, root) %{apparmor_bin_prefix}
%{apparmor_bin_prefix}/rc.apparmor.functions
%doc %{_mandir}/man5/apparmor.d.5.gz
%doc %{_mandir}/man5/apparmor.vim.5.gz
%doc %{_mandir}/man5/subdomain.conf.5.gz
%doc %{_mandir}/man7/apparmor.7.gz
%doc %{_mandir}/man8/apparmor_parser.8.gz
%if %{distro} == "redhat" || %{distro} == "rhel4"

%pre parser
if [ -f %{_sysconfdir}/init.d/subdomain ] ; then
  chkconfig --del subdomain
fi
%endif

%files parser-lang -f apparmor-parser.lang

%files -n libapparmor1
%defattr(-,root,root)
%{_libdir}/libapparmor.so.*
%{_libdir}/libimmunix.so.*

%files -n libapparmor-devel
%defattr(-,root,root)
%{_libdir}/libapparmor.a
%{_libdir}/libimmunix.a
%{_libdir}/libapparmor.so
%{_libdir}/libimmunix.so
/usr/%{_lib}/pkgconfig/libapparmor.pc
%doc %{_mandir}/man2/aa_change_hat.2.gz
%doc %{_mandir}/man2/change_hat.2.gz
%doc %{_mandir}/man2/aa_find_mountpoint.2.gz
%doc %{_mandir}/man2/aa_getcon.2.gz
%dir %{_includedir}/aalogparse
%{_includedir}/sys/apparmor.h
%{_includedir}/aalogparse/*

# hrm, still need to enumerate each directory in these paths in files :(
# %define extras_dir %{_sysconfdir}/apparmor/profiles/extras/
# %define profiles_dir %{_sysconfdir}/apparmor.d/

%files profiles
%defattr(644,root,root,755)
%dir %{_sysconfdir}/apparmor.d/
%dir %{_sysconfdir}/apparmor.d/abstractions
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/*
%dir %{_sysconfdir}/apparmor.d/apache2.d
%dir %{_sysconfdir}/apparmor.d/disable
%config(noreplace) %{_sysconfdir}/apparmor.d/apache2.d/phpsysinfo
%config(noreplace) %{_sysconfdir}/apparmor.d/bin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
%dir %{_sysconfdir}/apparmor.d/local
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
%dir %{_sysconfdir}/apparmor.d/program-chunks
%config(noreplace) %{_sysconfdir}/apparmor.d/program-chunks/*
%dir %{_sysconfdir}/apparmor.d/tunables
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/*
%dir %{_sysconfdir}/apparmor/
%dir %{_sysconfdir}/apparmor/profiles
%config %{_sysconfdir}/apparmor/profiles/extras/

%files utils
%defattr(-,root,root)
%dir %{_sysconfdir}/apparmor
%config(noreplace) %{_sysconfdir}/apparmor/easyprof.conf
%config(noreplace) %{_sysconfdir}/apparmor/logprof.conf
%config(noreplace) %{_sysconfdir}/apparmor/notify.conf
%config(noreplace) %{_sysconfdir}/apparmor/severity.db
%{_sbindir}/*
%{_bindir}/aa-easyprof
# easyprof python modules are installed into py2 directories
#{python3_sitelib}/apparmor-%{version}-py%{py3_ver}.egg-info
#{python3_sitelib}/apparmor/
%{python_sitelib}/apparmor-%{version}-py%{python_version}.egg-info
%{python_sitelib}/apparmor/
%dir %{_datadir}/apparmor
%{_datadir}/apparmor/easyprof/
%dir %{_localstatedir}/log/apparmor
%doc %{_mandir}/man2/aa_change_profile.2.gz
%doc %{_mandir}/man5/logprof.conf.5.gz
%doc %{_mandir}/man8/apparmor_notify.8.gz
%doc %{_mandir}/man8/aa-*.gz
%doc %{_mandir}/man8/apparmor_status.8.gz
%doc %{_mandir}/man8/audit.8.gz
%doc %{_mandir}/man8/autodep.8.gz
%doc %{_mandir}/man8/complain.8.gz
%doc %{_mandir}/man8/disable.8.gz
%doc %{_mandir}/man8/easyprof.8.gz
%doc %{_mandir}/man8/enforce.8.gz
%doc %{_mandir}/man8/exec.8.gz
%doc %{_mandir}/man8/genprof.8.gz
%doc %{_mandir}/man8/logprof.8.gz
%doc %{_mandir}/man8/unconfined.8.gz
%doc utils/*.[0-9].html
%doc common/apparmor.css

%files utils-lang -f apparmor-utils.lang

%files -n perl-apparmor
%defattr(-,root,root)
%{perl_vendorlib}/Immunix
%{perl_vendorarch}/auto/LibAppArmor/
%{perl_vendorarch}/LibAppArmor.pm

%if %{with python}

%files -n python-apparmor
%defattr(-,root,root)

%files -n python-apparmor
%{python_sitearch}/LibAppArmor-%{version}-py%{python_version}.egg-info
%dir %{python_sitearch}/LibAppArmor
%{python_sitearch}/LibAppArmor/_LibAppArmor.so
%{python_sitearch}/LibAppArmor/__init__.py
%{python_sitearch}/LibAppArmor/__init__.pyc

%endif

%if %{with python3}

%files -n python3-apparmor
%defattr(-,root,root)
%{python3_sitearch}/LibAppArmor-%{version}-py*.egg-info
%dir %{python3_sitearch}/LibAppArmor
%dir %{python3_sitearch}/LibAppArmor/__pycache__
%{python3_sitearch}/LibAppArmor/_LibAppArmor.cpython-*.so
%{python3_sitearch}/LibAppArmor/__pycache__/__init__.cpython-*.pyc
%{python3_sitearch}/LibAppArmor/__init__.py

%endif

%if %{with ruby}

%files -n ruby-apparmor
%defattr(-,root,root)
%{rb_sitearch}/LibAppArmor.so
%endif

%if %{with pam}

%files -n pam_apparmor
%defattr(444,root,root,755)
%attr(555,root,root) %{_libdir}/security/pam_apparmor.so
%endif

%if %{with tomcat}

%files -n tomcat_apparmor
%defattr(-,root,root)
%{CATALINA_HOME}/lib/%{JAR_FILE}
%{_libdir}/libJNI*
%doc %attr(0644,root,root) changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor
%endif

%if %{with apache}

%files -n apache2-mod_apparmor
%defattr(-,root,root)
%{apache_module_path}/mod_apparmor.so
%doc %{_mandir}/man8/mod_apparmor.8.gz
%endif

%if %{with dbus}

%files dbus
%defattr(0750, root, root)
%{_bindir}/apparmor-dbus
%endif

%if %{with editor}

%files profile-editor
%defattr(-, root, root)
%{_datadir}/applications/%{name}-profile-editor.desktop
%{_datadir}/pixmaps/%{name}-profile-editor.png
%{_bindir}/profileeditor
%{_docdir}/profileeditor/AppArmorProfileEditor.htb
%if 0
%{_datadir}/doc/profileeditor/AppArmorProfileEditor.htb
%endif
%dir %{_datadir}/doc/profileeditor
%endif

%if %{with gnome}

%files -n apparmorapplet-gnome
%defattr(-, root, root)
%{_libdir}/bonobo/servers/*.server
%{_prefix}/lib/apparmorapplet
%{_datadir}/pixmaps/*

%files -n apparmorapplet-gnome-lang -f apparmorapplet-gnome.lang
%endif

%post parser
%if %{distro} == "suse"
  # SUSE uses insserv
  # For package renaming from subdomain -> apparmor
  # we check the existence of the AppArmor 1.1 and
  # AppArmor 1.2 based init script to help determine
  # whether  we are upgrading
  SUBDOMAIN_PARSER_INSTALLED="no"
  if test -e %{_sysconfdir}/init.d/boot.subdomain -o -e %{_sysconfdir}/init.d/subdomain; then
    SUBDOMAIN_PARSER_INSTALLED="yes"
  fi
  if  test "$1" == 1  -a $SUBDOMAIN_PARSER_INSTALLED = "no"; then
    %{insserv_force_if_yast boot.apparmor}
  elif test -e %{_sysconfdir}/rc.d/boot.d/S??boot.subdomain  -o \
            -e %{_sysconfdir}/rc.d/boot.d/S??boot.apparmor  -o \
            -e %{_sysconfdir}/rc.d/rc3.d/S??subdomain ; then
    %{insserv_force_if_yast boot.apparmor}
  else
    %{fillup_and_insserv -f boot.apparmor}
  fi
%endif
%if %{distro} == "redhat" || %{distro} == "rhel4"
  chkconfig --add apparmor
%endif
%if %{distro} == "slackware"
  if grep -qs "# BEGIN rc.subdomain INSERTION" %{_sysconfdir}/rc.d/rc.M ; then true ; else
    %{apparmor_bin_prefix}/install/frob_slack_rc --init
  fi
  if grep -qs "# BEGIN rc.subdomain INSERTION" %{_sysconfdir}/rc.d/rc.K ; then true ; else
    %{apparmor_bin_prefix}/install/frob_slack_rc --shutdown
  fi
%endif

%preun parser
if [ "$1" = 0 ] ; then
%if %{distro} == "suse"
  %{stop_on_removal boot.apparmor}
%endif
%if %{distro} == "redhat" || %{distro} == "rhel4"
  chkconfig --del apparmor
%endif
fi

%postun parser
%if %{distro} == "suse"
  #restart_on_update boot.apparmor - but non-broken (bnc#853019)
  test -n "$FIRST_ARG" || FIRST_ARG=$1
  if test "$FIRST_ARG" -ge 1 ; then
    if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ; then
      test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1 || :
      /etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor reload || :
    fi
  fi

  %{insserv_cleanup} || true
%endif

%post profiles
%if %{distro} == "suse"
  #restart_on_update boot.apparmor - but non-broken (bnc#853019)
  # (copy&paste from parser postun script)
  test -n "$FIRST_ARG" || FIRST_ARG=$1
  if test "$FIRST_ARG" -ge 1 ; then
    if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ; then
      test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1 || :
      /etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor reload || :
    fi
  fi
%endif

%post -n libapparmor1 -p /sbin/ldconfig

%postun -n libapparmor1 -p /sbin/ldconfig

%if %{with tomcat}

%post -n tomcat_apparmor -p /sbin/ldconfig

%postun -n tomcat_apparmor -p /sbin/ldconfig
%endif

%if %{with pam}

%post -n pam_apparmor
pam-config -a --apparmor
pam-config --update

%postun -n pam_apparmor
pam-config -d --apparmor
pam-config --update
%endif

%changelog