2011-01-17 17:43:05 +01:00
#
2011-01-17 17:43:15 +01:00
# spec file for package apparmor
2011-01-17 17:43:05 +01:00
#
2023-01-04 12:51:42 +01:00
# Copyright (c) 2023 SUSE LLC
2022-01-26 19:03:22 +01:00
# Copyright (c) 2011-2022 Christian Boltz
2011-01-17 17:43:05 +01:00
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
2018-10-10 20:56:55 +02:00
# Please submit bugfixes or comments via https://bugs.opensuse.org/
2011-01-17 17:43:05 +01:00
#
2023-01-04 12:51:42 +01:00
%if 0%{?suse_version} >= 1550
2021-02-01 19:27:47 +01:00
%define sbindir %_sbindir
2023-01-04 12:51:42 +01:00
%define apparmor_bin_prefix /usr/lib/apparmor
2021-02-01 19:27:47 +01:00
%else
%define sbindir /sbin
2023-01-04 12:51:42 +01:00
%define apparmor_bin_prefix /lib/apparmor
2021-02-01 19:27:47 +01:00
%endif
2021-02-02 19:37:25 +01:00
%if 0%{?suse_version} <= 1500
# _pamdir isn't defined in 15.x
%define _pamdir /%{_lib}/security
%endif
2013-08-15 14:10:13 +02:00
# warning - confusing syntax ahead ;-)
# bcond_with means "disable"
# bcond_without means "enable"
2011-09-14 13:56:46 +02:00
%bcond_with tomcat
2011-01-17 17:43:05 +01:00
%bcond_without pam
2016-12-06 01:26:20 +01:00
%bcond_without apache
2014-09-07 21:10:23 +02:00
%bcond_without perl
2017-01-28 13:45:16 +01:00
%bcond_without python3
%bcond_without ruby
2022-11-22 22:07:29 +01:00
%if 0%{?suse_version} <= 1550
# enable precompiled profile cache on <= 15.x
2020-10-26 21:16:22 +01:00
%bcond_without precompiled_cache
2022-11-22 22:07:29 +01:00
%else
# don't build precompiled profile cache on Tumbleweed as long as it's purely validated based on timestamps (boo#1205659)
%bcond_with precompiled_cache
%endif
2011-01-17 17:43:05 +01:00
%define CATALINA_HOME /usr/share/tomcat6
2014-09-07 21:10:23 +02:00
#define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
#define JNI_SO libJNIChangeHat.so
2011-01-17 17:43:05 +01:00
%define JAR_FILE changeHatValve.jar
Name : apparmor
2023-05-31 19:47:43 +02:00
Version : 3.1.4
Accepting request 102458 from security:apparmor:factory
- Update to AppArmor 2.7.2 (= 2.7 branch / r1894)
- move various permissions from httpd2-prefork profile to
abstractions/apache2-common. Backward-incompatible change: *.htaccess
files are no longer allowed for ^HANDLING_UNTRUSTED_INPUT
- allow access for more /usr/lib*/samba/ files for smbd (bnc#725967#c5)
- allow various .conf files for dovecot (lp#458922)
- disallow wl for *.so in @{HOME}/.pki/nssdb/ in abstractions/private-files
and abstractions/private-files-strict (lp#911847)
- update abstractions/kde, private-files* and ubuntu-browsers.d/user-files
to use ~/.kde4, not only ~/.kde (bnc#741592)
- block write access to ~/.kde{,4}/env in abstractions/private-files
(lp#914190)
- allow write access for personal dictionary etc. in abstractions/aspell
(lp#917859)
- when using genprof for a script, include read access to the script itself
- automatically include abstractions/python or abstractions/ruby for
python/ruby scripts
- add profile for smbldap-useradd and allow smbd to call it (bnc#738041)
- allow creation of the .config directory in abstractions/enchant (lp#914184)
- allow TFTP read-only access in dnsmasq profile (lp#905412)
- allow capability dac_read_search for syslog-ng (bnc#731876)
- add p11-kit abstraction and include it in abstractions/authentification
(lp#912754, lp#912752)
- add audacity to abstractions/ubuntu-media-players (lp#899963)
- allow software-center, fireclam plugin, [tT]unar, exo-open, kate and
/dev/nvidia* in abstractions/ubuntu-browsers.d/* (lp#662906, lp#562831,
lp#890894, lp#890894, lp#884748)
- fix typo for multiarch gconf-modules in abstractions/base (lp#904548)
- allow avahi to do dbus introspection (lp#769148)
- allow access to ~/.fonts.conf.d in abstractions/fonts (lp#870992)
- allow transmission in abstractions/ubuntu-bittorrent-clients (lp#852062)
- allow reading ~/.cups/client.conf and ~/.cups/lpoptions in
abstractions/cups-client (lp#887992)
- allow read access of /etc/python{2,3}.[0-7]*/sitecustomize.py in
abstractions/python (lp#860856)
- various updates to the sshd profile (lp#817956)
- (and some more changes I already included in the apparmor-2.7-branch.diff)
OBS-URL: https://build.opensuse.org/request/show/102458
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=32
2012-02-02 17:56:20 +01:00
Release : 0
2011-09-14 13:56:46 +02:00
Summary : AppArmor userlevel parser utility
2018-03-03 11:25:05 +01:00
License : GPL-2.0-or-later
2011-01-17 17:43:05 +01:00
Group : Productivity/Networking/Security
2019-11-18 12:15:04 +01:00
URL : https://launchpad.net/apparmor
2011-09-14 13:56:46 +02:00
Source0 : apparmor-%{version}.tar.gz
2012-12-07 17:18:41 +01:00
Source1 : apparmor-%{version}.tar.gz.asc
Source2 : %{name}.keyring
2011-03-25 09:04:51 +01:00
2012-12-07 17:18:41 +01:00
Source5 : update-trans.sh
2013-02-17 16:48:15 +01:00
Source6 : baselibs.conf
2014-08-02 12:53:38 +02:00
Source7 : apparmor-rpmlintrc
2017-10-25 23:04:37 +02:00
2011-10-10 14:10:08 +02:00
# enable caching of profiles (= massive performance speedup when loading profiles)
2018-04-20 01:30:53 +02:00
# and set cache-loc in parser.conf and apparmor.service accordingly
2011-10-10 14:10:08 +02:00
Patch1 : apparmor-enable-profile-cache.diff
2022-07-25 23:54:59 +02:00
# include autogenerated profile sniplet for samba shares (bnc#688040) - include rule upstreamed in 3.0.5 (MR 838), now "just" creates the local/ sniplet
# (technically only needed in Leap 15.x, the samba script in Tumbleweed also works if the local/ sniplet doesn't exist - but dropping the local/ sniplet will move existing autogenerated sniplets to *.rpmsave)
2011-10-19 13:56:25 +02:00
Patch2 : apparmor-samba-include-permissions-for-shares.diff
2013-08-15 14:10:13 +02:00
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
2019-06-19 00:47:39 +02:00
Patch3 : ruby-2_0-mkmf-destdir.patch
2014-09-06 23:13:24 +02:00
2014-12-21 17:26:04 +01:00
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
2019-06-19 00:47:39 +02:00
Patch4 : apparmor-lessopen-profile.patch
2014-12-21 17:18:25 +01:00
2019-01-08 13:18:00 +01:00
# workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
2019-06-19 00:47:39 +02:00
Patch5 : apparmor-lessopen-nfs-workaround.diff
2019-01-08 13:18:00 +01:00
2021-01-22 12:50:03 +01:00
# make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
Patch6 : apache-extra-profile-include-if-exists.diff
2022-04-29 14:11:04 +02:00
2023-06-07 00:05:43 +02:00
# fix aa-status --json / --pretty-json output (merged upstream 2023-06-06 for 3.0 and 3.1 branch [not needed/suiting for master] - https://gitlab.com/apparmor/apparmor/-/merge_requests/1046)
Patch10 : aa-status-fix-json-mr1046.patch
2011-01-17 17:43:05 +01:00
PreReq : sed
2011-09-14 13:56:46 +02:00
BuildRoot : %{_tmppath}/%{name}-%{version}-build
BuildRequires : bison
2017-01-28 13:45:16 +01:00
BuildRequires : dejagnu
2011-09-14 13:56:46 +02:00
BuildRequires : flex
2011-01-17 17:43:05 +01:00
BuildRequires : gcc-c++
2022-11-22 22:07:29 +01:00
BuildRequires : iproute2
2011-01-17 17:43:15 +01:00
BuildRequires : pcre-devel
2011-09-14 13:56:46 +02:00
BuildRequires : pkg-config
2019-11-18 12:15:04 +01:00
BuildRequires : python3
2016-08-27 00:07:45 +02:00
BuildRequires : perl(Locale::gettext)
2011-09-14 13:56:46 +02:00
2011-01-17 17:43:15 +01:00
BuildRequires : swig
2011-01-17 17:43:05 +01:00
2013-08-15 14:10:13 +02:00
%if %{with python3}
2022-07-19 21:39:21 +02:00
BuildRequires : python-rpm-macros
2013-08-15 14:10:13 +02:00
BuildRequires : python3-devel
2020-10-26 21:16:22 +01:00
BuildRequires : python3-notify2
BuildRequires : python3-psutil
2022-07-19 21:39:21 +02:00
BuildRequires : python3-setuptools
2013-08-15 14:10:13 +02:00
%endif
2011-01-17 17:43:05 +01:00
%if %{with ruby}
2011-09-14 13:56:46 +02:00
BuildRequires : ruby-devel
2011-01-17 17:43:05 +01:00
%endif
%if %{with apache}
2020-12-02 17:27:43 +01:00
BuildRequires : apache-rpm-macros
2011-01-17 17:43:15 +01:00
BuildRequires : apache2-devel
2011-01-17 17:43:05 +01:00
%endif
%if %{with tomcat}
2011-09-14 13:56:46 +02:00
BuildRequires : ant
BuildRequires : java-devel >= 1.6.0
BuildRequires : tomcat6
2011-01-17 17:43:05 +01:00
%endif
%package parser
Summary : AppArmor userlevel parser utility
2018-03-03 11:25:05 +01:00
License : GPL-2.0-or-later
2011-01-17 17:43:05 +01:00
Group : Productivity/Networking/Security
2022-04-29 14:11:04 +02:00
Conflicts : apparmor-utils < 3.0
2017-01-28 13:45:16 +01:00
Obsoletes : libimnxcert < 2.9
Obsoletes : subdomain-leaf-cert < 2.9
Obsoletes : subdomain-parser < 2.9
Obsoletes : subdomain-parser-common < 2.9
Obsoletes : subdomain-parser-demo < 2.9
Obsoletes : subdomain_parser < 2.9
2012-04-17 07:43:31 +02:00
Provides : libimnxcert = %{version}
Provides : subdomain-leaf-cert = %{version}
2011-01-17 17:43:15 +01:00
Provides : subdomain-parser = %{version}
Provides : subdomain-parser-common = %{version}
2012-04-17 07:43:31 +02:00
Provides : subdomain-parser-demo = %{version}
Provides : subdomain_parser = %{version}
2011-02-03 22:31:16 +01:00
Provides : apparmor-parser(CAP_SYSLOG)
2015-06-16 00:42:34 +02:00
BuildRequires : systemd-rpm-macros
2021-04-27 19:07:13 +02:00
%{?systemd_ordering}
2015-06-16 00:42:34 +02:00
2011-01-17 17:43:05 +01:00
%description parser
The AppArmor Parser is a userlevel program that is used to load in
program profiles to the AppArmor Security kernel module.
This package is part of a suite of tools that used to be named
SubDomain.
%package docs
2011-01-17 17:43:15 +01:00
Summary : AppArmor Documentation package
2018-03-03 11:25:05 +01:00
License : GPL-2.0-or-later
2011-01-17 17:43:15 +01:00
Group : Documentation/Other
2011-07-05 13:45:31 +02:00
BuildArch : noarch
2011-01-17 17:43:05 +01:00
%description docs
This package contains documentation for AppArmor.
This package is part of a suite of tools that used to be named
SubDomain.
%if %{with apache}
2011-01-17 17:43:15 +01:00
2011-01-17 17:43:05 +01:00
%package -n apache2-mod_apparmor
Summary : AppArmor module for apache2
2018-03-03 11:25:05 +01:00
License : GPL-2.0-or-later
2011-01-17 17:43:05 +01:00
Group : Productivity/Security
2011-01-17 17:43:15 +01:00
2011-01-17 17:43:05 +01:00
%description -n apache2-mod_apparmor
apache2-modapparmor adds support to apache2 to provide AppArmor
confinement to individual cgi scripts handled by apache modules like
mod_php and mod_perl.
This package is part of a suite of tools that used to be named
SubDomain.
The documentation is in the apparmor-admin_en package.
%endif
2014-09-07 21:10:23 +02:00
%if %{with perl}
2011-01-17 17:43:05 +01:00
%package -n perl-apparmor
2011-09-14 13:56:46 +02:00
Summary : Perl interface for libapparmor functions
2018-03-03 11:25:05 +01:00
License : GPL-2.0-only AND LGPL-2.1-or-later
2011-09-14 13:56:46 +02:00
Group : Development/Libraries/Perl
2011-01-17 17:43:05 +01:00
Requires : libapparmor1 = %{version}
Requires : perl = %{perl_version}
2011-11-28 12:52:47 +01:00
Provides : perl-libapparmor = %{version}
2011-01-17 17:43:15 +01:00
Obsoletes : perl-libapparmor < 2.5
2011-01-17 17:43:05 +01:00
%description -n perl-apparmor
This package provides the perl interface to AppArmor. It is used for perl
2017-12-26 15:30:01 +01:00
applications interfacing with AppArmor.
2011-01-17 17:43:05 +01:00
2014-09-07 21:10:23 +02:00
%endif
2013-08-15 14:10:13 +02:00
%if %{with python3}
%package -n python3-apparmor
Summary : Python 3 interface for libapparmor functions
2018-03-03 11:25:05 +01:00
License : GPL-2.0-only AND LGPL-2.1-or-later
2013-08-15 14:10:13 +02:00
Group : Development/Libraries/Python
Requires : libapparmor1 = %{version}
2021-06-07 21:32:55 +02:00
Requires : python3
2013-08-19 18:02:10 +02:00
Requires : python(abi) = %{py3_ver}
2013-08-15 14:10:13 +02:00
%description -n python3-apparmor
This package provides the python interface to AppArmor. It is used for python
applications interfacing with AppArmor.
%endif
2011-01-17 17:43:05 +01:00
%if %{with ruby}
2011-01-17 17:43:15 +01:00
2011-01-17 17:43:05 +01:00
%package -n ruby-apparmor
2011-09-14 13:56:46 +02:00
Summary : Ruby interface for libapparmor functions
2018-03-03 11:25:05 +01:00
License : GPL-2.0-only AND LGPL-2.1-or-later
2013-08-15 14:10:13 +02:00
Group : Development/Languages/Ruby
2011-01-17 17:43:05 +01:00
Requires : libapparmor1 = %{version}
2013-08-24 00:02:24 +02:00
Requires : ruby = %(rpm -q --qf '%%{version}' ruby)
2013-08-15 14:10:13 +02:00
Provides : ruby-libapparmor = %{version}
2011-01-17 17:43:15 +01:00
Obsoletes : ruby-libapparmor < 2.5
2011-01-17 17:43:05 +01:00
%description -n ruby-apparmor
This package provides the ruby interface to AppArmor. It is used for ruby
applications interfacing with AppArmor.
%endif
2014-10-05 18:17:38 +02:00
%package abstractions
Summary : AppArmor abstractions and directory structure
2018-03-03 11:25:05 +01:00
License : GPL-2.0-only AND LGPL-2.1-or-later
2014-10-05 18:17:38 +02:00
Group : Productivity/Security
Requires : apparmor-parser(CAP_SYSLOG)
BuildArch : noarch
%description abstractions
2014-10-05 21:34:36 +02:00
AppArmor abstractions (common parts used in various profiles) and
2014-10-05 18:17:38 +02:00
the /etc/apparmor.d/ directory structure.
2014-10-05 21:34:36 +02:00
AppArmor is a file and network mandatory access control mechanism.
2014-10-05 18:17:38 +02:00
AppArmor confines processes to the resources allowed by the systems
administrator and can constrain the scope of potential security
vulnerabilities.
This package is part of a suite of tools that used to be named
SubDomain.
2011-01-17 17:43:05 +01:00
%package profiles
Summary : AppArmor profiles that are loaded into the apparmor kernel module
2018-03-03 11:25:05 +01:00
License : GPL-2.0-only AND LGPL-2.1-or-later
2011-01-17 17:43:05 +01:00
Group : Productivity/Security
2014-10-05 18:17:38 +02:00
Requires : apparmor-abstractions >= %{version}
2011-09-14 13:56:46 +02:00
Requires : apparmor-parser(CAP_SYSLOG)
2017-01-28 13:45:16 +01:00
Obsoletes : subdomain-profiles < 2.9
2011-01-17 17:43:15 +01:00
Provides : subdomain-profiles = %{version}
2011-07-05 13:45:31 +02:00
BuildArch : noarch
2011-01-17 17:43:05 +01:00
%description profiles
Base profiles. AppArmor is a file and network mandatory access control
mechanism. AppArmor confines processes to the resources allowed by the
systems administrator and can constrain the scope of potential security
vulnerabilities.
This package is part of a suite of tools that used to be named
SubDomain.
%package utils
Summary : AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
2018-03-03 11:25:05 +01:00
License : GPL-2.0-only AND LGPL-2.1-or-later
2011-01-17 17:43:05 +01:00
Group : Productivity/Security
2022-04-29 14:11:04 +02:00
Requires : apparmor-parser
2011-01-17 17:43:15 +01:00
Requires : libapparmor1 = %{version}
2014-09-07 21:10:23 +02:00
Requires : python3-apparmor = %{version}
2021-06-07 21:32:55 +02:00
Requires : python3-base
2020-10-26 21:16:22 +01:00
Requires : python3-notify2
Requires : python3-psutil
2017-01-28 13:45:16 +01:00
# aa-unconfined needs ss
Recommends: iproute2
2011-01-17 17:43:15 +01:00
BuildArch : noarch
2011-01-17 17:43:05 +01:00
%description utils
This package provides the aa-logprof, aa-genprof, aa-autodep,
aa-enforce, and aa-complain tools to assist with profile authoring.
2015-07-22 18:38:30 +02:00
Besides it provides the aa-unconfined server information tool.
2011-10-10 14:10:08 +02:00
It is part of a suite of tools that used to be named SubDomain.
2011-01-17 17:43:05 +01:00
%if %{with tomcat}
2011-01-17 17:43:15 +01:00
2011-01-17 17:43:05 +01:00
%package -n tomcat_apparmor
Summary : Tomcat 6 plugin for AppArmor change_hat
2018-03-03 11:25:05 +01:00
License : GPL-2.0-only AND LGPL-2.1-or-later
2011-01-17 17:43:05 +01:00
Group : System/Libraries
2011-09-14 13:56:46 +02:00
Requires : libapparmor1 = %{version}
Requires : tomcat6
2011-01-17 17:43:05 +01:00
%description -n tomcat_apparmor
tomcat_apparmor - is a plugin for Apache Tomcat version 6 that
provides support for AppArmor change_hat for creating AppArmor
containers that are bound to discrete elements of processing within the
Tomcat servlet container. The AppArmor containers, or "hats", can be
created for individual URL processing or per servlet.
%endif
%if %{with pam}
2011-01-17 17:43:15 +01:00
2011-01-17 17:43:05 +01:00
%package -n pam_apparmor
2011-09-09 11:06:14 +02:00
Summary : PAM module for AppArmor change_hat
2018-03-03 11:25:05 +01:00
License : GPL-2.0-only AND LGPL-2.1-or-later
2011-01-17 17:43:05 +01:00
Group : Productivity/Security
2011-09-09 11:06:14 +02:00
BuildRequires : pam-devel
2011-09-14 13:56:46 +02:00
PreReq : pam
PreReq : pam-config
Requires : pam
Requires : pam-config
2011-01-17 17:43:05 +01:00
%description -n pam_apparmor
The pam_apparmor module provides the means for any PAM applications
that call pam_open_session() to automatically perform an AppArmor
change_hat operation in order to switch to a user-specific security
policy.
%endif
%description
The AppArmor Parser is a userlevel program that is used to load in
program profiles to the AppArmor Security kernel module.
This package is part of a suite of tools that used to be named
SubDomain.
%lang_package -n apparmor-utils
%lang_package -n apparmor-parser
2011-01-17 17:43:15 +01:00
2011-01-17 17:43:05 +01:00
%prep
2012-05-08 22:39:34 +02:00
%setup -q
2020-10-26 21:16:22 +01:00
# very loose profile that doesn't even match the apache2 binary path in openSUSE. Move it away instead of confusing people (boo#872984)
mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/profiles/extras/
2018-04-20 01:21:57 +02:00
%patch1
2013-11-26 00:58:28 +01:00
%patch2
2019-06-19 00:47:39 +02:00
%patch3 -p1
%patch4
%patch5
2022-07-25 23:54:59 +02:00
%patch6
2023-06-07 00:05:43 +02:00
%patch10 -p1
2020-07-20 20:53:52 +02:00
2011-01-17 17:43:05 +01:00
%build
export SUSE_ASNEEDED=0
2013-08-15 14:10:13 +02:00
2011-09-14 13:56:46 +02:00
# libapparmor:
(
cd ./libraries/libapparmor
2014-09-07 21:10:23 +02:00
%configure \
%if %{with perl}
--with-perl \
%endif
2020-10-26 21:16:22 +01:00
%if %{with python3}
2011-09-14 13:56:46 +02:00
--with-python \
2011-01-17 17:43:05 +01:00
%else
2011-09-14 13:56:46 +02:00
--without-python \
2011-01-17 17:43:05 +01:00
%endif
%if %{with ruby}
2011-09-14 13:56:46 +02:00
--with-ruby \
2011-01-17 17:43:05 +01:00
%else
2011-09-14 13:56:46 +02:00
--without-ruby \
2011-01-17 17:43:05 +01:00
%endif
2011-09-14 13:56:46 +02:00
make
)
# Utilities:
make -C utils
2017-01-28 13:45:16 +01:00
# binutils
make -C binutils
2011-09-14 13:56:46 +02:00
# parser:
2012-09-21 22:10:44 +02:00
make -C parser V=1
2011-09-14 13:56:46 +02:00
# Apache mod_apparmor:
%if %{with apache}
make -C changehat/mod_apparmor
2011-01-17 17:43:05 +01:00
%endif
2011-09-14 13:56:46 +02:00
# PAM AppArmor:
2011-01-17 17:43:05 +01:00
%if %{with pam}
2011-09-14 13:56:46 +02:00
make -C changehat/pam_apparmor
2011-01-17 17:43:05 +01:00
%endif
2011-09-14 13:56:46 +02:00
# Profiles:
make -C profiles
%if %{with tomcat}
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
2011-01-17 17:43:05 +01:00
%endif
2018-04-20 01:21:57 +02:00
# pre-build profile cache
# note that -L only works with an absolute path, therefore prefix it with $(pwd)
2020-10-26 21:16:22 +01:00
%if %{with precompiled_cache}
parser/apparmor_parser --config-file $(pwd)/parser/parser.conf --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/
2016-08-27 00:07:45 +02:00
%endif
2020-10-26 21:16:22 +01:00
%check
2016-08-27 00:07:45 +02:00
make check -C libraries/libapparmor
make check -C parser
2017-01-28 13:45:16 +01:00
make check -C binutils
2020-10-26 21:16:22 +01:00
# profiles make check fails for the utils (they expect /sbin/apparmor_parser to exist), therefore only do parser-based check
2018-04-20 00:21:11 +02:00
make -C profiles check-parser
2017-01-28 13:45:16 +01:00
2018-04-20 01:21:57 +02:00
# test for a few files that should exist in the cache
2020-10-26 21:16:22 +01:00
%if %{with precompiled_cache}
2018-04-20 01:21:57 +02:00
test -f profiles/cache/*/bin.ping
test -f profiles/cache/*/.features
2020-10-26 21:16:22 +01:00
%endif
2018-04-20 01:21:57 +02:00
2022-10-07 21:37:58 +02:00
# run checks in utils except linting -- https://gitlab.com/apparmor/apparmor/-/issues/121
make check -o check_lint -C utils
2016-08-27 00:07:45 +02:00
2011-01-17 17:43:05 +01:00
%install
2017-01-30 23:53:15 +01:00
# libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec
%makeinstall -C libraries/libapparmor/swig
2011-01-17 17:43:05 +01:00
2011-09-14 13:56:46 +02:00
# utilities
2011-09-19 22:48:33 +02:00
%makeinstall -C utils
2014-09-07 21:10:23 +02:00
test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568
2011-10-10 14:10:08 +02:00
mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
2017-01-28 13:45:16 +01:00
# binutils
%makeinstall -C binutils
( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec )
2014-09-07 21:10:23 +02:00
2011-10-10 14:10:08 +02:00
%makeinstall -C profiles
2011-01-17 17:43:05 +01:00
2020-10-26 21:16:22 +01:00
%if %{with precompiled_cache}
2018-04-20 01:21:57 +02:00
install -d -m 755 %{buildroot}/usr/share/apparmor/cache
2020-10-26 21:16:22 +01:00
echo -e "\n\n*** WARNING: precompiling cache is known to fail under 'osc build' - use 'osc build --vm-type kvm' instead or skip building the precompiled cache with 'osc build --without precompiled_cache' ***\n\n"
2022-04-03 16:46:04 +02:00
# ensure cache files are newer than (text) profiles by sleeping a few seconds, and using cp -r which updates the timestamps
sleep 2
cp -r profiles/cache/* %{buildroot}/usr/share/apparmor/cache
2018-04-20 01:21:57 +02:00
test -f %{buildroot}/usr/share/apparmor/cache/*/.features
test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping
2020-10-26 21:16:22 +01:00
%endif
2018-04-20 01:21:57 +02:00
2021-02-01 19:27:47 +01:00
%makeinstall SBINDIR="%{buildroot}%{sbindir}" APPARMOR_BIN_PREFIX="%{buildroot}%{apparmor_bin_prefix}" -C parser
2018-04-20 01:21:57 +02:00
# default cache dir (up to 2.12) is /etc/apparmor.d/cache - not the best location.
2017-01-24 15:23:09 +01:00
# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache )
2018-04-20 01:21:57 +02:00
# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location
# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d )
2011-01-17 17:43:05 +01:00
2011-09-14 13:56:46 +02:00
%if %{with apache}
%makeinstall -C changehat/mod_apparmor
%endif
%if %{with pam}
2021-02-01 19:27:47 +01:00
%makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_pamdir}
2011-09-14 13:56:46 +02:00
%endif
%if %{with tomcat}
mkdir -p %{buildroot}/%{CATALINA_HOME}
%makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME}
%endif
2017-01-28 13:45:16 +01:00
find %{buildroot} -name .packlist -exec rm -vf {} \;
find %{buildroot} -name perllocal.pod -exec rm -vf {} \;
2011-01-17 17:43:05 +01:00
2014-09-07 21:10:23 +02:00
# Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm].
# Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix
2011-09-14 13:56:46 +02:00
for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do
2014-09-07 21:10:23 +02:00
    d=$(dirname $file)
    f=$(basename $file)
    case "${f#aa-}" in
        audit | autodep | complain | decode | disable | enforce | exec | genprof | logprof | notify | status | unconfined | \
2017-01-28 13:45:16 +01:00
        audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.1* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* )
2014-09-07 21:10:23 +02:00
            if [ "${f#aa-}" != "$f" ]; then
                ln -s $f $d/${f#aa-}
            fi
            ;;
    esac
2011-01-17 17:43:05 +01:00
done
2011-09-14 13:56:46 +02:00
mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8}
mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8}
rm -f %{buildroot}%{_mandir}/man8/decode.8
2011-01-17 17:43:05 +01:00
2017-01-28 13:45:16 +01:00
for pkg in apparmor-utils apparmor-parser aa-binutils; do
2014-09-07 21:10:23 +02:00
%find_lang $pkg
2011-01-17 17:43:05 +01:00
done
2011-09-14 13:56:46 +02:00
# remove *.la files
2017-01-28 13:45:16 +01:00
rm -fv %{buildroot}%{_libdir}/libapparmor.la
2011-01-17 17:43:05 +01:00
%files docs
%defattr(-,root,root)
%doc parser/*.[1-9].html
2014-10-18 15:47:32 +02:00
%doc utils/vim/apparmor.vim.5.html
2011-01-17 17:43:05 +01:00
%doc common/apparmor.css
2017-01-28 13:45:16 +01:00
%doc parser/techdoc.pdf
2012-05-08 22:39:34 +02:00
# apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file
2012-06-02 23:50:07 +02:00
%dir %{_datadir}/apparmor
%{_datadir}/apparmor/apparmor.vim
2011-01-17 17:43:05 +01:00
%files parser
%defattr(-,root,root)
2019-01-14 15:42:04 +01:00
%license parser/COPYING.GPL
%doc parser/README
2021-02-01 19:27:47 +01:00
%{sbindir}/apparmor_parser
2017-01-28 13:45:16 +01:00
%{_bindir}/aa-enabled
%{_bindir}/aa-exec
2020-10-26 21:16:22 +01:00
%{_bindir}/aa-features-abi
%{_sbindir}/aa-status
%{_sbindir}/apparmor_status
%{_sbindir}/status
2017-12-26 15:30:01 +01:00
%{_sbindir}/aa-teardown
2018-04-20 00:21:11 +02:00
%{_sbindir}/exec
2011-01-17 17:43:05 +01:00
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
2011-10-10 14:10:08 +02:00
%dir %{_sysconfdir}/apparmor.d
2017-01-24 15:23:09 +01:00
%{_sysconfdir}/apparmor.d/cache
2018-04-20 01:21:57 +02:00
%{_sysconfdir}/apparmor.d/cache.d
2021-02-01 19:27:47 +01:00
%{sbindir}/rcapparmor
2015-04-12 23:08:34 +02:00
%{_unitdir}/apparmor.service
2011-10-10 14:10:08 +02:00
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
%{_localstatedir}/lib/apparmor
2018-04-20 01:21:57 +02:00
%{_localstatedir}/cache/apparmor
2011-01-17 17:43:05 +01:00
%dir %attr(-, root, root) %{apparmor_bin_prefix}
%{apparmor_bin_prefix}/rc.apparmor.functions
2017-03-19 20:14:12 +01:00
%{apparmor_bin_prefix}/apparmor.systemd
2022-07-25 23:54:59 +02:00
%{apparmor_bin_prefix}/profile-load
2017-01-28 13:45:16 +01:00
%doc %{_mandir}/man1/aa-enabled.1.gz
%doc %{_mandir}/man1/aa-exec.1.gz
2020-10-26 21:16:22 +01:00
%doc %{_mandir}/man1/aa-features-abi.1.gz
2017-01-28 13:45:16 +01:00
%doc %{_mandir}/man1/exec.1.gz
2011-01-17 17:43:05 +01:00
%doc %{_mandir}/man5/apparmor.d.5.gz
%doc %{_mandir}/man5/apparmor.vim.5.gz
%doc %{_mandir}/man7/apparmor.7.gz
2020-10-26 21:16:22 +01:00
%doc %{_mandir}/man7/apparmor_xattrs.7.gz
%doc %{_mandir}/man8/aa-status.8.gz
2018-04-20 00:21:11 +02:00
%doc %{_mandir}/man8/aa-teardown.8.gz
2011-01-17 17:43:05 +01:00
%doc %{_mandir}/man8/apparmor_parser.8.gz
2020-10-26 21:16:22 +01:00
%doc %{_mandir}/man8/apparmor_status.8.gz
2011-01-17 17:43:05 +01:00
%pre parser
2015-04-12 23:08:34 +02:00
%service_add_pre apparmor.service
2011-01-17 17:43:05 +01:00
2017-01-28 13:45:16 +01:00
%files parser-lang -f apparmor-parser.lang -f aa-binutils.lang
%defattr(-,root,root)
2011-01-17 17:43:05 +01:00
2014-10-05 18:17:38 +02:00
%files abstractions
2011-09-14 13:56:46 +02:00
%defattr(644,root,root,755)
2012-09-26 22:23:10 +02:00
%dir %{_sysconfdir}/apparmor.d/
2020-10-26 21:16:22 +01:00
%dir %{_sysconfdir}/apparmor.d/abi
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/3.0
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-outoftree-network
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-vanilla
2013-05-14 01:00:39 +02:00
%dir %{_sysconfdir}/apparmor.d/abstractions
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/*
2013-05-14 01:04:07 +02:00
%dir %{_sysconfdir}/apparmor.d/disable
2014-10-05 18:17:38 +02:00
%dir %{_sysconfdir}/apparmor.d/local
%dir %{_sysconfdir}/apparmor.d/tunables
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/*
%files profiles
%defattr(644,root,root,755)
%dir %{_sysconfdir}/apparmor.d/apache2.d
2013-05-14 01:00:39 +02:00
%config(noreplace) %{_sysconfdir}/apparmor.d/apache2.d/phpsysinfo
2013-08-15 14:10:13 +02:00
%config(noreplace) %{_sysconfdir}/apparmor.d/bin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
2019-06-19 00:31:34 +02:00
%config(noreplace) %{_sysconfdir}/apparmor.d/lsb_release
2018-12-21 15:30:43 +01:00
%config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe
2020-10-26 21:16:22 +01:00
%config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm
2021-10-15 23:38:52 +02:00
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd
2022-04-14 21:08:39 +02:00
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-*
2022-04-10 15:52:36 +02:00
%config(noreplace) %{_sysconfdir}/apparmor.d/zgrep
2013-05-14 01:00:39 +02:00
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
2018-04-20 01:21:57 +02:00
%dir /usr/share/apparmor/
2020-10-26 21:16:22 +01:00
%if %{with precompiled_cache}
2018-04-20 01:21:57 +02:00
/usr/share/apparmor/cache/
2020-10-26 21:16:22 +01:00
%endif
2014-09-07 21:10:23 +02:00
/usr/share/apparmor/extra-profiles/
2011-01-17 17:43:05 +01:00
%files utils
%defattr (-,root,root)
%dir %{_sysconfdir} /apparmor
2012-06-02 23:50:07 +02:00
%config (noreplace) %{_sysconfdir} /apparmor/easyprof.conf
2011-01-17 17:43:05 +01:00
%config (noreplace) %{_sysconfdir} /apparmor/logprof.conf
%config (noreplace) %{_sysconfdir} /apparmor/notify.conf
%config (noreplace) %{_sysconfdir} /apparmor/severity.db
2017-12-26 15:30:01 +01:00
%{_sbindir} /aa-audit
%{_sbindir} /aa-autodep
%{_sbindir} /aa-cleanprof
%{_sbindir} /aa-complain
%{_sbindir} /aa-decode
%{_sbindir} /aa-disable
%{_sbindir} /aa-enforce
%{_sbindir} /aa-genprof
%{_sbindir} /aa-logprof
%{_sbindir} /aa-mergeprof
%{_sbindir} /aa-notify
%{_sbindir} /aa-remove-unknown
%{_sbindir} /aa-unconfined
2014-09-07 21:10:23 +02:00
%{_sbindir} /audit
%{_sbindir} /autodep
%{_sbindir} /complain
%{_sbindir} /decode
%{_sbindir} /disable
%{_sbindir} /enforce
%{_sbindir} /genprof
%{_sbindir} /logprof
%{_sbindir} /notify
%{_sbindir} /unconfined
2012-06-02 23:50:07 +02:00
%{_bindir} /aa-easyprof
%dir %{_datadir} /apparmor
%{_datadir} /apparmor/easyprof/
2011-10-10 14:10:08 +02:00
%dir %{_localstatedir} /log/apparmor
2011-01-17 17:43:05 +01:00
%doc %{_mandir} /man5/logprof.conf.5.gz
%doc %{_mandir} /man8/apparmor_notify.8.gz
2017-12-26 15:30:01 +01:00
%doc %{_mandir}/man8/aa-audit.8.gz
%doc %{_mandir}/man8/aa-autodep.8.gz
%doc %{_mandir}/man8/aa-cleanprof.8.gz
%doc %{_mandir}/man8/aa-complain.8.gz
%doc %{_mandir}/man8/aa-decode.8.gz
%doc %{_mandir}/man8/aa-disable.8.gz
%doc %{_mandir}/man8/aa-easyprof.8.gz
%doc %{_mandir}/man8/aa-enforce.8.gz
%doc %{_mandir}/man8/aa-genprof.8.gz
%doc %{_mandir}/man8/aa-logprof.8.gz
%doc %{_mandir}/man8/aa-mergeprof.8.gz
%doc %{_mandir}/man8/aa-notify.8.gz
%doc %{_mandir}/man8/aa-remove-unknown.8.gz
%doc %{_mandir}/man8/aa-unconfined.8.gz
2011-01-17 17:43:05 +01:00
%doc %{_mandir}/man8/audit.8.gz
%doc %{_mandir}/man8/autodep.8.gz
%doc %{_mandir}/man8/complain.8.gz
2011-09-14 13:56:46 +02:00
%doc %{_mandir}/man8/disable.8.gz
2012-06-02 23:50:07 +02:00
%doc %{_mandir}/man8/easyprof.8.gz
2011-01-17 17:43:05 +01:00
%doc %{_mandir}/man8/enforce.8.gz
%doc %{_mandir}/man8/genprof.8.gz
%doc %{_mandir}/man8/logprof.8.gz
%doc %{_mandir}/man8/unconfined.8.gz
%doc utils/*.[0-9].html
%doc common/apparmor.css
%files utils-lang -f apparmor-utils.lang
2014-09-07 21:10:23 +02:00
%if %{with perl}
2011-01-17 17:43:05 +01:00
%files -n perl-apparmor
%defattr(-,root,root)
2011-09-14 13:56:46 +02:00
%{perl_vendorarch}/auto/LibAppArmor/
2011-01-17 17:43:05 +01:00
%{perl_vendorarch}/LibAppArmor.pm
2014-09-07 21:10:23 +02:00
%endif
2011-01-17 17:43:05 +01:00
2013-08-15 14:10:13 +02:00
%if %{with python3}
%files -n python3-apparmor
%defattr(-,root,root)
%{python3_sitearch}/LibAppArmor-%{version}-py*.egg-info
%dir %{python3_sitearch}/LibAppArmor
%dir %{python3_sitearch}/LibAppArmor/__pycache__
2013-08-19 18:02:10 +02:00
%{python3_sitearch}/LibAppArmor/_LibAppArmor.cpython-*.so
2013-08-15 14:10:13 +02:00
%{python3_sitearch}/LibAppArmor/__pycache__/__init__.cpython-*.pyc
2016-08-27 00:07:45 +02:00
%{python3_sitearch}/LibAppArmor/__pycache__/LibAppArmor.cpython-*.pyc
2013-08-15 14:10:13 +02:00
%{python3_sitearch}/LibAppArmor/__init__.py
2016-08-27 00:07:45 +02:00
%{python3_sitearch}/LibAppArmor/LibAppArmor.py
2014-09-07 21:10:23 +02:00
%{python3_sitelib}/apparmor/
%{python3_sitelib}/apparmor-%{version}-py*.egg-info
2011-01-17 17:43:05 +01:00
%endif
%if %{with ruby}
2011-01-17 17:43:15 +01:00
2011-01-17 17:43:05 +01:00
%files -n ruby-apparmor
%defattr(-,root,root)
2014-02-01 13:26:11 +01:00
%{rb_sitearchdir}/LibAppArmor.so
2011-01-17 17:43:05 +01:00
%endif
%if %{with pam}
2011-01-17 17:43:15 +01:00
2011-01-17 17:43:05 +01:00
%files -n pam_apparmor
%defattr(444,root,root,755)
2021-02-01 19:27:47 +01:00
%attr(555,root,root) %{_pamdir}/pam_apparmor.so
2011-01-17 17:43:05 +01:00
%endif
%if %{with tomcat}
2011-01-17 17:43:15 +01:00
2011-01-17 17:43:05 +01:00
%files -n tomcat_apparmor
%defattr(-,root,root)
%{CATALINA_HOME}/lib/%{JAR_FILE}
%{_libdir}/libJNI*
%doc %attr(0644,root,root) changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor
%endif
%if %{with apache}
2011-01-17 17:43:15 +01:00
2011-01-17 17:43:05 +01:00
%files -n apache2-mod_apparmor
%defattr(-,root,root)
2020-12-02 17:27:43 +01:00
%{apache_libexecdir}/mod_apparmor.so
2011-01-17 17:43:05 +01:00
%doc %{_mandir}/man8/mod_apparmor.8.gz
%endif
%post parser
2015-04-12 23:08:34 +02:00
%service_add_post apparmor.service
2011-01-17 17:43:05 +01:00
%preun parser
2015-04-12 23:08:34 +02:00
%service_del_preun apparmor.service
2011-01-17 17:43:05 +01:00
%postun parser
2015-04-17 21:38:20 +02:00
# don't call try-restart, see bnc#853019
2020-10-08 23:20:17 +02:00
%if 0%{?suse_version} <= 1500
export DISABLE_RESTART_ON_UPDATE="yes"
%service_del_postun apparmor.service
%else
2020-09-29 21:13:52 +02:00
%service_del_postun_without_restart apparmor.service
2020-10-08 23:20:17 +02:00
%endif
2015-04-12 23:08:34 +02:00
2022-04-03 16:46:04 +02:00
%posttrans abstractions
2018-04-20 01:21:57 +02:00
# workaround for bnc#904620#c8 / lp#1392042
rm -f /var/cache/apparmor/* 2>/dev/null
2017-07-18 21:59:57 +02:00
#restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||:
2014-10-05 18:17:38 +02:00
2022-04-03 16:46:04 +02:00
%posttrans profiles
2017-03-19 20:14:12 +01:00
# workaround for bnc#904620#c8 / lp#1392042
2018-04-20 01:21:57 +02:00
# old cache location up to 2.12
2017-03-19 20:14:12 +01:00
rm -f /var/lib/apparmor/cache/* 2>/dev/null
2018-04-20 01:21:57 +02:00
# cache location starting with 2.13
rm -f /var/cache/apparmor/* 2>/dev/null
2017-07-18 21:59:57 +02:00
#restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||:
2014-01-02 14:01:50 +01:00
2011-01-17 17:43:05 +01:00
%if %{with tomcat}
2011-01-17 17:43:15 +01:00
2011-01-17 17:43:05 +01:00
%post -n tomcat_apparmor -p /sbin/ldconfig
2011-01-17 17:43:15 +01:00
2011-01-17 17:43:05 +01:00
%postun -n tomcat_apparmor -p /sbin/ldconfig
%endif
%if %{with pam}
2011-01-17 17:43:15 +01:00
2011-01-17 17:43:05 +01:00
%post -n pam_apparmor
pam-config -a --apparmor
pam-config --update
%postun -n pam_apparmor
pam-config -d --apparmor
pam-config --update
%endif
%changelog