From f7c45c5e5a4e006d769ef4305d663489d126da739efddad037ea0691e2e71c01 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Sun, 5 Oct 2014 16:17:38 +0000 Subject: [PATCH 1/2] Accepting request 254032 from home:cboltz - split apparmor-profiles package into -profiles and -abstractions OBS-URL: https://build.opensuse.org/request/show/254032 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=99 --- apparmor.changes | 5 +++++ apparmor.spec | 47 +++++++++++++++++++++++++++++++++++++++++------ 2 files changed, 46 insertions(+), 6 deletions(-) diff --git a/apparmor.changes b/apparmor.changes index e904190..331fbaa 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sun Sep 28 19:25:32 UTC 2014 - opensuse@cboltz.de + +- split apparmor-profiles package into -profiles and -abstractions + ------------------------------------------------------------------- Sat Sep 6 22:08:57 UTC 2014 - opensuse@cboltz.de diff --git a/apparmor.spec b/apparmor.spec index 09c3363..50ce296 100644 --- a/apparmor.spec +++ b/apparmor.spec 
@@ -304,10 +304,30 @@ applications interfacing with AppArmor. %endif +%package abstractions +Summary: AppArmor abstractions and directory structure +License: GPL-2.0 and LGPL-2.1+ +Group: Productivity/Security +Requires: apparmor-parser(CAP_SYSLOG) +BuildArch: noarch + +%description abstractions +AppArmor abstractions (common parts used in various profiles) and +the /etc/apparmor.d/ directory structure. + +AppArmor is a file and network mandatory access control mechanism. +AppArmor confines processes to the resources allowed by the systems +administrator and can constrain the scope of potential security +vulnerabilities. + +This package is part of a suite of tools that used to be named +SubDomain. + %package profiles Summary: AppArmor profiles that are loaded into the apparmor kernel module License: GPL-2.0 and LGPL-2.1+ Group: Productivity/Security +Requires: apparmor-abstractions >= %{version} Requires: apparmor-parser(CAP_SYSLOG) Obsoletes: subdomain-profiles < %{version} Provides: subdomain-profiles = %{version} 
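Review bot: The new `%package abstractions` stanza declares no relation to older apparmor-profiles builds, although the %files hunk of this patch moves /etc/apparmor.d/abstractions/* and tunables/* out of that package into this one. If apparmor-abstractions is installed or updated on its own while an older apparmor-profiles is still present, rpm may report file conflicts on the policy files or leave two packages owning them. Adding `Conflicts: apparmor-profiles < %{version}` to the abstractions stanza would force both packages to move together. Please check this against the distribution's guideline for split packages.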
@@ -628,22 +648,24 @@ fi %{_includedir}/sys/apparmor.h %{_includedir}/aalogparse/* -%files profiles +%files abstractions %defattr(644,root,root,755) %dir %{_sysconfdir}/apparmor.d/ %dir %{_sysconfdir}/apparmor.d/abstractions %config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/* -%dir %{_sysconfdir}/apparmor.d/apache2.d %dir %{_sysconfdir}/apparmor.d/disable +%dir %{_sysconfdir}/apparmor.d/local +%dir %{_sysconfdir}/apparmor.d/tunables +%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/* + +%files profiles +%defattr(644,root,root,755) +%dir %{_sysconfdir}/apparmor.d/apache2.d %config(noreplace) %{_sysconfdir}/apparmor.d/apache2.d/phpsysinfo %config(noreplace) %{_sysconfdir}/apparmor.d/bin.* %config(noreplace) %{_sysconfdir}/apparmor.d/sbin.* %config(noreplace) %{_sysconfdir}/apparmor.d/usr.* -%dir %{_sysconfdir}/apparmor.d/local %config(noreplace) %{_sysconfdir}/apparmor.d/local/* -%dir %{_sysconfdir}/apparmor.d/tunables -%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/* -%dir %{_sysconfdir}/apparmor/ /usr/share/apparmor/extra-profiles/ %files utils @@ -814,6 +836,19 @@ fi %{insserv_cleanup} || true %endif +%post abstractions +%if %{distro} == "suse" + #restart_on_update boot.apparmor - but non-broken (bnc#853019) + # (copy&paste from parser postun script) + test -n "$FIRST_ARG" || FIRST_ARG=$1 + if test "$FIRST_ARG" -ge 1 ; then + if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ; then + test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1 || : + /etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor reload || : + fi + fi +%endif + %post profiles %if %{distro} == "suse" #restart_on_update boot.apparmor - but non-broken (bnc#853019) From 6915e079e5d134a49af27d016f8403cb8572099f52729a073e265477ac5598e1 Mon Sep 17 00:00:00 2001 
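Review bot: In the added `%post abstractions` scriptlet, the guard `test "$FIRST_ARG" -ge 1` was written for a %postun script, where the argument is 0 on removal; in %post it is 1 on install and higher on upgrade, so the condition is always true and the reload also runs on first install. If that is intended, a comment such as `# $1 is always >= 1 in %post; guard kept only for parity with the parser %postun` would stop the next reader from trusting it. The block is now a third copy of the same logic (parser %postun, `%post profiles`, and this one), and the exit status of `boot.apparmor reload` is discarded by `|| :`, so a reload that fails after an abstractions update leaves the previously loaded policy in force with the transaction still reported as successful. Moving the body into one spec macro used by all three scriptlets would keep future fixes like bnc#853019 from being applied to only some copies. The `%post profiles` body continues past the end of the hunk.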
From: Christian Boltz Date: Sun, 5 Oct 2014 19:34:36 +0000 Subject: [PATCH 2/2] Accepting request 254059 from home:cboltz - update to AppArmor 2.8.97 (aka 2.9 beta3 aka r2721) - several bugfixes in python and C tools - rename "__unused" to "unused" in apparmor_parser to fix compilation on openSUSE <= 13.1 x86_64 (bnc#895495) - usr.lib.dovecot.auth profile: allow access to auth-token-secret.dat - various small profile improvements - update and add several testcases - drop upstreamed patch apparmor-profiles-dnsmasq-iface-mtu.patch - re-number remaining patches OBS-URL: https://build.opensuse.org/request/show/254059 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=100 --- apparmor-2.8.96.tar.gz | 3 --- apparmor-2.8.96.tar.gz.asc | 7 ------ apparmor-2.8.97.tar.gz | 3 +++ apparmor-2.8.97.tar.gz.asc | 7 ++++++ apparmor-profiles-dnsmasq-iface-mtu.patch | 30 ----------------------- apparmor.changes | 13 ++++++++++ apparmor.spec | 23 +++++++---------- 7 files changed, 32 insertions(+), 54 deletions(-) delete mode 100644 apparmor-2.8.96.tar.gz delete mode 100644 apparmor-2.8.96.tar.gz.asc create mode 100644 apparmor-2.8.97.tar.gz create mode 100644 apparmor-2.8.97.tar.gz.asc delete mode 100644 apparmor-profiles-dnsmasq-iface-mtu.patch
diff --git a/apparmor-2.8.96.tar.gz b/apparmor-2.8.96.tar.gz
deleted file mode 100644
index a3f0a32..0000000
--- a/apparmor-2.8.96.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5950255fc0a6989a5123a46ec58ba0a7ef03eb0d28731e38aae55d0cd10ed0a1
-size 2332645
diff --git a/apparmor-2.8.96.tar.gz.asc b/apparmor-2.8.96.tar.gz.asc
deleted file mode 100644
index 6d7bc28..0000000
--- a/apparmor-2.8.96.tar.gz.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAlQI2pMACgkQgTeYuayTEnEALACgtB68bFa+u0F1KBSarph9lfB7
-0V8AnRVmXpaq+dzhKmcspVoR+bzYn4GM
-=VwGt
------END PGP SIGNATURE-----
diff --git a/apparmor-2.8.97.tar.gz b/apparmor-2.8.97.tar.gz
new file mode 100644
index 0000000..f247368
--- /dev/null
+++ b/apparmor-2.8.97.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:170a6495dd48246df1c042aa562fb759b287331ceed62c67961c81dc7ce6cba4
+size 2360991
diff --git a/apparmor-2.8.97.tar.gz.asc b/apparmor-2.8.97.tar.gz.asc
new file mode 100644
index 0000000..f9ca304
--- /dev/null
+++ b/apparmor-2.8.97.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iEYEABECAAYFAlQuRy8ACgkQgTeYuayTEnFnyACgyxwM2udlu+OnuaZwyMo0vsNZ
+YacAn0lEU5qGxRHoSQv/h7Uo7c9qhhtg
+=Bo0m
+-----END PGP SIGNATURE-----
diff --git a/apparmor-profiles-dnsmasq-iface-mtu.patch b/apparmor-profiles-dnsmasq-iface-mtu.patch
deleted file mode 100644
index 183472f..0000000
--- a/apparmor-profiles-dnsmasq-iface-mtu.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Allow dnsmasq read access to IPv6 config
-
-The IPv6 Neighbor Discovery protocol (RFC 2461) suggests
-implementations provide MTU in Router Advertisement (RA)
-messages. From section 4.2
-
-MTU SHOULD be sent on links that have a variable MTU
- (as specified in the document that describes how to
- run IP over the particular link type). MAY be sent
- on other links.
-
-dnsmasq supports this option and should have read access
-to an interface's MTU.
-
-
-Index: apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
-===================================================================
---- apparmor-2.8.3.orig/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -44,6 +44,10 @@
-
- /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
-
-+ # access to iface mtu needed for Router Advertisement messages in IPv6
-+ # Neighbor Discovery protocol (RFC 2461)
-+ @{PROC}/sys/net/ipv6/conf/*/mtu r,
-+
- # for the read-only TFTP server
- @{TFTP_DIR}/ r,
- @{TFTP_DIR}/** r,
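Review bot: The added apparmor-2.8.97.tar.gz.asc helps only if the build checks it, and none of the apparmor.spec hunks in this patch show the signature or an upstream keyring being listed as a source or verified in %prep; the Source lines are outside the visible hunks, so this may already be in place. If it is not, add the keyring and the .asc as sources and verify the tarball before `%setup -q`, so a replaced tarball fails the build instead of relying on someone having run gpg by hand. The packet header `iEYEABEC` decodes to a version 4 DSA signature over a SHA-1 digest, so it would also be worth recording the upstream-published checksum of the tarball next to it.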
diff --git a/apparmor.changes b/apparmor.changes index 331fbaa..ced49d9 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Sun Oct 5 18:53:43 UTC 2014 - opensuse@cboltz.de + +- update to AppArmor 2.8.97 (aka 2.9 beta3 aka r2721) + - several bugfixes in python and C tools + - rename "__unused" to "unused" in apparmor_parser to fix compilation + on openSUSE <= 13.1 x86_64 (bnc#895495) + - usr.lib.dovecot.auth profile: allow access to auth-token-secret.dat + - various small profile improvements + - update and add several testcases +- drop upstreamed patch apparmor-profiles-dnsmasq-iface-mtu.patch +- re-number remaining patches + ------------------------------------------------------------------- Sun Sep 28 19:25:32 UTC 2014 - opensuse@cboltz.de diff --git a/apparmor.spec b/apparmor.spec index 50ce296..f58d3ae 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -60,7 +60,7 @@ Name: apparmor %if ! %{?distro:1}0 %define distro suse %endif -Version: 2.8.96 +Version: 2.8.97 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0+ 
@@ -80,16 +80,13 @@ Patch1: apparmor-enable-profile-cache.diff Patch2: apparmor-samba-include-permissions-for-shares.diff # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width. -Patch5: apparmor-utils-string-split +Patch3: apparmor-utils-string-split # Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions -Patch12: apparmor-2.5.1-edirectory-profile +Patch4: apparmor-2.5.1-edirectory-profile # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de -Patch22: ruby-2_0-mkmf-destdir.patch - -# allow dnsmasq to read access to IPv6 config (bnc#892374) (commited upstream trunk r2657, 2.8 branch r2140) -Patch28: apparmor-profiles-dnsmasq-iface-mtu.patch +Patch5: ruby-2_0-mkmf-destdir.patch Url: https://launchpad.net/apparmor PreReq: sed @@ -312,10 +309,10 @@ Requires: apparmor-parser(CAP_SYSLOG) BuildArch: noarch %description abstractions -AppArmor abstractions (common parts used in various profiles) and +AppArmor abstractions (common parts used in various profiles) and the /etc/apparmor.d/ directory structure. -AppArmor is a file and network mandatory access control mechanism. +AppArmor is a file and network mandatory access control mechanism. AppArmor confines processes to the resources allowed by the systems administrator and can constrain the scope of potential security vulnerabilities. @@ -422,16 +419,14 @@ SubDomain. %setup -q %patch1 -p1 %patch2 -%patch5 -p1 -%patch12 +%patch3 -p1 +%patch4 # Ruby 2.0 mkmf prefixes every path with $(DESTDIR) %if 0%{?suse_version} > 1230 -%patch22 -p1 +%patch5 -p1 %endif -%patch28 -p1 - %build echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1
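Review bot: In the %prep hunk, `%patch2` and the renumbered `%patch4` are applied without a strip level while `%patch1`, `%patch3` and `%patch5` use `-p1`, so those two depend on the macro's default level. This commit already rewrites these lines for the renumbering, so spelling the level out (`%patch4 -p0`, if the default is what is meant) would cost nothing and make the intent reviewable. It matters most for Patch4, which per its comment changes abstractions/nameservice, a file that the comment on the patch says is not yet accepted upstream.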