Accepting request 88695 from security:apparmor:factory

- include autogenerated profile sniplet for samba shares (bnc#688040)
- more helpful error message for "aa-notify -p" if the user is not in
  the configured group

OBS-URL: https://build.opensuse.org/request/show/88695
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=26

apparmor-2.7.0rc1-aa-notify-better-error-message.diff

@@ -0,0 +1,21 @@
+Add a more helpful error message to aa-notify -p if the user is not in 
+the configured group.
+
+Pending for review upstream.
+
+
+Signed-off-by: Christian Boltz <apparmor@cboltz.de>
+
+=== modified file 'utils/aa-notify'
+--- utils/aa-notify	2011-10-12 11:08:25 +0000
++++ utils/aa-notify	2011-10-16 13:53:23 +0000
+@@ -151,7 +151,7 @@
+     if (defined($prefs{use_group})) {
+         my ($name, $passwd, $gid, $members) = getgrnam($prefs{use_group});
+         if (not defined($members) or not defined($login) or (not grep { $_ eq $login } split(/ /, $members) and $login ne "root")) {
+-            _error("'$login' must be in '$prefs{use_group}' group. Aborting");
++            _error("'$login' must be in '$prefs{use_group}' group. Aborting.\nAsk your admin to add you to this group or to change the group in\n$conf if you want to use aa-notify.");
+         }
+     }
+ }
+

apparmor-samba-include-permissions-for-shares.diff

@@ -0,0 +1,34 @@
+Samba generates a profile sniplet with permissions for all shares at 
+start using the update-apparmor-samba-profile script.
+
+This patch includes the autogenerated profile sniplet it in the smbd 
+profile. It also creates a dummy profile sniplet to avoid "file not 
+found" errors when AppArmor is started before samba was started.
+
+References: https://bugzilla.novell.com/show_bug.cgi?id=688040
+
+
+Signed-off-by: Christian Boltz <apparmor@cboltz.de>
+
+=== added file 'profiles/apparmor.d/local/usr.sbin.smbd-shares'
+--- profiles/apparmor.d/local/usr.sbin.smbd-shares	1970-01-01 00:00:00 +0000
++++ profiles/apparmor.d/local/usr.sbin.smbd-shares	2011-10-19 09:40:05 +0000
+@@ -0,0 +1,2 @@
++# This file will be replaced by rules for all samba shares at samba start.
++# Do not edit!
+
+=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
+--- profiles/apparmor.d/usr.sbin.smbd	2011-08-27 18:50:42 +0000
++++ profiles/apparmor.d/usr.sbin.smbd	2011-10-19 09:37:04 +0000
+@@ -40,6 +40,10 @@
+ 
+   @{HOMEDIRS}/** lrwk,
+ 
++  # permissions for all configured shares
++  # autogenerated by update-apparmor-samba-profile at samba start
++  #include <local/usr.sbin.smbd-shares>
++
+   # Site-specific additions and overrides. See local/README for details.
+   #include <local/usr.sbin.smbd>
+ }
+

apparmor.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Oct 19 09:53:14 UTC 2011 - opensuse@cboltz.de
+
+- include autogenerated profile sniplet for samba shares (bnc#688040)
+- more helpful error message for "aa-notify -p" if the user is not in
+  the configured group
+
 -------------------------------------------------------------------
 Thu Oct 13 22:52:24 UTC 2011 - opensuse@cboltz.de
 

apparmor.spec

@@ -53,9 +53,15 @@ Source1:        %{name}-profile-editor.png
 Source2:        %{name}-profile-editor.desktop
 Source3:        update-trans.sh
 
+# more helpful error message for "aa-notify -p" if the user is not in the configured group. Patch pending upstream.
+Patch:          apparmor-2.7.0rc1-aa-notify-better-error-message.diff
+
 # enable caching of profiles (= massive performance speedup when loading profiles)
 Patch1:         apparmor-enable-profile-cache.diff
 
+# include autogenerated profile sniplet for samba shares (bnc#688040)
+Patch2:         apparmor-samba-include-permissions-for-shares.diff
+
 # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
 Patch5:         apparmor-utils-string-split
 
@@ -400,7 +406,9 @@ SubDomain.
 
 %prep
 %setup -q -n %{name}-%{versiondir}
+%patch -p0
 %patch1 -p1
+%patch2 -p0
 %patch5 -p1
 #%patch10 -p1 # disabled, see above
 #%patch11 -p1 # disabled, see above