Accepting request 1142650 from security:apparmor
- Add dovecot-unix_chkpwd.diff to allow dovecot-auth to execute unix_chkpwd, and add a profile for unix_chkpwd. This is needed for PAM 1.6 (boo#1219139)
- Refresh apparmor.keyring - the key was renewed

(forwarded request 1142649 from cboltz)

OBS-URL: https://build.opensuse.org/request/show/1142650
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=199
commit 32180a3adb
@ -1,3 +1,11 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jan 29 20:56:13 UTC 2024 - Christian Boltz <suse-beta@cboltz.de>
|
||||||
|
|
||||||
|
- Add dovecot-unix_chkpwd.diff to allow dovecot-auth to execute
|
||||||
|
unix_chkpwd, and add a profile for unix_chkpwd. This is needed
|
||||||
|
for PAM 1.6 (boo#1219139)
|
||||||
|
- Refresh apparmor.keyring - the key was renewed
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Nov 8 18:19:36 UTC 2023 - Christian Boltz <suse-beta@cboltz.de>
|
Wed Nov 8 18:19:36 UTC 2023 - Christian Boltz <suse-beta@cboltz.de>
|
||||||
|
|
||||||
|
@ -1,5 +1,4 @@
|
|||||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
Version: GnuPG v2
|
|
||||||
|
|
||||||
-----END PGP PUBLIC KEY BLOCK-----
|
-----END PGP PUBLIC KEY BLOCK-----
|
||||||
|
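Review bot: The refreshed key block gives a reviewer nothing to check the new material against, since the changelog entry says only "the key was renewed". Please record the primary key fingerprint and the source of the new export in the .changes entry, so it is clear that the keyring still carries the same signing key with extended validity rather than a different key.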
@ -1,8 +1,8 @@
|
|||||||
#
|
#
|
||||||
# spec file for package apparmor
|
# spec file for package apparmor
|
||||||
#
|
#
|
||||||
# Copyright (c) 2023 SUSE LLC
|
# Copyright (c) 2024 SUSE LLC
|
||||||
# Copyright (c) 2011-2022 Christian Boltz
|
# Copyright (c) 2011-2024 Christian Boltz
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -97,6 +97,9 @@ Patch7: apparmor-enable-precompiled-cache.diff
|
|||||||
# Upstream MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1121 (merged 2023-11-08 into master, 3.1 and 3.0)
|
# Upstream MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1121 (merged 2023-11-08 into master, 3.1 and 3.0)
|
||||||
Patch8: apparmor-systemd-sessions.patch
|
Patch8: apparmor-systemd-sessions.patch
|
||||||
|
|
||||||
|
# allow dovecot-auth to execute unix_chkpwd, and add a profile for unix_chkpwd. This is needed for PAM 1.6 (boo#1219139)
|
||||||
|
Patch9: dovecot-unix_chkpwd.diff
|
||||||
|
|
||||||
PreReq: sed
|
PreReq: sed
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
BuildRequires: bison
|
BuildRequires: bison
|
||||||
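Review bot: The comment above `Patch9: dovecot-unix_chkpwd.diff` carries no upstream reference, while Patch8 directly above it has an `Upstream MR:` link with its merge status. Add the upstream merge request for this change, or state that it is a downstream-only patch, so it is clear when the patch can be dropped.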
@ -365,6 +368,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
|
|||||||
%patch7
|
%patch7
|
||||||
%endif
|
%endif
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
|
%patch9 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export SUSE_ASNEEDED=0
|
export SUSE_ASNEEDED=0
|
||||||
@ -599,6 +603,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
|||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd
|
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd
|
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-*
|
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-*
|
||||||
|
%config(noreplace) %{_sysconfdir}/apparmor.d/unix-chkpwd
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/zgrep
|
%config(noreplace) %{_sysconfdir}/apparmor.d/zgrep
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
|
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
|
||||||
%dir /usr/share/apparmor/
|
%dir /usr/share/apparmor/
|
||||||
|
53
dovecot-unix_chkpwd.diff
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
Index: apparmor-3.1.6/profiles/apparmor.d/unix-chkpwd
|
||||||
|
===================================================================
|
||||||
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||||
|
+++ apparmor-3.1.6/profiles/apparmor.d/unix-chkpwd 2024-01-29 21:53:27.234254724 +0100
|
||||||
|
@@ -0,0 +1,31 @@
|
||||||
|
+# apparmor.d - Full set of apparmor profiles
|
||||||
|
+# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||||
|
+# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
+
|
||||||
|
+# The apparmor.d project comes with several variables and abstractions
|
||||||
|
+# that are not part of upstream AppArmor yet. Therefore this profile was
|
||||||
|
+# adopted to use abstractions and variables that are available.
|
||||||
|
+# Copyright (C) Christian Boltz 2024
|
||||||
|
+
|
||||||
|
+abi <abi/3.0>,
|
||||||
|
+
|
||||||
|
+include <tunables/global>
|
||||||
|
+
|
||||||
|
+profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
|
||||||
|
+ include <abstractions/base>
|
||||||
|
+ include <abstractions/nameservice>
|
||||||
|
+
|
||||||
|
+ # To write records to the kernel auditing log.
|
||||||
|
+ capability audit_write,
|
||||||
|
+
|
||||||
|
+ network netlink raw,
|
||||||
|
+
|
||||||
|
+ /{,usr/}{,s}bin/unix_chkpwd mr,
|
||||||
|
+
|
||||||
|
+ /etc/shadow r,
|
||||||
|
+
|
||||||
|
+ # file_inherit
|
||||||
|
+ owner /dev/tty[0-9]* rw,
|
||||||
|
+
|
||||||
|
+ include if exists <local/unix-chkpwd>
|
||||||
|
+}
|
||||||
|
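Review bot: `network netlink raw,` in the new unix-chkpwd profile is the only grant without an explanation, while `capability audit_write,` just above it documents its purpose. If the netlink socket is needed for the same audit logging, say so in a comment; if something else needs it, name that instead. In the header comment, "adopted" should probably read "adapted".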
Index: apparmor-3.1.6/profiles/apparmor.d/usr.lib.dovecot.auth
|
||||||
|
===================================================================
|
||||||
|
--- apparmor-3.1.6.orig/profiles/apparmor.d/usr.lib.dovecot.auth 2023-06-21 23:13:41.000000000 +0200
|
||||||
|
+++ apparmor-3.1.6/profiles/apparmor.d/usr.lib.dovecot.auth 2024-01-29 21:45:32.528140518 +0100
|
||||||
|
@@ -52,8 +52,12 @@ profile dovecot-auth /usr/lib/dovecot/au
|
||||||
|
@{run}/dovecot/stats-user rw,
|
||||||
|
@{run}/dovecot/anvil-auth-penalty rw,
|
||||||
|
|
||||||
|
+ owner /proc/@{pid}/loginuid r,
|
||||||
|
+
|
||||||
|
/var/spool/postfix/private/auth rw,
|
||||||
|
|
||||||
|
+ /usr/sbin/unix_chkpwd Px,
|
||||||
|
+
|
||||||
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
|
include if exists <local/usr.lib.dovecot.auth>
|
||||||
|
}
|
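Review bot: The new exec rule `/usr/sbin/unix_chkpwd Px,` names a single path, but the unix-chkpwd profile added in the same patch attaches to `/{,usr/}{,s}bin/unix_chkpwd`. On a system where the helper lives at one of the other three locations that attachment covers, dovecot-auth would still be denied the exec, so use the same path pattern in the Px rule. Because Px has no fallback, this rule also depends on the unix-chkpwd profile being loaded whenever the dovecot-auth profile is.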
@ -1,8 +1,8 @@
|
|||||||
#
|
#
|
||||||
# spec file for package libapparmor
|
# spec file for package libapparmor
|
||||||
#
|
#
|
||||||
# Copyright (c) 2023 SUSE LLC
|
# Copyright (c) 2024 SUSE LLC
|
||||||
# Copyright (c) 2011-2022 Christian Boltz
|
# Copyright (c) 2011-2024 Christian Boltz
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
|