From 3350370468cca227ccb64a06fff3bed25b000a1b75755f70b153b218715b0242 Mon Sep 17 00:00:00 2001
From: Christian Boltz <suse-beta@cboltz.de>
Date: Mon, 16 Sep 2013 20:26:54 +0000
Subject: [PATCH] Accepting request 199292 from
 home:seife:branches:security:apparmor

fix ntp by allowing read access to openssl.cnf (see comment in patch)

OBS-URL: https://build.opensuse.org/request/show/199292
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=46
---
 apparmor-2.8.2-fix-ntpd-profile.diff | 27 +++++++++++++++++++++++++++
 apparmor.changes                     |  5 +++++
 apparmor.spec                        |  4 ++++
 3 files changed, 36 insertions(+)
 create mode 100644 apparmor-2.8.2-fix-ntpd-profile.diff

diff --git a/apparmor-2.8.2-fix-ntpd-profile.diff b/apparmor-2.8.2-fix-ntpd-profile.diff
new file mode 100644
index 0000000..0177999
--- /dev/null
+++ b/apparmor-2.8.2-fix-ntpd-profile.diff
@@ -0,0 +1,27 @@
+Patch-Author: Stefan Seyfried <seife+obs@b1-systems.com>
+
+After this change in ntp:
+
+* Mo Aug 19 2013 crrodriguez@opensuse.org
+- Build with -DOPENSSL_LOAD_CONF , ntp must respect and use
+  the system's openssl configuration.
+
+we need to read openssl.cnf or starting of ntpd will fail silently(!)
+
+Index: b/profiles/apparmor.d/usr.sbin.ntpd
+===================================================================
+--- a/profiles/apparmor.d/usr.sbin.ntpd
++++ b/profiles/apparmor.d/usr.sbin.ntpd
+@@ -38,10 +38,12 @@
+   /etc/ntp/step-tickers r,
+   /etc/ntpd.conf r,
+   /etc/ntpd.conf.tmp r,
+   /etc/gai.conf r,
+ 
++  /etc/ssl/openssl.cnf r,
++
+   /tmp/ntp* rwl,
+   /usr/sbin/ntpd rmix,
+   /var/lib/ntp/drift rwl,
+   /var/lib/ntp/drift.TEMP rwl,
+   /var/lib/ntp/drift/ntp.drift rw,
diff --git a/apparmor.changes b/apparmor.changes
index 1633bd7..986dee7 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Sep 16 18:23:46 UTC 2013 - seife+obs@b1-systems.com
+
+- fix ntp by allowing read access to openssl.cnf
+
 -------------------------------------------------------------------
 Thu Sep 12 20:40:38 UTC 2013 - opensuse@cboltz.de
 
diff --git a/apparmor.spec b/apparmor.spec
index 522df9b..e1b58ab 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -97,6 +97,9 @@ Patch5:         apparmor-utils-string-split
 # make apparmor/__init__.py ready for the new tools developed in GSoC. Submitted upstream 2013-09-12
 Patch6:         apparmor-init.py-gsoc.diff
 
+# fix ntpd after configuration change
+Patch7:         apparmor-2.8.2-fix-ntpd-profile.diff
+
 # Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
 Patch12:        apparmor-2.5.1-edirectory-profile
 
@@ -467,6 +470,7 @@ SubDomain.
 %patch4
 %patch5 -p1
 %patch6
+%patch7 -p1
 %patch12 -p1
 
 # only create Immunix::SubDomain perl module for openSUSE <= 12.1