Accepting request 733763 from home:luizluca:branches:security:apparmor

- add apparmor-krb5-conf-d.diff for kerberos client Since https://build.opensuse.org/package/rdiff/network/krb5?linkrev=base&rev=204, it is possible to use configuration snippets for krb5.conf. However, any service under apparmor will not be able to read it. As /etc/krb5.conf.d is default for SUSE but not for upstream apparmor, the patch might not be accepted upstream. LEAP15(.1) should also get this fix. OBS-URL: https://build.opensuse.org/request/show/733763 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=249
2019-09-28 15:13:31 +00:00 · 2019-09-28 15:13:31 +00:00 · 34919fc720
commit 34919fc720
parent c2744d57c4
3 changed files with 37 additions and 0 deletions
--- a/apparmor-krb5-conf-d.diff
+++ b/apparmor-krb5-conf-d.diff
@ -0,0 +1,28 @@
+From 1e37af227ec977efe1a6b6454f5a801c4c04e886 Mon Sep 17 00:00:00 2001
+From: Luiz Angelo Daros de Luca <luizluca@gmail.com>
+Date: Fri, 27 Sep 2019 18:34:20 -0300
+Subject: [PATCH] abstractions/kerberosclient: allow /etc/krb5.conf.d
+
+Permit the use of /etc/krb5.conf.d configuration snippets
+
+Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
+---
+ profiles/apparmor.d/abstractions/kerberosclient | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/profiles/apparmor.d/abstractions/kerberosclient b/profiles/apparmor.d/abstractions/kerberosclient
+index 8b08c146..7cb1f9e0 100644
+--- a/profiles/apparmor.d/abstractions/kerberosclient
+++ b/profiles/apparmor.d/abstractions/kerberosclient
+@@ -22,6 +22,8 @@
+ 
+   /etc/krb5.keytab            rk,
+   /etc/krb5.conf              r,
+  /etc/krb5.conf.d/           r,
+  /etc/krb5.conf.d/*          r,
+ 
+   # config files found via strings on libs
+   /etc/krb.conf               r,
+-- 
+2.23.0
+
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Sep 27 21:43:55 UTC 2019 - Luiz Angelo Daros de Luca <luizluca@tre-sc.jus.br>
+
+- add apparmor-krb5-conf-d.diff for kerberos client
+
 -------------------------------------------------------------------
 Tue Jun 18 20:51:07 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -65,6 +65,9 @@ Patch4:         apparmor-lessopen-profile.patch
 # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
 Patch5:         apparmor-lessopen-nfs-workaround.diff

+# allow /etc/krb5.conf.d/ for kerberos client
+Patch6:         apparmor-krb5-conf-d.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@ -353,6 +356,7 @@ SubDomain.
 %patch3 -p1
 %patch4
 %patch5
+%patch6 -p1

 %build
 %define _lto_cflags %{nil}