diff --git a/apparmor.changes b/apparmor.changes index 07c0e0b..5801949 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Jan 29 20:56:13 UTC 2024 - Christian Boltz + +- Add dovecot-unix_chkpwd.diff to allow dovecot-auth to execute + unix_chkpwd, and add a profile for unix_chkpwd. This is needed + for PAM 1.6 (boo#1219139) +- Refresh apparmor.keyring - the key was renewed + ------------------------------------------------------------------- Wed Nov 8 18:19:36 UTC 2023 - Christian Boltz diff --git a/apparmor.keyring b/apparmor.keyring index bd83a07..dd2dba6 100644 --- a/apparmor.keyring +++ b/apparmor.keyring @@ -1,5 +1,4 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2 mQINBFUwHrABEADZVFn6TF2SxrpMiknHVeUHW7l4mOjHcxtULlEOQ3yaxyNxA0iE GFWnbP7ek2cjzrfNIA1HNiS0FNsKipRAd5EfRUvJO3lrVfPBRBMLExeyA5h8vXtc 
@@ -38,28 +37,53 @@ AC0AGHHsBcijFLzsSn9hOve8DSo/Jwjgvb1Rx1wl8RsmegATOik7FnWRsU+2OM9f /BU3sLXuKWRQFXiVHsEpRO+vKVFVtcdu7BGzuFBnLS26SNP2jKRYIWJ1ea177w82 vcjX5URSTBSQef0ABuYgzcV3CmTkKmpDmy49X+bpLQjYwX26XVh4Fm8yULTXT+Wc pyDNf4itO8VSQpzrecBBcNJnyYvKBOuV0ASs4bZ0/ghmfGNHENk18ZQHZQ0pI1vX -eNk5l60Ensk0WWA/sz1732WzhTtRuQINBFUwHrABEACzq2cDh5gGH419PwIGmkxY -rZWyVglmXPI/4sf/dAqyrr/FRkSNW+VZzw/yLVfA4zW9ttYReJsmFKqXpSoF8ci5 -RfZf1fba9xv4I5x4WBGNcaUZzdKm7vMW/reJRDsNw7f6zvL9VlUUtlL8lSnsObbE -yCrI8oMUwJzu8ojFMiUfRfmQ0IQrYC8hFgmMkknsG6gQTrKSX3xDmFPeAaN11TA1 -9thm+GrcEbKvDMiS5RGG924Lmz+67C+hmKc6HRvDPkNp6prDmiMiLkCun6qQQC5b -jdO3yKlEuhxeNcNAxKIEpv5Syy9gEXXT8DeLQmutSHHb1SYSMB6mzX7b+3wtka+E -uCwWk3VrutpOHD0HCJMMtxbLrtlyq8v+3m8v9tyfNBVaeFyR7IEt9ciGiIe5eNw8 -R3E3BRGEIW7ABs55rnA47mmVO6nBGq8VMriLCeVSO7I/D+9enSvcTng78PK99iBW -7e6gbGtGUXLpvx/bu61HpQrnG4DWVJ7jk6W2bbSLclT8DwJDQiN+poamNuoQjqAW -xrxsYPNRsc6/Ro0LJMXAkc0xQqShtXl2pdCdJroj8gXq3i3HpQfDZrjzNbW02gMN -HSCR5QpmGS4UrL8ex+3DYnGUZh/SxMVVVbRQ4dPbO5yTbwDdaQkAenA6Faj4lM7S -jv4ToiG6Ld6c6UMU1B5CVQARAQABiQIlBBgBCgAPBQJVMB6wAhsMBQkPCZwAAAoJ -EGaJ5k49NmS7LfwP/0M+kTh5bviy4rr6OtCUnd/qCob/DBLkbCbHrEZz/+2yUQa1 -IS93BjKrU2umD/CcMEU0F6yltHr7QtFufWEkcz1HvfRru2H1B3rrNxr1cab0ek7K -+456gN5Os2/jP/1L4BsAjAPii1wthpH59z8m333L2uDnkkd8cUTaIW+TBPG2wN2C -OJ+Pgyd9SAaqpVFmO0CoLhWixyK42OJTbm12SyeUq2VlVX+v+S2rql64RZJI9Kcn -N/36kWAgMdDuCpa8XEhJP2DxC8QcFyduP7/ZdYJZNWuiny6VP+HKblP6Imnc6xjz -HXSQauDsp5hUuxz+aLaAJSS1yBA23lfdhf+Yfu4ruMGFICdHXAkRXBt2JFIVskt3 -cL/tBrNEkDi0JG6FzYAS9gLJIyvlJlElgXXF0OZl60kjh254xRDEH5Q8/spBDdzw -0FkHS3hPWjM3sDSSZuX9YAZDzw0wQGM6sl4y+BX8I2JerhF9SIS606NAaT+06kOH -5wa4S51u6XN+UdXoXa6XSo/fqhVHt/5Mu1A90gMkA65ji0X+Xu/Yoo3Ui1Tx584t -qtHJFnDQa4wJbmjB7uzqbpkk7xKFII1vgLayS8MkFvg+lnmjvgr/ve0hoHZnVCSz -md9kZgGkKQfTaGFIZRc24D44tcIL1K20B+cskRqhpee7EGaba7sazdpVk3A0 -=dwg6 +eNk5l60Ensk0WWA/sz1732WzhTtRiQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYC +AwEAAh4BAheAFiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmRRDVUFCRECIiUACgkQ +ZonmTj02ZLsLKg/9FOHsQ9aab5nZd3UfHxT3YTC73wkRIkKtoO1Y3Sv4pHzMr3CP 
+AV9Z+5YA8rUGyaSB14AFyVKjCswv3Rymd3IV+i2UYO9RwUpv3nM+adumIRga/mXp +yMwARcsRhlrrsUQL0H8R868Z/Pmq7yQw60/0jUXC/O+BJwD0xtTe/oIOwc7oyCDL +oOX8R0XcuVcnoDn0Mc27hFV1xK3iz5c0LtqTLLW20I3YqIVPdiF52SAwFo57xNZ7 +ntIvhntEHvhTzSD/BtiTNolhxf3C/pm/tmkgZ1CbkZn/TmXGEibHauP6Q9l1T7y9 +HkrPrq89c6kRVDnl6k3/W8f38ocat6U2xBcRQYtcLPvns3VpLIcLge1E2k0C7pYT +KxhyCo3Oc8WGpNX7ta/i3umUk0JlNl2vKiqjFilDWiu2ygXzzucmcQCkYQElrmUC +qGMBDnZWAi6qR1yMDiOdeIHni6V8GAjRUGVUhrqzMRNF091Szthxn4EQGOoZSBZl +9MkKm02hlj95eE+7UtSk/tAtLNxnIhwsz4OYxQxKh/kmj7AD8D2mD4ImQKaoCIPv +YJOXt6fHSLWZGNOSAn6oOWgAb4yMfausgJsE+USEsYphAyE/gfyPEqM3h7RzWmFi +u6UHYeKGpEzi6r66x/+WBH7VwJDM0Zg3KfDPXznyq3ZSUjpplQQI56UXttG5Ag0E +VTAesAEQALOrZwOHmAYfjX0/AgaaTFitlbJWCWZc8j/ix/90CrKuv8VGRI1b5VnP +D/ItV8DjNb221hF4myYUqpelKgXxyLlF9l/V9tr3G/gjnHhYEY1xpRnN0qbu8xb+ +t4lEOw3Dt/rO8v1WVRS2UvyVKew5tsTIKsjygxTAnO7yiMUyJR9F+ZDQhCtgLyEW +CYySSewbqBBOspJffEOYU94Bo3XVMDX22Gb4atwRsq8MyJLlEYb3bgubP7rsL6GY +pzodG8M+Q2nqmsOaIyIuQK6fqpBALluN07fIqUS6HF41w0DEogSm/lLLL2ARddPw +N4tCa61IcdvVJhIwHqbNftv7fC2Rr4S4LBaTdWu62k4cPQcIkwy3Fsuu2XKry/7e +by/23J80FVp4XJHsgS31yIaIh7l43DxHcTcFEYQhbsAGznmucDjuaZU7qcEarxUy +uIsJ5VI7sj8P716dK9xOeDvw8r32IFbt7qBsa0ZRcum/H9u7rUelCucbgNZUnuOT +pbZttItyVPwPAkNCI36mhqY26hCOoBbGvGxg81Gxzr9GjQskxcCRzTFCpKG1eXal +0J0muiPyBereLcelB8NmuPM1tbTaAw0dIJHlCmYZLhSsvx7H7cNicZRmH9LExVVV +tFDh09s7nJNvAN1pCQB6cDoVqPiUztKO/hOiIbot3pzpQxTUHkJVABEBAAGJAiUE +GAEKAA8FAlUwHrACGwwFCQ8JnAAACgkQZonmTj02ZLst/A//Qz6ROHlu+LLiuvo6 +0JSd3+oKhv8MEuRsJsesRnP/7bJRBrUhL3cGMqtTa6YP8JwwRTQXrKW0evtC0W59 +YSRzPUe99Gu7YfUHeus3GvVxpvR6Tsr7jnqA3k6zb+M//UvgGwCMA+KLXC2Gkfn3 +Pybffcva4OeSR3xxRNohb5ME8bbA3YI4n4+DJ31IBqqlUWY7QKguFaLHIrjY4lNu +bXZLJ5SrZWVVf6/5LauqXrhFkkj0pyc3/fqRYCAx0O4KlrxcSEk/YPELxBwXJ24/ +v9l1glk1a6KfLpU/4cpuU/oiadzrGPMddJBq4OynmFS7HP5otoAlJLXIEDbeV92F +/5h+7iu4wYUgJ0dcCRFcG3YkUhWyS3dwv+0Gs0SQOLQkboXNgBL2AskjK+UmUSWB +dcXQ5mXrSSOHbnjFEMQflDz+ykEN3PDQWQdLeE9aMzewNJJm5f1gBkPPDTBAYzqy +XjL4FfwjYl6uEX1IhLrTo0BpP7TqQ4fnBrhLnW7pc35R1ehdrpdKj9+qFUe3/ky7 
+UD3SAyQDrmOLRf5e79iijdSLVPHnzi2q0ckWcNBrjAluaMHu7OpumSTvEoUgjW+A +trJLwyQW+D6WeaO+Cv+97SGgdmdUJLOZ32RmAaQpB9NoYUhlFzbgPji1wgvUrbQH +5yyRGqGl57sQZptruxrN2lWTcDSJAjwEGAEKACYCGwwWIQQ+zcul+zTSVJYcxT9m +ieZOPTZkuwUCZFENowUJEQIicwAKCRBmieZOPTZku47eEAC2yveESIGTnAcyJW04 +6igIK4NRwdfF89TDO5rJa8ZrKhbPw2Qk6CNf575cLj4/CMo6oJV3zv4a4CXztZ2B +8ObJ83pWX8AErQxA4dZdd2J+wl+5bPfeXI1Rm7FmOm32IrJfBI5hRSCq8/GBagaF +xnX5BTmnnWiDRKviodZ3kb9JVl4r1Nj4ELfC2eWpkp9KsAtrP48vK7DD7wP2uc/Z +ngCVzzSiWRLFOsUyVssYjgKZlFGYZ0w0kcTJoeoCTXU1/YvudFjeYb9vHBCJIoDU +NZi4Szxww6bnhgeCldP7Hr9rqwuPk8ReVcvbQOThORubY79oGdCp+ZmmoMFqAlDL +PektIdi0ZoP1a/u/d7qWTutLfkSHL2xwITtjVQtYY3wsuf9FVua8sksohSXuYW+d +DvP76y5EHZjituhykWm1SB74vy7XwxTJqhwTUgjdjc6Mwm4wu2eGCarfSTPrEin3 +X6oFB7TUFddDc8gADKmPsy+Q2ts7RAZzl1dPQEmHBhwbH9ifXtahQjlg7XKYN7A6 +ByfDxcono0VHBte5gTHIoi9k7CwEIHqjlHphpCORnzFemu52kdSN49gwrqK5hGTr +uv0BfG/LcYu2px9O2b65QTcR4nF1Zr07XfzL3pMUHsDquYBS67L2FnyXwOEfxRnX +EC34BZpyVkv7QfB5AuuQGbIeFQ== +=QOb0 -----END PGP PUBLIC KEY BLOCK----- diff --git a/apparmor.spec b/apparmor.spec index 2602e4d..16f7441 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -1,8 +1,8 @@ # # spec file for package apparmor # -# Copyright (c) 2023 SUSE LLC -# Copyright (c) 2011-2022 Christian Boltz +# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2011-2024 Christian Boltz # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -97,6 +97,9 @@ Patch7: apparmor-enable-precompiled-cache.diff # Upstream MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1121 (merged 2023-11-08 into master, 3.1 and 3.0) Patch8: apparmor-systemd-sessions.patch +# allow dovecot-auth to execute unix_chkpwd, and add a profile for unix_chkpwd. This is needed for PAM 1.6 (boo#1219139) +Patch9: dovecot-unix_chkpwd.diff + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison 
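Review bot: The refreshed keyring cannot be checked from this hunk alone, and the commit records no fingerprint for the key that verifies the upstream source. From the first changed line on, the armored data appears to be re-wrapped, so packets that may be unchanged show up as removed and re-added. The leading context lines are untouched, which suggests the primary key is the same and only signature packets were added, but that is an inference. I would record the primary fingerprint and where the new copy came from in the changelog entry, e.g. `- Refresh apparmor.keyring - the key was renewed (primary fingerprint <FINGERPRINT> unchanged)`, so a later reviewer can confirm the trust anchor did not change.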
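Review bot: The comment added above `Patch9:` does not record the upstream status of dovecot-unix_chkpwd.diff, unlike the Patch8 comment directly before it, which names the merge request and the branches it landed in. Because this patch changes the policy that confines an authentication helper, it is worth being able to tell a downstream-only change from a backport. I would add a second comment line such as `# Upstream MR: <URL or "not submitted yet">`.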
@@ -365,6 +368,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/ %patch7 %endif %patch8 -p1 +%patch9 -p1 %build export SUSE_ASNEEDED=0 @@ -599,6 +603,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la %config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd %config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd %config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-* +%config(noreplace) %{_sysconfdir}/apparmor.d/unix-chkpwd %config(noreplace) %{_sysconfdir}/apparmor.d/zgrep %config(noreplace) %{_sysconfdir}/apparmor.d/local/* %dir /usr/share/apparmor/ diff --git a/dovecot-unix_chkpwd.diff b/dovecot-unix_chkpwd.diff new file mode 100644 index 0000000..65a26ee --- /dev/null +++ b/dovecot-unix_chkpwd.diff 
@@ -0,0 +1,53 @@
+Index: apparmor-3.1.6/profiles/apparmor.d/unix-chkpwd
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ apparmor-3.1.6/profiles/apparmor.d/unix-chkpwd 2024-01-29 21:53:27.234254724 +0100
+@@ -0,0 +1,31 @@
++# apparmor.d - Full set of apparmor profiles
++# Copyright (C) 2019-2021 Mikhail Morfikov
++# SPDX-License-Identifier: GPL-2.0-only
++
++# The apparmor.d project comes with several variables and abstractions
++# that are not part of upstream AppArmor yet. Therefore this profile was
++# adopted to use abstractions and variables that are available.
++# Copyright (C) Christian Boltz 2024
++
++abi ,
++
++include
++
++profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
++ include
++ include
++
++ # To write records to the kernel auditing log.
++ capability audit_write,
++
++ network netlink raw,
++
++ /{,usr/}{,s}bin/unix_chkpwd mr,
++
++ /etc/shadow r,
++
++ # file_inherit
++ owner /dev/tty[0-9]* rw,
++
++ include if exists
++}
+Index: apparmor-3.1.6/profiles/apparmor.d/usr.lib.dovecot.auth
+===================================================================
+--- apparmor-3.1.6.orig/profiles/apparmor.d/usr.lib.dovecot.auth 2023-06-21 23:13:41.000000000 +0200
++++ apparmor-3.1.6/profiles/apparmor.d/usr.lib.dovecot.auth 2024-01-29 21:45:32.528140518 +0100
+@@ -52,8 +52,12 @@ profile dovecot-auth /usr/lib/dovecot/au
+ @{run}/dovecot/stats-user rw,
+ @{run}/dovecot/anvil-auth-penalty rw,
+
++ owner /proc/@{pid}/loginuid r,
++
+ /var/spool/postfix/private/auth rw,
+
++ /usr/sbin/unix_chkpwd Px,
++
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+ }
diff --git a/libapparmor.spec b/libapparmor.spec
index 0802f37..f5293e0 100644
--- a/libapparmor.spec
+++ b/libapparmor.spec
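Review bot: The exec rule added to the dovecot-auth profile names only `/usr/sbin/unix_chkpwd`, while the new unix-chkpwd profile in the same patch attaches to `/{,usr/}{,s}bin/unix_chkpwd`. If the helper is installed under any of the other paths that pattern covers, the `Px` rule will not match and password checks from dovecot-auth would be denied; writing it as `/{,usr/}{,s}bin/unix_chkpwd Px,` keeps the two in step. The new profile also attaches by path, so it confines every caller of unix_chkpwd and not only dovecot. The header comment should say so, since the rule set (`/etc/shadow r`, `capability audit_write`, netlink) was presumably sized for the PAM 1.6 case only. The dovecot-auth profile begins outside the inner hunk, so other rules that might already cover this are not visible here.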
@@ -1,8 +1,8 @@ # # spec file for package libapparmor # -# Copyright (c) 2023 SUSE LLC -# Copyright (c) 2011-2022 Christian Boltz +# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2011-2024 Christian Boltz # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed