Accepting request 735944 from home:cboltz

- add usr-etc-abstractions-authentification.diff to allow reading
  /usr/etc/pam.d/* and some other authentification-related files (boo#1153162)

OBS-URL: https://build.opensuse.org/request/show/735944
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=252

apparmor.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct  7 19:58:19 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>
+
+- add usr-etc-abstractions-authentification.diff to allow reading
+  /usr/etc/pam.d/* and some other authentification-related files (boo#1153162)
+
 -------------------------------------------------------------------
 Sat Sep 28 15:20:10 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>
 

apparmor.spec

@@ -71,6 +71,9 @@ Patch6:         apparmor-krb5-conf-d.diff
 # add certbot paths to abstractions/ssl_keys and abstractions/ssl_certs (from upstream https://gitlab.com/apparmor/apparmor/merge_requests/398, merged 2019-06-30)
 Patch7:         abstractions-ssl-certbot-paths.diff
 
+# allow reading /usr/etc/pam.d/* and some other authentification-related files (submitted upstream 2019-10-07 https://gitlab.com/apparmor/apparmor/merge_requests/426)
+Patch8:         usr-etc-abstractions-authentification.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@@ -361,6 +364,7 @@ SubDomain.
 %patch5
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 
 %build
 %define _lto_cflags %{nil}

usr-etc-abstractions-authentification.diff

@@ -0,0 +1,60 @@
+commit ee7194a7141b99225bb1d040ef2d37ad47ca838e
+Author: Christian Boltz <apparmor@cboltz.de>
+Date:   Mon Oct 7 21:47:25 2019 +0200
+
+    Allow /usr/etc/ in abstractions/authentication
+    
+    openSUSE (and hopefully some other distributions) work on moving shipped
+    config files from /etc/ to /usr/etc/ so that /etc/ only contains files
+    written by the admin of each system.
+    
+    See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
+    the first moved files.
+    
+    Updating abstractions/authentication is the first step, and also fixes
+    bugzilla.opensuse.org/show_bug.cgi?id=1153162
+
+diff --git a/profiles/apparmor.d/abstractions/authentication b/profiles/apparmor.d/abstractions/authentication
+index b92516f9..58efe6b9 100644
+--- a/profiles/apparmor.d/abstractions/authentication
++++ b/profiles/apparmor.d/abstractions/authentication
+@@ -2,6 +2,7 @@
+ #
+ #    Copyright (C) 2002-2009 Novell/SUSE
+ #    Copyright (C) 2009-2012 Canonical Ltd
++#    Copyright (C) 2019 Christian Boltz
+ #
+ #    This program is free software; you can redistribute it and/or
+ #    modify it under the terms of version 2 of the GNU General Public
+@@ -14,13 +15,13 @@
+   # Some services need to perform authentication of users
+   # Such authentication almost certainly needs access to the local users
+   # databases containing passwords, PAM configuration files, PAM libraries
+-  /etc/nologin                r,
+-  /etc/pam.d/*                r,
+-  /etc/securetty              r,
+-  /etc/security/*             r,
+-  /etc/shadow                 r,
+-  /etc/gshadow                r,
+-  /etc/pwdb.conf              r,
++  /{usr/,}etc/nologin                r,
++  /{usr/,}etc/pam.d/*                r,
++  /{usr/,}etc/securetty              r,
++  /{usr/,}etc/security/*             r,
++  /{usr/,}etc/shadow                 r,
++  /{usr/,}etc/gshadow                r,
++  /{usr/,}etc/pwdb.conf              r,
+ 
+   /{usr/,}lib{,32,64}/security/pam_filter/*  mr,
+   /{usr/,}lib{,32,64}/security/pam_*.so      mr,
+@@ -32,8 +33,8 @@
+   # kerberos
+   #include <abstractions/kerberosclient>
+   # SuSE's pwdutils are different:
+-  /etc/default/passwd         r,
+-  /etc/login.defs             r,
++  /{usr/,}etc/default/passwd         r,
++  /{usr/,}etc/login.defs             r,
+ 
+   # nis
+   #include <abstractions/nis>