diff --git a/apparmor.changes b/apparmor.changes index dadc216..d2f4a42 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Oct 7 19:58:19 UTC 2019 - Christian Boltz + +- add usr-etc-abstractions-authentification.diff to allow reading + /usr/etc/pam.d/* and some other authentification-related files (boo#1153162) + ------------------------------------------------------------------- Sat Sep 28 15:20:10 UTC 2019 - Christian Boltz diff --git a/apparmor.spec b/apparmor.spec index 2d2c09b..77d6c4f 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -71,6 +71,9 @@ Patch6: apparmor-krb5-conf-d.diff # add certbot paths to abstractions/ssl_keys and abstractions/ssl_certs (from upstream https://gitlab.com/apparmor/apparmor/merge_requests/398, merged 2019-06-30) Patch7: abstractions-ssl-certbot-paths.diff +# allow reading /usr/etc/pam.d/* and some other authentification-related files (submitted upstream 2019-10-07 https://gitlab.com/apparmor/apparmor/merge_requests/426) +Patch8: usr-etc-abstractions-authentification.diff + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apparmor_bin_prefix /lib/apparmor @@ -361,6 +364,7 @@ SubDomain. %patch5 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %build %define _lto_cflags %{nil} diff --git a/usr-etc-abstractions-authentification.diff b/usr-etc-abstractions-authentification.diff new file mode 100644 index 0000000..2aa5324 --- /dev/null +++ b/usr-etc-abstractions-authentification.diff 
@@ -0,0 +1,60 @@
+commit ee7194a7141b99225bb1d040ef2d37ad47ca838e
+Author: Christian Boltz
+Date: Mon Oct 7 21:47:25 2019 +0200
+
+ Allow /usr/etc/ in abstractions/authentication
+
+ openSUSE (and hopefully some other distributions) work on moving shipped
+ config files from /etc/ to /usr/etc/ so that /etc/ only contains files
+ written by the admin of each system.
+
+ See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
+ the first moved files.
+
+ Updating abstractions/authentication is the first step, and also fixes
+ bugzilla.opensuse.org/show_bug.cgi?id=1153162
+
+diff --git a/profiles/apparmor.d/abstractions/authentication b/profiles/apparmor.d/abstractions/authentication
+index b92516f9..58efe6b9 100644
+--- a/profiles/apparmor.d/abstractions/authentication
++++ b/profiles/apparmor.d/abstractions/authentication
+@@ -2,6 +2,7 @@
+ #
+ # Copyright (C) 2002-2009 Novell/SUSE
+ # Copyright (C) 2009-2012 Canonical Ltd
++# Copyright (C) 2019 Christian Boltz
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of version 2 of the GNU General Public
+@@ -14,13 +15,13 @@
+ # Some services need to perform authentication of users
+ # Such authentication almost certainly needs access to the local users
+ # databases containing passwords, PAM configuration files, PAM libraries
+- /etc/nologin r,
+- /etc/pam.d/* r,
+- /etc/securetty r,
+- /etc/security/* r,
+- /etc/shadow r,
+- /etc/gshadow r,
+- /etc/pwdb.conf r,
++ /{usr/,}etc/nologin r,
++ /{usr/,}etc/pam.d/* r,
++ /{usr/,}etc/securetty r,
++ /{usr/,}etc/security/* r,
++ /{usr/,}etc/shadow r,
++ /{usr/,}etc/gshadow r,
++ /{usr/,}etc/pwdb.conf r,
+
+ /{usr/,}lib{,32,64}/security/pam_filter/* mr,
+ /{usr/,}lib{,32,64}/security/pam_*.so mr,
+@@ -32,8 +33,8 @@
+ # kerberos
+ #include
+ # SuSE's pwdutils are different:
+- /etc/default/passwd r,
+- /etc/login.defs r,
++ /{usr/,}etc/default/passwd r,
++ /{usr/,}etc/login.defs r,
+
+ # nis
+ #include
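Review bot: The `/{usr/,}etc/shadow r,` and `/{usr/,}etc/gshadow r,` rules in the `@@ -14,13 +15,13 @@` hunk of the embedded patch widen read access to password-hash paths under /usr/etc, while the commit message justifies the change only by shipped config files moving from /etc/ to /usr/etc/. shadow and gshadow are presumably per-system account data rather than shipped defaults, so those two rules could stay as `/etc/shadow r,` and `/etc/gshadow r,`, which keeps the grant inherited by profiles that include abstractions/authentication no wider than the migration needs. If the broader pattern is kept for uniformity, a comment above the block such as `# /usr/etc/ holds distribution-shipped defaults, /etc/ the admin's files (see openSUSE:Packaging_UsrEtc)` would record why it is there.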