Accepting request 89885 from security:apparmor:factory

Two fixes for AppArmor profiles:
- make abstractions/winbind working on 64bit systems
- allow loading the libraries for samba "vfs objects" also on 32bit 
  systems (bnc#725967)

Please forward these profile fixes to openSUSE 12.1.

OBS-URL: https://build.opensuse.org/request/show/89885
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=29
This commit is contained in:
Stephan Kulow 2011-11-02 10:44:00 +00:00 committed by Git OBS Bridge
parent ec4a0f5b29
commit 6058242ab8
4 changed files with 36 additions and 4 deletions

View File

@ -0,0 +1,21 @@
Make abstractions/winbind working on 64bit systems - valid.dat etc. are in
/usr/lib64/samba/ there
Signed-Off-by: Christian Boltz <apparmor@cboltz.de>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
=== modified file 'profiles/apparmor.d/abstractions/winbind'
--- profiles/apparmor.d/abstractions/winbind 2010-12-20 20:29:10 +0000
+++ profiles/apparmor.d/abstractions/winbind 2011-11-01 15:56:49 +0000
@@ -13,7 +13,7 @@
/tmp/.winbindd/pipe rw,
/var/{lib,run}/samba/winbindd_privileged/pipe rw,
/etc/samba/smb.conf r,
- /usr/lib/samba/valid.dat r,
- /usr/lib/samba/upcase.dat r,
- /usr/lib/samba/lowcase.dat r,
+ /usr/lib*/samba/valid.dat r,
+ /usr/lib*/samba/upcase.dat r,
+ /usr/lib*/samba/lowcase.dat r,

View File

@ -12,7 +12,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
/etc/printcap r,
/proc/*/mounts r,
/proc/sys/kernel/core_pattern r,
+ /usr/lib64/samba/vfs/*.so mr,
+ /usr/lib*/samba/vfs/*.so mr,
/usr/sbin/smbd mr,
/etc/samba/* rwk,
/var/cache/samba/** rwk,

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Nov 1 17:39:29 UTC 2011 - opensuse@cboltz.de
- make abstractions/winbind working on 64bit systems
- allow loading the libraries for samba "vfs objects" also on 32bit
systems (bnc#725967)
-------------------------------------------------------------------
Wed Oct 26 20:48:16 UTC 2011 - opensuse@cboltz.de

View File

@ -53,7 +53,7 @@ Source1: %{name}-profile-editor.png
Source2: %{name}-profile-editor.desktop
Source3: update-trans.sh
# more helpful error message for "aa-notify -p" if the user is not in the configured group. Patch pending upstream.
# more helpful error message for "aa-notify -p" if the user is not in the configured group. Commited upstream after 2.7rc1.
Patch: apparmor-2.7.0rc1-aa-notify-better-error-message.diff
# enable caching of profiles (= massive performance speedup when loading profiles)
@ -62,9 +62,12 @@ Patch1: apparmor-enable-profile-cache.diff
# include autogenerated profile sniplet for samba shares (bnc#688040)
Patch2: apparmor-samba-include-permissions-for-shares.diff
# allow samba "vfs objects" (bnc#725967)
# allow samba "vfs objects" (bnc#725967). Commited upstream after 2.7rc1.
Patch3: apparmor-samba-vfs-objects.diff
# make abstractions/winbind working on 64bit systems. Commited upstream after 2.7rc1.
Patch4: apparmor-abstractions-winbind-64bit.diff
# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
Patch5: apparmor-utils-string-split
@ -75,7 +78,7 @@ Patch11: apparmor-2.5.1-rpmlint-asprintf
# Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
Patch12: apparmor-2.5.1-edirectory-profile
# split ldap related things from abstractions/nameservice to abstractions/ldapclient and add sasl support. TODO: send upstream
# split ldap related things from abstractions/nameservice to abstractions/ldapclient and add sasl support. Commited upstream after 2.7rc1.
Patch13: apparmor-2.5.1-ldapclient-profile
# obsolete, upstream implemented this in another way
@ -413,6 +416,7 @@ SubDomain.
%patch1 -p1
%patch2 -p0
%patch3 -p0
%patch4 -p0
%patch5 -p1
#%patch10 -p1 # disabled, see above
#%patch11 -p1 # disabled, see above