pool/apparmor
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 297856 from security:apparmor

Browse Source 
- make sure %service_del_postun doesn't call systemctl try-restart
  (boo#853019, bare systemd edition)
- add samba-4.2-profiles.diff: update samba (winbindd and nmb)
  profiles for samba 4.2 (boo#921098, boo#923201)

- only install apparmor.service for openSUSE > 13.2

- Add a native systemd unit which *at the moment* only
  wraps/masks the early boot script.

OBS-URL: https://build.opensuse.org/request/show/297856
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=84
This commit is contained in:
Dominique Leuenberger 2015-04-21 23:13:52 +00:00 committed by Git OBS Bridge
commit 64b98d8b18
4 changed files with 112 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
apparmor.changes
View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Fri Apr 17 18:46:08 UTC 2015 - opensuse@cboltz.de
- make sure %service_del_postun doesn't call systemctl try-restart
(boo#853019, bare systemd edition)
- add samba-4.2-profiles.diff: update samba (winbindd and nmb)
profiles for samba 4.2 (boo#921098, boo#923201)
-------------------------------------------------------------------
Sun Apr 12 21:13:23 UTC 2015 - opensuse@cboltz.de
- only install apparmor.service for openSUSE > 13.2
-------------------------------------------------------------------
Wed Apr 1 03:47:44 UTC 2015 - crrodriguez@opensuse.org
- Add a native systemd unit which *at the moment* only
wraps/masks the early boot script.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 24 13:19:10 UTC 2015 - rguenther@suse.com Tue Feb 24 13:19:10 UTC 2015 - rguenther@suse.com

16
apparmor.service Normal file
View File

@ -0,0 +1,16 @@
[Unit]
Description=Load AppArmor profiles
DefaultDependencies=no
Before=sysinit.target
After=systemd-journald-audit.socket
ConditionSecurity=apparmor
[Service]
Type=oneshot
ExecStart=/etc/init.d/boot.apparmor start
ExecReload=/etc/init.d/boot.apparmor reload
ExecStop=/etc/init.d/boot.apparmor stop
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

41
apparmor.spec
View File

@ -1,8 +1,8 @@
# #
# spec file for package apparmor # spec file for package apparmor
# #
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2011-2014 Christian Boltz # Copyright (c) 2011-2015 Christian Boltz
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -72,7 +72,7 @@ Source2: %{name}.keyring
Source5: update-trans.sh Source5: update-trans.sh
Source6: baselibs.conf Source6: baselibs.conf
Source7: apparmor-rpmlintrc Source7: apparmor-rpmlintrc
Source8: apparmor.service
# enable caching of profiles (= massive performance speedup when loading profiles) # enable caching of profiles (= massive performance speedup when loading profiles)
Patch1: apparmor-enable-profile-cache.diff Patch1: apparmor-enable-profile-cache.diff
@ -83,6 +83,8 @@ Patch2: apparmor-samba-include-permissions-for-shares.diff
Patch3: apparmor-utils-string-split Patch3: apparmor-utils-string-split
# Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions # Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
# as discussed with Jeff on #apparmor 2015-03-16, disable when packaging the next major release
# (Is this really needed in abstractions/nameservice or only in the nscd profile? bnc#621394 only shows nscd.)
Patch4: apparmor-2.5.1-edirectory-profile Patch4: apparmor-2.5.1-edirectory-profile
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
@ -101,6 +103,9 @@ Patch8: apparmor-changes-since-2.9.1.diff
# fix build with GCC 5 due to bad ostream use # fix build with GCC 5 due to bad ostream use
Patch9: apparmor-fix-stl-ostream.diff Patch9: apparmor-fix-stl-ostream.diff
# update samba (winbindd and nmb) profiles for samba 4.2 (boo#921098, boo#923201)
Patch10: samba-4.2-profiles.diff
Url: https://launchpad.net/apparmor Url: https://launchpad.net/apparmor
PreReq: sed PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -151,6 +156,11 @@ BuildRequires: java-devel >= 1.6.0
BuildRequires: tomcat6 BuildRequires: tomcat6
%endif %endif
%if 0%{?suse_version} > 1320
BuildRequires: systemd-rpm-macros
%{?systemd_requires}
%endif
%package parser %package parser
Summary: AppArmor userlevel parser utility Summary: AppArmor userlevel parser utility
License: GPL-2.0+ License: GPL-2.0+
@ -443,6 +453,7 @@ SubDomain.
%patch7 -p1 %patch7 -p1
%patch8 %patch8
%patch9 %patch9
%patch10
# search for left-over multiline rules # search for left-over multiline rules
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
@ -595,6 +606,10 @@ done
# remove *.la files # remove *.la files
rm -fv %{buildroot}%{_libdir}/libapparmor.la rm -fv %{buildroot}%{_libdir}/libapparmor.la
%if 0%{?suse_version} > 1320
install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service
%endif
echo ------------------------------------------------------------------- echo -------------------------------------------------------------------
#find -ls #find -ls
echo ------------------------------------------------------------------- echo -------------------------------------------------------------------
@ -626,6 +641,9 @@ echo -------------------------------------------------------------------
%else %else
%{_sysconfdir}/init.d/apparmor %{_sysconfdir}/init.d/apparmor
%endif %endif
%if 0%{?suse_version} > 1320
%{_unitdir}/apparmor.service
%endif
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf %config(noreplace) %{_sysconfdir}/apparmor/parser.conf
%{_localstatedir}/lib/apparmor %{_localstatedir}/lib/apparmor
@ -636,12 +654,13 @@ echo -------------------------------------------------------------------
%doc %{_mandir}/man5/subdomain.conf.5.gz %doc %{_mandir}/man5/subdomain.conf.5.gz
%doc %{_mandir}/man7/apparmor.7.gz %doc %{_mandir}/man7/apparmor.7.gz
%doc %{_mandir}/man8/apparmor_parser.8.gz %doc %{_mandir}/man8/apparmor_parser.8.gz
%if %{distro} == "redhat" || %{distro} == "rhel4"
%pre parser %pre parser
if [ -f %{_sysconfdir}/init.d/subdomain ] ; then if [ -f %{_sysconfdir}/init.d/subdomain ] ; then
chkconfig --del subdomain chkconfig --del subdomain
fi fi
%if 0%{?suse_version} > 1320
%service_add_pre apparmor.service
%endif %endif
%files parser-lang -f apparmor-parser.lang %files parser-lang -f apparmor-parser.lang
@ -827,6 +846,10 @@ fi
fi fi
%endif %endif
%if 0%{?suse_version} > 1320
%service_add_post apparmor.service
%endif
%preun parser %preun parser
if [ "$1" = 0 ] ; then if [ "$1" = 0 ] ; then
%if %{distro} == "suse" %if %{distro} == "suse"
@ -837,6 +860,10 @@ if [ "$1" = 0 ] ; then
%endif %endif
fi fi
%if 0%{?suse_version} > 1320
%service_del_preun apparmor.service
%endif
%postun parser %postun parser
%if %{distro} == "suse" %if %{distro} == "suse"
#restart_on_update boot.apparmor - but non-broken (bnc#853019) #restart_on_update boot.apparmor - but non-broken (bnc#853019)
@ -851,6 +878,12 @@ fi
%{insserv_cleanup} || true %{insserv_cleanup} || true
%endif %endif
%if 0%{?suse_version} > 1320
# don't call try-restart, see bnc#853019
export DISABLE_RESTART_ON_UPDATE="yes"
%service_del_postun apparmor.service
%endif
%post abstractions %post abstractions
%if %{distro} == "suse" %if %{distro} == "suse"
#restart_on_update boot.apparmor - but non-broken (bnc#853019) #restart_on_update boot.apparmor - but non-broken (bnc#853019)

40
samba-4.2-profiles.diff Normal file
View File

@ -0,0 +1,40 @@
Index: profiles/apparmor.d/abstractions/samba
===================================================================
--- profiles/apparmor.d/abstractions/samba.orig 2014-07-04 12:09:58.000000000 +0200
+++ profiles/apparmor.d/abstractions/samba 2015-04-17 21:24:22.463107165 +0200
@@ -13,7 +13,7 @@
/usr/share/samba/*.dat r,
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
/var/cache/samba/ w,
- /var/lib/samba/**.tdb rwk,
+ /var/lib/samba/** rwk,
/var/log/samba/cores/ rw,
/var/log/samba/cores/** rw,
/var/log/samba/log.* w,
Index: profiles/apparmor.d/usr.sbin.winbindd
===================================================================
--- profiles/apparmor.d/usr.sbin.winbindd.orig 2014-04-21 22:10:51.000000000 +0200
+++ profiles/apparmor.d/usr.sbin.winbindd 2015-04-17 21:26:56.262142786 +0200
@@ -10,8 +10,12 @@
capability ipc_lock,
capability setuid,
+ /etc/samba/netlogon_creds_cli.tdb rwk,
/etc/samba/passdb.tdb{,.tmp} rwk,
/etc/samba/secrets.tdb rwk,
+ /etc/samba/smbd.tmp/ rw,
+ /etc/samba/smbd.tmp/msg/ rw,
+ /etc/samba/smbd.tmp/msg/* rw,
@{PROC}/sys/kernel/core_pattern r,
/tmp/.winbindd/ w,
/tmp/krb5cc_* rwk,
@@ -21,9 +25,6 @@
/usr/sbin/winbindd mr,
/var/cache/krb5rcache/* rw,
/var/cache/samba/*.tdb rwk,
- /var/lib/samba/smb_krb5/krb5.conf.* rw,
- /var/lib/samba/smb_tmp_krb5.* rw,
- /var/lib/samba/winbindd_cache.tdb* rwk,
/var/log/samba/log.winbindd rw,
/{var/,}run/samba/winbindd.pid rwk,
/{var/,}run/samba/winbindd/ rw,