From 7374ae94dd5e842b8d9044ac1ea93ed260eab0039e2a29396962fef75f8655d3 Mon Sep 17 00:00:00 2001 
From: Christian Boltz Date: Fri, 22 Apr 2016 22:33:49 +0000 Subject: [PATCH] - update to AppArmor 2.10.1 (2.10 branch r3326): - fix incorrect output of child profile names (apparmor_parser -N) which caused 'rcapparmor reload' to remove child profiles and hats (lp#1551950) - fix a crash in aa-logprof / logparser.py for change_hat log events (lp#1523297) and log events that look like file events, but aren't (lp#1540562, lp#1525119, lp#1466812) - write unix rules when saving a profile (lp#1522938, boo#954104#c3) - several fixes for variable handling in aa-logprof - map c (create) log events to w instead of a - add python to the "no Px rule" list in logprof.conf - let aa-logprof check for duplicate profiles - let aa-status work without the apparmor.fail python module (boo#971917, lp#1480492) - add permissions in several profiles (including boo#948584, boo#948753, boo#954959, boo#954958, boo#971790, boo#964971, boo#921098, boo#923201 and boo#921098#c15). - and many more fixes, see the full changelog at http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_1 - drop upstream(ed) patches: - fix-initscript-aa_log_end_msg.diff - syslog-ng-profile-boo948584.diff - upstream-profile-updates-r3205-3241.diff - refresh patches: - apparmor-abstractions-no-multiline.diff - apparmor-samba-include-permissions-for-shares.diff OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=147 --- apparmor-2.10.1.tar.gz | 3 + apparmor-2.10.1.tar.gz.asc | 17 + apparmor-2.10.tar.gz | 3 - apparmor-2.10.tar.gz.asc | 17 - apparmor-abstractions-no-multiline.diff | 10 +- ...-samba-include-permissions-for-shares.diff | 2 +- apparmor.changes | 29 ++ apparmor.spec | 18 +- fix-initscript-aa_log_end_msg.diff | 47 --- syslog-ng-profile-boo948584.diff | 34 -- upstream-profile-updates-r3205-3241.diff | 297 ------------------ 11 files changed, 60 insertions(+), 417 deletions(-) create mode 100644 apparmor-2.10.1.tar.gz create mode 100644 apparmor-2.10.1.tar.gz.asc delete mode 
100644 apparmor-2.10.tar.gz delete mode 100644 apparmor-2.10.tar.gz.asc delete mode 100644 fix-initscript-aa_log_end_msg.diff delete mode 100644 syslog-ng-profile-boo948584.diff delete mode 100644 upstream-profile-updates-r3205-3241.diff
diff --git a/apparmor-2.10.1.tar.gz b/apparmor-2.10.1.tar.gz
new file mode 100644
index 0000000..cdb8c22
--- /dev/null
+++ b/apparmor-2.10.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:07a76f338304baadc4ad69d025fe000b1ab4779a251ae8f338afdc13ef1e0f24
+size 4494037
diff --git a/apparmor-2.10.1.tar.gz.asc b/apparmor-2.10.1.tar.gz.asc
new file mode 100644
index 0000000..893771f
--- /dev/null
+++ b/apparmor-2.10.1.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABCgAGBQJXF0iqAAoJEGaJ5k49NmS7uXAP/Rz605sXSgJ0ZwZQq/kyP4L6
+Z7nz7Bv5dgRiVP47C1c/Fv+uJkOxJ5nJKRog6KzaLHrjcRMlyAvWRq+F3MtrwE2j
+6OlhWL3NaPrUwe8Pchgzf89ogssvioD7+qUf/Rg6e7owL8SlWRFkRcOJFAoxqiF1
+B0itE7geuj6jxADxfo0OUOGW92tH5y31FZcYCCpebUfvalN9JzwYnF9Y6qH2Af3G
+gX4Xh8tyIIZGyTtQYexPnDle6DQFONsUzmRYaFIpZRYpKHz9HoM13KZTUY4TAZJL
+VmzxbHS5FzRIOegZVrpydpYkupvQ5CndywaIGDC/7iPQ1cNxdQoxGY4qI/+dB6LZ
+0ZfRS88TqE/+OglyfLHgxtxPw369PnvB+kWsND5Nqx77q7/UOQUZJZL0A3nKVcUG
+YlJnV/SIKGSUE4TjQ+xjPMlI8EJgv42rVSRhi3H6g7+02Q1S9VHuzU8byQsx3fw0
+PzAeBVBoB0i1MduwpZp1kO7L0Yfl+1zyrue8Bd5A5183lbriaSYRqB6MYSKUgf4f
+rSdEs8azwmqD2jZsIAAuTgZxCf5LKlkKz/u52fKKG9Pa30OC2bSdHz9LLjVKj+OL
+Lh8lO1hy3nnReLdsh4TKAQsTBsYTZuHXIbqfMxc0oykuRbwBHAjGO22t4wi6vdtp
+E7Wco+q0mMZzKGjQm6H/
+=M5Cf
+-----END PGP SIGNATURE-----
diff --git a/apparmor-2.10.tar.gz b/apparmor-2.10.tar.gz
deleted file mode 100644
index 8afa48c..0000000
--- a/apparmor-2.10.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4d0e224257a29671b694bd9054edf0dd213aa690fd02844ecf3329b86ac506f4
-size 2421759
diff --git a/apparmor-2.10.tar.gz.asc b/apparmor-2.10.tar.gz.asc
deleted file mode 100644
index 9a6e322..0000000
--- a/apparmor-2.10.tar.gz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQIcBAABCgAGBQJVpZFnAAoJEGaJ5k49NmS7XD8P/jjvjD5MmrpLxbfBLeuMBc41
-z7Up38fcwVpzs7FcPHPQZKjoz0HUyWkINlHC2wg1VBBAy8uvsbGF2ndfGcH33WJG
-BvjXu1RSkkZ0ouc/611ro8V+7gIMK0qkmuFlDf0yYcu7xkUzGsCKPOe9hcuyIkhW
-xoK9WUxTDlaOzCEfjIOc9R/A5yLCKIbsbCy+lw7nCk3iZaesroMQBvHPx2+TSFtQ
-0Dl+llWp3yEFwugzXaAl8/BXdBBwvSdgNyMcXU+4Cvr+WqrrcQZdL1aN/WkkH3nN
-yeVc72kLjsYyLjRjl9bSty61W+PBcxG4uopakl7LMpHL5EGPB0uITUae7Y0BJBxq
-kyKs0ufl/qNw+FyqQIchOpaHuyfw/TjxwOFiAQQ1+jrG4cljiAzcoNzjQscs1qxK
-Z/uxCD8W+AneqQH1BV7ruYG2pTQISUIHRFm/O9JhyhSl/xBZlNgGca06VckHose+
-xRuGqYUo70VjIzNdht9x+kuFJpGpoRyL9+tgr0cl6Z2OU/H69FF8CURMwn30iELR
-J29VflgyfaBW9S41dYB7oF5/AfEKZKvVk/2Cqi6iLvdnDBIwBIi6Q7xLcI2vZPVK
-HpDNODeW9YSMNEJCpdkc8vyav/CUS7s1SOMR3T4sUoS8lq7DfsJOMcNB2RkfIzqL
-efE4Pn9Z0HNWhYL0hvZa
-=p6Nx
------END PGP SIGNATURE-----
diff --git a/apparmor-abstractions-no-multiline.diff b/apparmor-abstractions-no-multiline.diff
index b5a2c8a..831924a 100644
--- a/apparmor-abstractions-no-multiline.diff
+++ b/apparmor-abstractions-no-multiline.diff
@@ -1,16 +1,20 @@ === modified file 'profiles/apparmor.d/abstractions/X' Index: profiles/apparmor.d/abstractions/X =================================================================== ---- profiles/apparmor.d/abstractions/X.orig 2014-10-18 13:11:18.498652324 +0200 -+++ profiles/apparmor.d/abstractions/X 2014-10-18 13:11:31.097494817 +0200 -@@ -24,9 +24,7 @@ +--- profiles/apparmor.d/abstractions/X.orig 2016-04-22 22:35:12.416535187 +0200 ++++ profiles/apparmor.d/abstractions/X 2016-04-22 22:35:46.556500929 +0200 +@@ -24,12 +24,8 @@ # the unix socket to use to connect to the display /tmp/.X11-unix/* w, - unix (connect, receive, send) - type=stream - peer=(addr="@/tmp/.X11-unix/X[0-9]*"), +- unix (connect, receive, send) +- type=stream +- peer=(addr="@/tmp/.ICE-unix/[0-9]*"), + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), ++ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), /usr/include/X11/ r, /usr/include/X11/** r, diff --git a/apparmor-samba-include-permissions-for-shares.diff b/apparmor-samba-include-permissions-for-shares.diff index 5884905..ba34685 100644 --- a/apparmor-samba-include-permissions-for-shares.diff +++ b/apparmor-samba-include-permissions-for-shares.diff @@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz === modified file 'profiles/apparmor.d/usr.sbin.smbd' --- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000 +++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000 -@@ -46,6 +46,10 @@ +@@ -47,6 +47,10 @@ @{HOMEDIRS}/** lrwk, diff --git a/apparmor.changes b/apparmor.changes index 4d779bf..39f4cea 100644 --- a/apparmor.changes +++ b/apparmor.changes 
@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Fri Apr 22 20:49:24 UTC 2016 - suse-beta@cboltz.de
+
+- update to AppArmor 2.10.1 (2.10 branch r3326):
+ - fix incorrect output of child profile names (apparmor_parser -N) which
+ caused 'rcapparmor reload' to remove child profiles and hats (lp#1551950)
+ - fix a crash in aa-logprof / logparser.py for change_hat log events
+ (lp#1523297) and log events that look like file events, but aren't
+ (lp#1540562, lp#1525119, lp#1466812)
+ - write unix rules when saving a profile (lp#1522938, boo#954104#c3)
+ - several fixes for variable handling in aa-logprof
+ - map c (create) log events to w instead of a
+ - add python to the "no Px rule" list in logprof.conf
+ - let aa-logprof check for duplicate profiles
+ - let aa-status work without the apparmor.fail python module (boo#971917,
+ lp#1480492)
+ - add permissions in several profiles (including boo#948584, boo#948753,
+ boo#954959, boo#954958, boo#971790, boo#964971, boo#921098, boo#923201 and
+ boo#921098#c15).
+ - and many more fixes, see the full changelog at
+ http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_1
+- drop upstream(ed) patches:
+ - fix-initscript-aa_log_end_msg.diff
+ - syslog-ng-profile-boo948584.diff
+ - upstream-profile-updates-r3205-3241.diff
+- refresh patches:
+ - apparmor-abstractions-no-multiline.diff
+ - apparmor-samba-include-permissions-for-shares.diff
+
 -------------------------------------------------------------------
 Wed Oct 7 16:12:24 UTC 2015 - opensuse@cboltz.de
diff --git a/apparmor.spec b/apparmor.spec
index 9ab4ef1..7df2b25 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -1,8 +1,8 @@
 #
 # spec file for package apparmor
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
-# Copyright (c) 2011-2015 Christian Boltz
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2011-2016 Christian Boltz
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -60,7 +60,7 @@ Name: apparmor
 %if ! %{?distro:1}0
 %define distro suse
 %endif
-Version: 2.10
+Version: 2.10.1
 Release: 0
 Summary: AppArmor userlevel parser utility
 License: GPL-2.0+
@@ -92,15 +92,6 @@ Patch6: apparmor-abstractions-no-multiline.diff
 # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
 Patch7: apparmor-lessopen-profile.patch
-# boo#862170 - fix ugly initscript output (commited upstream trunk r3208)
-Patch8: fix-initscript-aa_log_end_msg.diff
-
-# additional syslog-ng permissions (submitted upstream 2015-10-07) (boo#948584, boo#948753)
-Patch9: syslog-ng-profile-boo948584.diff
-
-# several profile updates taken from upstream bzr trunk r3205..3241
-Patch10: upstream-profile-updates-r3205-3241.diff
-
 Url: https://launchpad.net/apparmor
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -449,9 +440,6 @@ SubDomain.
 %patch6
 %patch7 -p1
-%patch8
-%patch9
-%patch10
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
diff --git a/fix-initscript-aa_log_end_msg.diff b/fix-initscript-aa_log_end_msg.diff
deleted file mode 100644
index 3b73ebe..0000000
--- a/fix-initscript-aa_log_end_msg.diff
+++ /dev/null
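Review bot: Nothing in the visible apparmor.spec hunks verifies the newly added apparmor-2.10.1.tar.gz.asc against a trusted key — the hunks only bump `Version: 2.10.1` and drop Patch8–Patch10, so the detached signature is carried in the package but, as far as this diff shows, never checked at build time. If the package relies on OBS's source_validator together with an `apparmor.keyring` file, that file is outside this diff; confirm it exists and holds the key that produced the new signature (the issuer-key-ID run `AAoJEGaJ5k49NmS7` inside the signature packet is identical in the old and new .asc, which suggests the same signing key, but that is an observation, not a verification). A one-line comment next to the Source declarations, e.g. `# the .asc for Source0 is checked by OBS source_validator against apparmor.keyring`, would make the trust path explicit for the next updater. The Source/Source1 declarations are presumably earlier in the spec and are outside these hunks.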
@@ -1,47 +0,0 @@ -Fix aa_log_end_msg() in rc.apparmor.suse - -"rcapparmor kill" results in a funny error message: - /lib/apparmor/rc.apparmor.functions: line 441: return: -v: invalid option - return: usage: return [n] - -SLE12 includes a patch that prevents this error message, but also -prevents that $? is handed over correctly to rc_status. This means that -"rcapparmor kill" will happily display "done" even with a compiled-in -apparmor module that can't be unloaded. - -This patch is the improved version - it adds a small helper function to -set $? (as handed over to aa_log_end_msg()) and then calls rc_status -v. -This means that "rcapparmor kill" now shows "failed" because it's -impossible to unload something that is compiled directly into the -kernel. - -References: https://bugzilla.opensuse.org/show_bug.cgi?id=862170 (non-public) - - -Acked-by: Seth Arnold for 2.9 and trunk - - -Commited to trunk revision 3208. -=== modified file 'parser/rc.apparmor.suse' ---- parser/rc.apparmor.suse 2011-09-15 18:20:23 +0000 -+++ parser/rc.apparmor.suse 2015-07-22 19:23:28 +0000 -@@ -94,12 +94,13 @@ - echo -e "$rc_skipped" - } - -+_set_status() { -+ return $1 -+} -+ - aa_log_end_msg() { -- v="-v" -- if [ "$1" != '0' ]; then -- rc="-v$1" -- fi -- rc_status $v -+ _set_status $1 -+ rc_status -v - } - - usage() { - diff --git a/syslog-ng-profile-boo948584.diff b/syslog-ng-profile-boo948584.diff deleted file mode 100644 index b0554c3..0000000 --- a/syslog-ng-profile-boo948584.diff +++ /dev/null 
@@ -1,34 +0,0 @@
-=== modified file 'profiles/apparmor.d/sbin.syslog-ng'
---- profiles/apparmor.d/sbin.syslog-ng 2015-03-07 20:16:11 +0000
-+++ profiles/apparmor.d/sbin.syslog-ng 2015-10-07 10:33:01 +0000
-@@ -20,6 +20,7 @@
- #include
- #include
- #include
-+ #include
- 
- capability chown,
- capability dac_override,
-@@ -37,7 +38,10 @@
- /dev/syslog w,
- /dev/tty10 rw,
- /dev/xconsole rw,
-+ /etc/machine-id r,
- /etc/syslog-ng/* r,
-+ /etc/syslog-ng/conf.d/ r,
-+ /etc/syslog-ng/conf.d/* r,
- @{PROC}/kmsg r,
- /etc/hosts.deny r,
- /etc/hosts.allow r,
-@@ -50,6 +54,10 @@
- @{CHROOT_BASE}/var/log/** w,
- @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
- @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
-+ /var/log/journal/ r,
-+ /var/log/journal/*/ r,
-+ /var/log/journal/*/*.journal r,
-+ /{var/,}run/syslog-ng.ctl a,
- /{var/,}run/syslog-ng/additional-log-sockets.conf r,
- 
- # Site-specific additions and overrides. See local/README for details.
- 
diff --git a/upstream-profile-updates-r3205-3241.diff b/upstream-profile-updates-r3205-3241.diff
deleted file mode 100644
index 3dc95c3..0000000
--- a/upstream-profile-updates-r3205-3241.diff
+++ /dev/null
@@ -1,297 +0,0 @@ -AppArmor bzr trunk -bzr diff -r3205..3241 profiles/ -(+ abstractions/X change modified to single line syntax) - ------------------------------------------------------------- -revno: 3238 -committer: Christian Boltz -branch nick: apparmor -timestamp: Fri 2015-09-18 19:06:47 +0200 -message: - dnsmasq profile - also allow /bin/sh - - This patch is based on a SLE12 patch to allow executing the - --dhcp-script. We already have most parts of that patch since r2841, - however the SLE bugreport indicates that /bin/sh is executed (which is - usually a symlink to /bin/bash or /bin/dash), so we should also allow - /bin/sh - - References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public) - - - Acked-by: Seth Arnold for trunk and 2.9 ------------------------------------------------------------- -revno: 3237 -committer: Christian Boltz -branch nick: apparmor -timestamp: Tue 2015-09-15 14:24:57 +0200 -message: - Allow ntpd to read directory listings of $PATH - - For some reasons, it needs to do that to find readable, writeable and - executable files. - - See also https://bugzilla.opensuse.org/show_bug.cgi?id=945592 - - - Acked-by: Seth Arnold ------------------------------------------------------------- -revno: 3236 -committer: Christian Boltz -branch nick: apparmor -timestamp: Wed 2015-09-09 00:00:23 +0200 -message: - Update the /sbin/dhclient profile - - Add some permissions that I need on my system: - - execute nm-dhcp-helper - - read and write /var/lib/dhcp6/dhclient.leases - - read /var/lib/NetworkManager/dhclient-*.conf - - read and write /var/lib/NetworkManager/dhclient-*.conf - - - Looks-good-by: Steve Beattie - Acked-by: for trunk and 2.9 ------------------------------------------------------------- -revno: 3234 -committer: Christian Boltz -branch nick: apparmor -timestamp: Thu 2015-09-03 18:27:00 +0200 -message: - Dovecot imap needs to read /run/dovecot/mounts - - Acked-by: Steve Beattie for trunk and 2.9. 
------------------------------------------------------------- -revno: 3225 -committer: Christian Boltz -branch nick: apparmor -timestamp: Sun 2015-08-23 15:20:20 +0200 -message: - add /usr/share/locale-bundle/ to abstractions/base - - /usr/share/locale-bundle/ contains translations packaged in - bundle-lang-* packages in openSUSE. - - - Acked-by: Steve Beattie for trunk and 2.9 ------------------------------------------------------------- -revno: 3213 -committer: Christian Boltz -branch nick: apparmor -timestamp: Thu 2015-07-30 22:03:02 +0200 -message: - winbindd profile: allow k for /etc/samba/smbd.tmp/msg/* - - References: https://bugzilla.opensuse.org/show_bug.cgi?id=921098 starting at comment 15 - - - Acked-by: Steve Beattie for trunk and 2.9 ------------------------------------------------------------- -revno: 3212 -committer: Christian Boltz -branch nick: apparmor -timestamp: Tue 2015-07-28 01:15:31 +0200 -message: - skype profile: allow reading @{PROC}/@{pid}/net/dev - - References: https://bugzilla.opensuse.org/show_bug.cgi?id=939568 - - - Acked-by: Seth Arnold for trunk and 2.9 ------------------------------------------------------------- -revno: 3211 -committer: Jamie Strandboge -branch nick: apparmor -timestamp: Fri 2015-07-24 15:03:30 -0500 -message: - profiles/apparmor.d/usr.sbin.avahi-daemon: allow write access to - /run/systemd/notify which is needed on systems with systemd - - Signed-off-by: Jamie Strandboge - Acked-by: Seth Arnold ------------------------------------------------------------- -revno: 3210 -committer: Jamie Strandboge -branch nick: apparmor -timestamp: Fri 2015-07-24 15:01:46 -0500 -message: - profiles/apparmor.d/abstractions/X: also allow unix connections to - @/tmp/.ICE-unix/[0-9]*, needed by (at least) firefox and thunderbird - - 
Signed-off-by: Jamie Strandboge - Acked-by: Seth Arnold ------------------------------------------------------------- -revno: 3209 -committer: Jamie Strandboge -branch nick: apparmor -timestamp: Fri 2015-07-24 13:56:27 -0500 -message: - profiles/apparmor.d/usr.sbin.dnsmasq: allow /bin/dash in addition to /bin/bash - - 
Signed-off-by: Jamie Strandboge - Acked-by: Christian Boltz ------------------------------------------------------------- -revno: 3207 [merge] -committer: Jamie Strandboge -branch nick: apparmor -timestamp: Mon 2015-07-20 10:16:18 -0500 -message: - [ intrigeri ] - dconf abstraction: allow reading /etc/dconf/**. - That's needed e.g. for Totem on current Debian Jessie. - - Acked-By: Jamie Strandboge ------------------------------------------------------------- -Use --include-merged or -n0 to see merged revisions. - - - - -=== modified file 'profiles/apparmor.d/abstractions/X' ---- profiles/apparmor.d/abstractions/X 2015-03-25 21:58:31 +0000 -+++ profiles/apparmor.d/abstractions/X 2015-07-24 20:01:46 +0000 -@@ -27,4 +27,5 @@ - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), -+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), - - /usr/include/X11/ r, - /usr/include/X11/** r, - -=== modified file 'profiles/apparmor.d/abstractions/base' ---- profiles/apparmor.d/abstractions/base 2015-01-21 19:30:46 +0000 -+++ profiles/apparmor.d/abstractions/base 2015-08-23 13:20:20 +0000 -@@ -26,6 +26,7 @@ - /etc/locale/** r, - /etc/locale.alias r, - /etc/localtime r, -+ /usr/share/locale-bundle/** r, - /usr/share/locale-langpack/** r, - /usr/share/locale/** r, - /usr/share/**/locale/** r, - -=== modified file 'profiles/apparmor.d/abstractions/dconf' ---- profiles/apparmor.d/abstractions/dconf 2013-10-09 13:18:09 +0000 -+++ profiles/apparmor.d/abstractions/dconf 2015-07-19 13:42:54 +0000 -@@ -3,5 +3,6 @@ - # permissions for querying dconf settings; granting write access should - # be specified in a specific application's profile. 
- -+ /etc/dconf/** r, - owner /{,var/}run/user/*/dconf/user r, - owner @{HOME}/.config/dconf/user r, - -=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap' ---- profiles/apparmor.d/usr.lib.dovecot.imap 2014-12-22 16:41:59 +0000 -+++ profiles/apparmor.d/usr.lib.dovecot.imap 2015-09-03 16:27:00 +0000 -@@ -27,6 +27,7 @@ - @{HOME} r, # ??? - /usr/lib/dovecot/imap mr, - /{,var/}run/dovecot/auth-master rw, -+ /{,var/}run/dovecot/mounts r, - - # Site-specific additions and overrides. See local/README for details. - #include - -=== modified file 'profiles/apparmor.d/usr.sbin.avahi-daemon' ---- profiles/apparmor.d/usr.sbin.avahi-daemon 2014-09-03 19:16:32 +0000 -+++ profiles/apparmor.d/usr.sbin.avahi-daemon 2015-07-24 20:03:30 +0000 -@@ -26,6 +26,7 @@ - /{,var/}run/avahi-daemon/ w, - /{,var/}run/avahi-daemon/pid krw, - /{,var/}run/avahi-daemon/socket w, -+ /{,var/}run/systemd/notify w, - - # Site-specific additions and overrides. See local/README for details. - #include - -=== modified file 'profiles/apparmor.d/usr.sbin.dnsmasq' ---- profiles/apparmor.d/usr.sbin.dnsmasq 2015-03-30 03:49:09 +0000 -+++ profiles/apparmor.d/usr.sbin.dnsmasq 2015-09-18 17:06:47 +0000 -@@ -45,7 +45,7 @@ - - /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage - -- /bin/bash ix, # Required to execute --dhcp-script argument -+ /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument - - # access to iface mtu needed for Router Advertisement messages in IPv6 - # Neighbor Discovery protocol (RFC 2461) - -=== modified file 'profiles/apparmor.d/usr.sbin.ntpd' ---- profiles/apparmor.d/usr.sbin.ntpd 2015-05-18 23:20:49 +0000 -+++ profiles/apparmor.d/usr.sbin.ntpd 2015-09-15 12:24:57 +0000 -@@ -37,6 +37,7 @@ - /etc/ntpd.conf.tmp r, - - /tmp/ntp* rwl, -+ /{usr/,usr/local/,}{s,}bin/ r, - /usr/sbin/ntpd rmix, - /var/lib/ntp/drift rwl, - /var/lib/ntp/drift.TEMP rwl, - -=== modified file 'profiles/apparmor.d/usr.sbin.winbindd' ---- profiles/apparmor.d/usr.sbin.winbindd 
2015-05-18 23:25:26 +0000 -+++ profiles/apparmor.d/usr.sbin.winbindd 2015-07-30 20:03:02 +0000 -@@ -15,7 +15,7 @@ - /etc/samba/secrets.tdb rwk, - /etc/samba/smbd.tmp/ rw, - /etc/samba/smbd.tmp/msg/ rw, -- /etc/samba/smbd.tmp/msg/* rw, -+ /etc/samba/smbd.tmp/msg/* rwk, - @{PROC}/sys/kernel/core_pattern r, - /tmp/.winbindd/ w, - /tmp/krb5cc_* rwk, - -=== modified file 'profiles/apparmor/profiles/extras/sbin.dhclient' ---- profiles/apparmor/profiles/extras/sbin.dhclient 2013-01-02 23:34:38 +0000 -+++ profiles/apparmor/profiles/extras/sbin.dhclient 2015-09-08 22:00:23 +0000 -@@ -1,6 +1,7 @@ - # ------------------------------------------------------------------ - # - # Copyright (C) 2002-2005 Novell/SUSE -+# Copyright (C) 2015 Christian Boltz - # - # This program is free software; you can redistribute it and/or - # modify it under the terms of version 2 of the GNU General Public -@@ -25,6 +26,8 @@ - #include - #include - -+ capability net_raw, -+ - network packet packet, - network packet raw, - -@@ -47,13 +50,17 @@ - /usr/bin/uptime mrix, - /usr/bin/vmstat mrix, - /usr/bin/w mrix, -+ /usr/lib/nm-dhcp-helper rix, - /var/lib/dhcp/dhclient.leases rw, - /var/lib/dhcp/dhclient-*.leases rw, -+ /var/lib/dhcp6/dhclient.leases rw, -+ /var/lib/NetworkManager/dhclient-*.conf r, -+ /var/lib/NetworkManager/dhclient-*.lease rw, - /var/log/lastlog r, - /var/log/messages r, - /var/log/wtmp r, -- /{,var/}run/dhclient.pid rw, -- /{,var/}run/dhclient-*.pid rw, -+ /{,var/}run/dhclient.pid rw, -+ /{,var/}run/dhclient-*.pid rw, - /var/spool r, - /var/spool/mail r, - - -=== modified file 'profiles/apparmor/profiles/extras/usr.bin.skype' ---- profiles/apparmor/profiles/extras/usr.bin.skype 2013-01-02 23:34:38 +0000 -+++ profiles/apparmor/profiles/extras/usr.bin.skype 2015-07-27 23:15:31 +0000 -@@ -20,6 +20,7 @@ - - @{PROC}/sys/kernel/{ostype,osrelease} r, - @{PROC}/@{pid}/net/arp r, -+ @{PROC}/@{pid}/net/dev r, - owner @{PROC}/@{pid}/auxv r, - owner @{PROC}/@{pid}/cmdline r, - owner 
@{PROC}/@{pid}/fd/ r, -