diff --git a/apparmor-2.5.1-ntpd-sys_nice b/apparmor-2.5.1-ntpd-sys_nice
deleted file mode 100644
index e953a21..0000000
--- a/apparmor-2.5.1-ntpd-sys_nice
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Jeff Mahoney
-Subject: profile: ntpd -N needs sys_nice
-References: bnc#657054
-
- ntpd -N allows the administrator to increase or decrease priority of the
- ntp server. Since the profile doesn't allow it, the operation is denied.
-
- This patch adds support for that operation.
-
-Signed-off-by: Jeff Mahoney
----
- profiles/apparmor.d/usr.sbin.ntpd | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/profiles/apparmor.d/usr.sbin.ntpd
-+++ b/profiles/apparmor.d/usr.sbin.ntpd
-@@ -24,6 +24,7 @@
- capability sys_chroot,
- capability sys_resource,
- capability sys_time,
-+ capability sys_nice,
-
- network inet dgram,
- network inet stream,
diff --git a/apparmor-2.5.1-ssl-fix b/apparmor-2.5.1-ssl-fix
deleted file mode 100644
index 292dda2..0000000
--- a/apparmor-2.5.1-ssl-fix
+++ /dev/null
@@ -1,135 +0,0 @@ -From: Jeff Mahoney -Subject: profiles: Add openssl abstraction -References: bnc#623886 - - Profiles that use openssl have been adding the openssl files piecemeal. - - This patch creates a new openssl abstraction that can be inherited by - all profiles that use it. - - -Signed-off-by: Jeff Mahoney ---- - profiles/apparmor.d/abstractions/openssl | 4 ++++ - profiles/apparmor.d/abstractions/ssl_certs | 4 ++++ - profiles/apparmor/profiles/extras/usr.lib.postfix.smtp | 2 +- - profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd | 2 +- - profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork | 2 +- - profiles/apparmor/profiles/extras/usr.sbin.imapd | 2 +- - profiles/apparmor/profiles/extras/usr.sbin.ipop2d | 2 +- - profiles/apparmor/profiles/extras/usr.sbin.ipop3d | 2 +- - 8 files changed, 14 insertions(+), 6 deletions(-) - ---- /dev/null -+++ b/profiles/apparmor.d/abstractions/openssl -@@ -0,0 +1,4 @@ -+ -+ /etc/ssl/openssl.cnf r, -+ /usr/share/ssl/openssl.cnf r, -+ ---- a/profiles/apparmor.d/abstractions/ssl_certs -+++ b/profiles/apparmor.d/abstractions/ssl_certs -@@ -14,3 +14,7 @@ - /etc/ssl/certs/* r, - /usr/share/ca-certificates/ r, - /usr/share/ca-certificates/** r, -+ /usr/share/ssl/certs/ca-bundle.crt r, -+ -+ /usr/share/ca-certificates/mozilla/ r, -+ /usr/share/ca-certificates/mozilla/* r, ---- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp -+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp -@@ -15,6 +15,7 @@ - #include - #include - #include -+ #include - - capability dac_override, - capability dac_read_search, -@@ -38,7 +39,6 @@ - /etc/postfix/{ssl/,}*.pem r, - /etc/postfix/prng_exch rw, - /usr/share/ssl/certs/ca-bundle.crt r, -- /usr/share/ssl/openssl.cnf r, - /etc/postfix/virtual.db r, - /etc/postfix/sasl_passwd.db r, - /etc/mtab r, ---- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd -+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd -@@ -15,6 +15,7 @@ - #include - #include - #include -+ 
#include - - capability dac_override, - capability dac_read_search, -@@ -43,7 +44,6 @@ - /usr/lib/sasl2/* mr, - - /usr/share/ssl/certs/ca-bundle.crt r, -- /usr/share/ssl/openssl.cnf r, - - /{var/spool/postfix/,}pid/inet.* rw, - /{var/spool/postfix/,}private/anvil w, ---- a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork -+++ b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork -@@ -17,6 +17,7 @@ - #include - #include - #include -+ #include - - capability kill, - capability net_bind_service, -@@ -83,7 +84,6 @@ - /usr/share/snmp/mibs r, - /usr/share/snmp/mibs/*.{txt,mib} r, - /usr/share/snmp/mibs/.index wr, -- /usr/share/ssl/openssl.cnf r, - /var/lock/httpd2.lock.* wl, - /var/log/apache2/* rwl, - /var/log/httpd/ssl_scache.dir r, ---- a/profiles/apparmor/profiles/extras/usr.sbin.imapd -+++ b/profiles/apparmor/profiles/extras/usr.sbin.imapd -@@ -15,10 +15,10 @@ - #include - #include - #include -+ #include - - /dev/urandom r, - /tmp/* rwl, - /usr/sbin/imapd r, - /usr/share/ssl/certs/imapd.pem r, -- /usr/share/ssl/openssl.cnf r, - } ---- a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d -+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d -@@ -15,10 +15,10 @@ - #include - #include - #include -+ #include - - /dev/urandom r , - /tmp/.* rwl , - /usr/sbin/ipop2d rmix, - /usr/share/ssl/certs/ipop2d.pem r , -- /usr/share/ssl/openssl.cnf r , - } ---- a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d -+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d -@@ -15,10 +15,10 @@ - #include - #include - #include -+ #include - - /dev/urandom r , - /tmp/.* rwl , - /usr/sbin/ipop3d rmix, - /usr/share/ssl/certs/ipop3d.pem r , -- /usr/share/ssl/openssl.cnf r , - } diff --git a/apparmor-2.6.0-dhcpd b/apparmor-2.6.0-dhcpd deleted file mode 100644 index 544283d..0000000 --- a/apparmor-2.6.0-dhcpd +++ /dev/null 
@@ -1,34 +0,0 @@
-From: Jeff Mahoney
-Subject: dhcpd: Fix apparmor profile
-References: bnc#692428
-
- This patch adds the network rules needed, corrects the path to dhcpd.leases,
- and adds the path for TSIG DNS keys.
-
-Reported-by: Andrew Beames
-Signed-off-by: Jeff Mahoney
----
- profiles/apparmor/profiles/extras/usr.sbin.dhcpd | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
-+++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
-@@ -21,12 +21,17 @@
- capability setuid,
- capability sys_chroot,
-
-+ network inet raw,
-+ network packet raw,
-+
- /db/dhcpd.leases* lrw,
- /etc/dhcpd.conf r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
- /usr/sbin/dhcpd rmix,
-- /var/lib/dhcp/dhcpd.leases* rwl,
-+ /var/lib/dhcp/db/dhcpd.leases* rwl,
- /var/lib/dhcp/etc/dhcpd.conf r,
- /var/run/dhcpd.pid wl,
-+ /etc/named.d/* r,
-+ @{PROC}/net/dev r,
- }
diff --git a/apparmor-2.6.1.tar.bz2 b/apparmor-2.6.1.tar.bz2
deleted file mode 100644
index 6eeb562..0000000
--- a/apparmor-2.6.1.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d8b6d41181354a603bd0e1a79cb0a971339fd3366b12b18da3b648fe259ef915
-size 1242129
diff --git a/apparmor-2.7.beta1.tar.gz b/apparmor-2.7.beta1.tar.gz
new file mode 100644
index 0000000..d0f5ba9
--- /dev/null
+++ b/apparmor-2.7.beta1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3c2b2db7edae97dd4f5c24071a4ac8f006d2ade745161754efa4c2e58639c8d5
+size 1410143
diff --git a/apparmor-compat-routines b/apparmor-compat-routines
deleted file mode 100644
index 24a2578..0000000
--- a/apparmor-compat-routines
+++ /dev/null
@@ -1,23 +0,0 @@
-From: Jeff Mahoney
-Subject: apparmor-utils: Add check_for_apparmor helper.
-
- This should be an alias but those get complicated quickly in perl.
-
-Signed-off-by: Jeff Mahoney
----
- utils/Immunix/AppArmor.pm | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/utils/Immunix/AppArmor.pm
-+++ b/utils/Immunix/AppArmor.pm
-@@ -463,6 +463,10 @@ sub check_for_subdomain () {
- return $sd_mountpoint;
- }
-
-+sub check_for_apparmor () {
-+ return check_for_subdomain();
-+}
-+
- sub which ($) {
- my $file = shift;
-
diff --git a/apparmor-profiles-cupsd-fix b/apparmor-profiles-cupsd-fix
deleted file mode 100644
index 4ae9c06..0000000
--- a/apparmor-profiles-cupsd-fix
+++ /dev/null
@@ -1,59 +0,0 @@
----
- profiles/apparmor/profiles/extras/usr.sbin.cupsd | 25 ++++++++++++++++++-----
- 1 file changed, 20 insertions(+), 5 deletions(-)
-
---- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
-+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
-@@ -16,20 +16,31 @@
- capability setuid,
-
- /bin/bash ixr,
-+ /bin/cat ix,
-+
-+ /usr/bin/foomatic-rip ixr,
-+ /etc/foomatic/** r,
-+
-+ /usr/bin/gs ix,
-+ /usr/lib/ghostscript/** m,
-+ /usr/lib64/ghostscript/** m,
-+ /usr/share/ghostscript/** r,
-+ /etc/ghostscript/** r,
-+
- /dev/lp0 rw,
- /dev/tty rw,
- /dev/ttyS? w,
- /etc/cups rw,
- /etc/cups/ r,
-- /etc/cups/* r,
-+ /etc/cups/** r,
- /etc/cups/certs w,
- /etc/cups/certs/* w,
-- /etc/cups/classes.conf rw,
-- /etc/cups/cupsd.conf rw,
-+ /etc/cups/*.conf* rw,
- /etc/cups/ppd rw,
-+ /etc/printcap rw,
- /etc/cups/printcap rw,
-- /etc/cups/printers.conf rw,
- /etc/cups/ssl rw,
-+ /etc/cups/yes/* rw,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
- /proc/meminfo r,
-@@ -39,11 +50,15 @@
- /usr/bin/smbspool ixr,
- /usr/lib/cups/backend/* ixr,
- /usr/lib/cups/filter/* ixr,
-- /usr/sbin/cupsd mr,
-+ /usr/sbin/cupsd mixr,
- /usr/share/cups/** r,
- /var/log/cups/access_log rw,
- /var/log/cups/error_log rw,
- /var/spool/cups rw,
-+ /var/spool/cups/** rw,
- /var/spool/cups/tmp w,
- /var/spool/cups/tmp/ r,
-+ /var/run/cups/** rw,
-+ /var/cache/cups/ rw,
-+ /var/cache/cups/** rw,
- }
diff --git a/apparmor-profiles-dhclient b/apparmor-profiles-dhclient
deleted file mode 100644
index 66eba9b..0000000
--- a/apparmor-profiles-dhclient
+++ /dev/null
@@ -1,121 +0,0 @@ -From: Jeff Mahoney -Subject: profiles: update dhclient -References: bnc#561152 - -Signed-off-by: Jeff Mahoney ---- - - profiles/apparmor/profiles/extras/sbin.dhclient | 61 +++++++++++------ - profiles/apparmor/profiles/extras/sbin.dhclient-script | 21 +++++ - 2 files changed, 61 insertions(+), 21 deletions(-) - ---- a/profiles/apparmor/profiles/extras/sbin.dhclient -+++ b/profiles/apparmor/profiles/extras/sbin.dhclient -@@ -11,12 +11,12 @@ - # raw sockets, and thus cannot be confined with NetDomain - # - # Should these programs have their own domains? --# /bin/ps mixr, --# /sbin/arp rmix, --# /usr/bin/dig rmix, --# /usr/bin/uptime rmix, --# /usr/bin/vmstat rmix, --# /usr/bin/w rmix, -+# /bin/ps mrix, -+# /sbin/arp mrix, -+# /usr/bin/dig mrix, -+# /usr/bin/uptime mrix, -+# /usr/bin/vmstat mrix, -+# /usr/bin/w mrix, - - #include - -@@ -24,25 +24,30 @@ - #include - #include - #include -- /sbin/dhclient rmix, -- /sbin/dhclient-script rmix, -- /bin/bash rmix, -- /bin/df rmix, -+ -+ network packet packet, -+ network packet raw, -+ -+ /sbin/dhclient mrix, -+ -+ /sbin/dhclient-script mrix, -+ /bin/bash mrix, -+ /bin/df mrix, - /bin/netstat Px, -- /bin/ps mixr, -+ /bin/ps mrix, - /dev/random r, - /etc/dhclient.conf r, -- @{PROC}/ r, -- @{PROC}/interrupts r, -- @{PROC}/net/dev r, -- @{PROC}/rtc r, -+ @{PROC}/ r, -+ @{PROC}/interrupts r, -+ @{PROC}/*/net/dev r, -+ @{PROC}/rtc r, - # following rule shouldn't work, self is a symlink -- @{PROC}/self/status r, -- /sbin/arp rmix, -- /usr/bin/dig rmix, -- /usr/bin/uptime rmix, -- /usr/bin/vmstat rmix, -- /usr/bin/w rmix, -+ @{PROC}/self/status r, -+ /sbin/arp mrix, -+ /usr/bin/dig mrix, -+ /usr/bin/uptime mrix, -+ /usr/bin/vmstat mrix, -+ /usr/bin/w mrix, - /var/lib/dhcp/dhclient.leases rw, - /var/lib/dhcp/dhclient-*.leases rw, - /var/log/lastlog r, -@@ -52,4 +57,18 @@ - /var/run/dhclient-*.pid rw, - /var/spool r, - /var/spool/mail r, -+ -+ # This one will need to be fleshed out depending on what the user is 
doing -+ /sbin/dhclient-script mrpx, -+ -+ /bin/grep mrix, -+ /bin/sleep mrix, -+ /etc/sysconfig/network/dhcp r, -+ /etc/sysconfig/network/scripts/functions.common r, -+ /etc/sysconfig/network/scripts/functions r, -+ /sbin/ip mrix, -+ /usr/lib/NetworkManager/nm-dhcp-client.action mrix, -+ /var/lib/dhcp/* rw, -+ /var/run/nm-dhclient-*.conf r, -+ - } ---- /dev/null -+++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script -@@ -0,0 +1,21 @@ -+# Last Modified: Tue Jan 25 16:48:30 2011 -+#include -+ -+# dhclient-script will call plugins from /etc/netconfig.d, so this -+# will need to be extended on a per-site basis. -+ -+/sbin/dhclient-script { -+ #include -+ #include -+ #include -+ -+ /bin/bash rix, -+ /bin/grep rix, -+ /bin/sleep rix, -+ /bin/touch rix, -+ /dev/.sysconfig/network/** r, -+ /etc/netconfig.d/* mrix, -+ /etc/sysconfig/network/** r, -+ /sbin/dhclient-script r, -+ /sbin/ip rix, -+} diff --git a/apparmor-profiles-sshd-fix b/apparmor-profiles-sshd-fix deleted file mode 100644 index e1b3dfd..0000000 --- a/apparmor-profiles-sshd-fix +++ /dev/null 
@@ -1,38 +0,0 @@
-From: Jeff Mahoney
-Subject: Fix for sshd profile
-References: bnc#457072
-
- Without this patch, sshd won't work in enforce mode.
-
- libselinux accesses /proc/filesystems to determine if it's enabled
- bash won't execute
- audit_control is probably from libselinux too
----
- profiles/apparmor/profiles/extras/usr.sbin.sshd | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
-+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
-@@ -29,6 +29,8 @@
- capability kill,
- capability setgid,
- capability setuid,
-+ capability audit_control,
-+ capability sys_ptrace,
-
- /dev/ptmx rw,
- /dev/urandom r,
-@@ -43,11 +45,12 @@
-
- @{PROC}/[0-9]*/fd/ r,
- @{PROC}/[0-9]*/loginuid w,
-+ @{PROC}/filesystems r,
-
- # should only be here for use in non-change-hat openssh
- # duplicated from EXEC hat
- /bin/ash Ux,
-- /bin/bash Ux,
-+ /bin/bash rUx,
- /bin/bash2 Ux,
- /bin/bsh Ux,
- /bin/csh Ux,
diff --git a/apparmor-profiles-syslog-ng-fix b/apparmor-profiles-syslog-ng-fix
deleted file mode 100644
index 3f4633e..0000000
--- a/apparmor-profiles-syslog-ng-fix
+++ /dev/null
@@ -1,37 +0,0 @@
----
- profiles/apparmor.d/sbin.syslog-ng | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/profiles/apparmor.d/sbin.syslog-ng
-+++ b/profiles/apparmor.d/sbin.syslog-ng
-@@ -19,12 +19,14 @@
- #include
- #include
- #include
-+ #include
-
- capability chown,
- capability dac_override,
- capability fsetid,
- capability fowner,
- capability sys_tty_config,
-+ capability sys_resource,
-
- /dev/log w,
- /dev/syslog w,
-@@ -35,11 +37,14 @@
- /etc/hosts.deny r,
- /etc/hosts.allow r,
- /sbin/syslog-ng mr,
-+ /usr/share/syslog-ng/** r,
- # chrooted applications
- @{CHROOT_BASE}/var/lib/*/dev/log w,
-- @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist rw,
-+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
- @{CHROOT_BASE}/var/log/** w,
- @{CHROOT_BASE}/var/run/syslog-ng.pid krw,
-+ @{CHROOT_BASE}/var/run/syslog-ng.ctl rw,
-+ /var/run/syslog-ng/additional-log-sockets.conf r,
-
- # Site-specific additions and overrides. See local/README for details.
- #include
diff --git a/apparmor-profiles-usr.sbin.dnsmasq b/apparmor-profiles-usr.sbin.dnsmasq
deleted file mode 100644
index bfe39bf..0000000
--- a/apparmor-profiles-usr.sbin.dnsmasq
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Jeff Mahoney
-Subject: dnsmasq: Profile fixes
-References: bnc#666090 bnc#678749
-
-Signed-off-by: Jeff Mahoney
----
- profiles/apparmor.d/usr.sbin.dnsmasq | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -25,10 +25,12 @@
- /etc/dnsmasq.conf r,
- /etc/dnsmasq.d/ r,
- /etc/dnsmasq.d/* r,
-+ /etc/ethers r,
-
- /usr/sbin/dnsmasq mr,
-
- /var/run/*dnsmasq*.pid w,
-+ /var/run/dnsmasq-forwarders r,
- /var/run/dnsmasq/ r,
- /var/run/dnsmasq/* rw,
-
-@@ -37,6 +39,8 @@
- # libvirt pid files for dnsmasq
- /var/run/libvirt/network/ r,
- /var/run/libvirt/network/*.pid rw,
-+ /var/lib/libvirt/dnsmasq/ r,
-+ /var/lib/libvirt/dnsmasq/*.hostsfile r,
-
- # Site-specific additions and overrides. See local/README for details.
- #include
diff --git a/apparmor-scripts b/apparmor-scripts
deleted file mode 100644
index 24804d3..0000000
--- a/apparmor-scripts
+++ /dev/null
@@ -1,91 +0,0 @@
----
-
- parser/rc.aaeventd.suse | 2 +-
- parser/rc.apparmor.functions | 9 ++++-----
- parser/rc.apparmor.suse | 23 ++++++++++++++++++++++-
- 3 files changed, 27 insertions(+), 7 deletions(-)
-
---- a/parser/rc.aaeventd.suse
-+++ b/parser/rc.aaeventd.suse
-@@ -27,7 +27,7 @@
- ### BEGIN INIT INFO
- # Provides: aaeventd
- # Required-Start: apparmor
--# Required-Stop:
-+# Required-Stop: $null
- # Default-Start: 2 3 5
- # Default-Stop:
- # Short-Description: AppArmor Notification and Reporting
---- a/parser/rc.apparmor.functions
-+++ b/parser/rc.apparmor.functions
-@@ -108,9 +108,7 @@ is_apparmor_present() {
- # check for subdomainfs version of module
- grep -qE "^($modules)[[:space:]]" /proc/modules
-
-- if [ $? -ne 0 ] ; then
-- ls /sys/module/apparmor 2>/dev/null | grep -qE "^($modules)"
-- fi
-+ [ $? -ne 0 -a -d /sys/module/apparmor ]
-
- return $?
- }
-@@ -377,10 +375,11 @@ apparmor_start() {
- configure_owlsm
-
- # if there is anything in the profiles file don't load
-- cat "$SFS_MOUNTPOINT/profiles" | if ! read line ; then
-+ if ! read line < "$SFS_MOUNTPOINT/profiles"; then
- parse_profiles load
- else
-- aa_log_skipped_msg "AppArmor already loaded with profiles."
-+ aa_log_skipped_msg ": already loaded with profiles."
-+ return 0
- fi
- aa_log_end_msg 0
- return 0
---- a/parser/rc.apparmor.suse
-+++ b/parser/rc.apparmor.suse
-@@ -31,6 +31,7 @@
- # Required-Start: boot.cleanup
- # Required-Stop: $null
- # Should-Start: $local_fs
-+# Should-Stop: $null
- # Default-Start: B
- # Default-Stop:
- # Short-Description: AppArmor initialization
-@@ -73,7 +74,19 @@ aa_log_warning_msg() {
- }
-
- aa_log_failure_msg() {
-- log_failure_msg $*
-+ log_failure_msg '\n'$*
-+}
-+
-+aa_log_action_begin() {
-+ echo -n
-+}
-+
-+aa_log_action_end() {
-+ echo -n
-+}
-+
-+aa_log_daemon_msg() {
-+ echo -en "$@ "
- }
-
- aa_log_skipped_msg() {
-@@ -81,6 +94,14 @@ aa_log_skipped_msg() {
- echo -e "$rc_skipped"
- }
-
-+aa_log_end_msg() {
-+ v="-v"
-+ if [ "$1" != '0' ]; then
-+ rc="-v$1"
-+ fi
-+ rc_status $v
-+}
-+
- usage() {
- echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
- }
diff --git a/apparmor-securityfs-systemd.patch b/apparmor-securityfs-systemd.patch
deleted file mode 100644
index 3bce4a1..0000000
--- a/apparmor-securityfs-systemd.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From: Federic Crozat
-Subkect: apparmor: Let systemd automount securityfs
-References: bnc#704460
-
- Do not mount securityfs when running under systemd, just access
- the directory, systemd will automount it
-
----
- parser/rc.apparmor.functions | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/parser/rc.apparmor.functions
-+++ b/parser/rc.apparmor.functions
-@@ -295,7 +295,7 @@ is_apparmor_loaded() {
- }
-
- is_securityfs_mounted() {
-- grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
-+ test -d ${SECURITYFS} -a -d /sys/fs/cgroup/systemd || grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
- return $?
- }
-
diff --git a/apparmor-startproc.patch b/apparmor-startproc.patch
deleted file mode 100644
index 2295f5c..0000000
--- a/apparmor-startproc.patch
+++ /dev/null
@@ -1,18 +0,0 @@
----
- parser/rc.aaeventd.suse | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/parser/rc.aaeventd.suse
-+++ b/parser/rc.aaeventd.suse
-@@ -78,9 +78,9 @@ usage() {
-
- start_aa_event() {
- if [ -x "$AA_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
-- sd_action "Starting AppArmor Event daemon" startproc -f -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
-+ sd_action "Starting AppArmor Event daemon" startproc -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
- elif [ -x "$SD_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
-- sd_action "Starting AppArmor Event daemon" startproc -f -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
-+ sd_action "Starting AppArmor Event daemon" startproc -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
- fi
- }
-
diff --git a/apparmor-utils-add-log-types b/apparmor-utils-add-log-types
deleted file mode 100644
index f7e0c8a..0000000
--- a/apparmor-utils-add-log-types
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Jeff Mahoney
-Subject: apparmor-utils: Add support for creds and path operations
-References: bnc#564316
-
- 2.6.29 introduced the path security_operations and credentials
-
- This patch adds support for those operations to the log parser.
-
-Signed-off-by: Jeff Mahoney
----
- utils/Immunix/AppArmor.pm | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/utils/Immunix/AppArmor.pm
-+++ b/utils/Immunix/AppArmor.pm
-@@ -2848,7 +2848,9 @@ sub add_event_to_tree ($) {
- ""
- );
- }
-- } elsif ($e->{operation} =~ m/file_/) {
-+ } elsif ($e->{operation} =~ m/file_/ or
-+ # These are the path operations introduced in 2.6.29
-+ $e->{operation} =~ m/^(open|unlink|mkdir|rmdir|mknod|truncate|symlink_create|link|rename_src|rename_dest)$/) {
- add_to_tree( $e->{pid},
- $e->{parent},
- "path",
diff --git a/apparmor-utils-filenames-in-slash b/apparmor-utils-filenames-in-slash
deleted file mode 100644
index a6c74c1..0000000
--- a/apparmor-utils-filenames-in-slash
+++ /dev/null
@@ -1,36 +0,0 @@ -From: Jeff Mahoney -Subject: apparmor-utils: Fix handling of files in / -References: bnc#397883 - - The separate handling of files and directories with realpath is broken. - - For files e.g. /foo, $dir ends up being empty since the / is eaten by - the regex. realpath resolves an empty argument as the current directory, - resulting in an incorrect path. - - There's no explanation of why the separate handling was used in the - first place. - -Signed-off-by: Jeff Mahoney ---- - utils/Immunix/AppArmor.pm | 9 +-------- - 1 file changed, 1 insertion(+), 8 deletions(-) - ---- a/utils/Immunix/AppArmor.pm -+++ b/utils/Immunix/AppArmor.pm -@@ -553,14 +553,7 @@ sub get_full_path ($) { - } - } - -- if (-f $path) { -- my ($dir, $file) = $path =~ m/^(.*)\/(.+)$/; -- $path = realpath($dir) . "/$file"; -- } else { -- $path = realpath($path); -- } -- -- return $path; -+ return realpath($path); - } - - sub findexecutable ($) { diff --git a/apparmor-utils-subdomain-compat b/apparmor-utils-subdomain-compat index 174b5fb..285798d 100644 --- a/apparmor-utils-subdomain-compat +++ b/apparmor-utils-subdomain-compat @@ -5,6 +5,13 @@ Subject: apparmor-utils: Add Immunix::SubDomain alias code. Acked-by: Jeff Mahoney + +Also patch utils/Makefile to actually install SubDomain.pm + +The SubDomain compat module is only needed by openSUSE, therefore this patch +will not be upstreamed. + +Signed-off-by: Christian Boltz --- utils/Immunix/SubDomain.pm | 5 +++++ 
@@ -18,3 +25,14 @@ Acked-by: Jeff Mahoney +use Immunix::AppArmor; +*Immunix::SubDomain:: = *Immunix::AppArmor::; +1; +--- a/utils/Makefile 2011-05-27 21:08:50.000000000 +0200 ++++ b/utils/Makefile 2011-09-10 17:57:55.000000000 +0200 +@@ -31,7 +31,7 @@ PERLTOOLS = aa-genprof aa-logprof aa-aut + aa-unconfined aa-notify aa-disable + TOOLS = ${PERLTOOLS} aa-decode aa-status + MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \ +- ${MODDIR}/Config.pm ${MODDIR}/Severity.pm ++ ${MODDIR}/Config.pm ${MODDIR}/Severity.pm ${MODDIR}/SubDomain.pm + + MANPAGES = ${TOOLS:=.8} logprof.conf.5 + diff --git a/apparmor.changes b/apparmor.changes index b3980b0..1a0f441 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Tue Sep 13 18:47:36 UTC 2011 - opensuse@cboltz.de + +- update to AppArmor 2.7.0 beta1, for details see + http://wiki.apparmor.net/index.php/ReleaseNotes_2_7 +- removed lots of patches I pushed upstream +- disabled apparmor-2.5.1-unified-build (patch to use automake, + does not apply to 2.7 and probably won't be accepted upstream) +- disabled build of tomcat_apparmor (doesn't build, deprecated upstream) +- run spec-cleaner +- remove *.la files +- move usr.sbin.nscd profile back to apparmor-profiles package + +------------------------------------------------------------------- +Wed Sep 7 10:35:12 MDT 2011 - jfehlig@suse.com + +- Update patch apparmor-profiles-usr.sbin.dnsmasq to include + /var/lib/libvirt/dnsmasq/*.leases (bnc#694197). + ------------------------------------------------------------------- Mon Aug 22 11:54:21 UTC 2011 - opensuse@cboltz.de diff --git a/apparmor.spec b/apparmor.spec index ac94626..fc17777 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -15,9 +15,8 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild -%bcond_without tomcat +%bcond_with tomcat %bcond_without pam %bcond_without apache %bcond_with python 
@@ -44,60 +43,68 @@ Name: apparmor %if ! %{?distro:1}0 %define distro suse %endif -Summary: AppArmor userlevel parser utility -Version: 2.6.1 +Version: 2.7.beta1 Release: 1 +Summary: AppArmor userlevel parser utility +%define versiondir 2.7.0~beta1 Group: Productivity/Networking/Security -Source0: apparmor-%{version}.tar.bz2 +Source0: apparmor-%{version}.tar.gz Source1: %{name}-profile-editor.png Source2: %{name}-profile-editor.desktop Source3: update-trans.sh -Patch1: apparmor-scripts -Patch3: apparmor-utils-add-log-types -Patch4: apparmor-utils-filenames-in-slash +# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch5: apparmor-utils-string-split -Patch6: apparmor-profiles-cupsd-fix -Patch7: apparmor-profiles-sshd-fix -Patch8: apparmor-profiles-syslog-ng-fix -Patch9: apparmor-startproc.patch + +# use autobuild everywhere. Patch applies to 2.6.1 only and probably won't be accepted upstream. Patch10: apparmor-2.5.1-unified-build +# requires Patch10 Patch11: apparmor-2.5.1-rpmlint-asprintf + +# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch12: apparmor-2.5.1-edirectory-profile +# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch13: apparmor-2.5.1-ldapclient-profile -Patch14: genprof-whitespace-in-profile-fix + +# obsolete, upstream implemented this in another way Patch15: apparmor-remove-repo -Patch16: apparmor-2.5.1-ntpd-sys_nice -Patch17: apparmor-2.5.1-ssl-fix -Patch18: apparmor-profiles-usr.sbin.dnsmasq -Patch19: klog-needs-CAP_SYSLOG -Patch20: apparmor-profiles-dhclient + +# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch21: apparmor-utils-subdomain-compat -Patch22: apparmor-securityfs-systemd.patch -Patch23: apparmor-2.6.0-dhcpd -Patch24: apparmor-compat-routines + License: GPLv2+ -BuildRoot: %{_tmppath}/%{name}-%{version}-build Url: https://launchpad.net/apparmor PreReq: sed +BuildRoot: 
%{_tmppath}/%{name}-%{version}-build %if %{distro} == "suse" -PreReq: %{insserv_prereq} aaa_base +PreReq: %{insserv_prereq} +PreReq: aaa_base %endif -BuildRequires: gcc-c++ -BuildRequires: pkg-config -BuildRequires: pcre-devel %define apparmor_bin_prefix /lib/apparmor -BuildRequires: bison flex latex2html w3m +BuildRequires: bison +BuildRequires: flex +BuildRequires: gcc-c++ +BuildRequires: latex2html +BuildRequires: pcre-devel +BuildRequires: pkg-config BuildRequires: texlive-latex +BuildRequires: w3m + +# TODO: put also to Requires? +BuildRequires: perl(Locale::gettext) +BuildRequires: perl(RPC::XML) +BuildRequires: perl(Term::ReadKey) BuildRequires: swig %if %{with python} -BuildRequires: python-devel swig +BuildRequires: python-devel +BuildRequires: swig %endif %if %{with ruby} -BuildRequires: ruby-devel swig +BuildRequires: ruby-devel +BuildRequires: swig %endif %if %{with apache} @@ -105,11 +112,15 @@ BuildRequires: apache2-devel %endif %if %{with tomcat} -BuildRequires: ant java-devel >= 1.6.0 tomcat6 +BuildRequires: ant +BuildRequires: java-devel >= 1.6.0 +BuildRequires: tomcat6 %endif %if %{with editor} -BuildRequires: gcc-c++ update-desktop-files wxGTK-devel +BuildRequires: gcc-c++ +BuildRequires: update-desktop-files +BuildRequires: wxGTK-devel %endif %if %{with gnome} @@ -121,7 +132,10 @@ BuildRequires: pkgconfig(libpanelapplet-2.0) %endif %if %{with dbus} -BuildRequires: audit-devel dbus-1-devel libapparmor-devel pkg-config +BuildRequires: audit-devel +BuildRequires: libapparmor-devel +BuildRequires: pkg-config +BuildRequires: pkgconfig(dbus-1) %endif %package parser @@ -161,13 +175,6 @@ This package contains documentation for AppArmor. This package is part of a suite of tools that used to be named SubDomain. - - -Authors: --------- - lcambell@novell.com - Seth Arnold - %if %{with apache} %package -n apache2-mod_apparmor 
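Review bot: Dropping `Patch18: apparmor-profiles-usr.sbin.dnsmasq` in the `@@ -44,60 +43,68 @@` hunk looks inconsistent with the changelog entry added in this same commit, which says that patch was just extended with `/var/lib/libvirt/dnsmasq/*.leases` (bnc#694197); the deleted patch text only carries the `*.hostsfile` rule, so it is not visible here whether the 2.7.beta1 dnsmasq profile has the leases rule. The same check applies to the other removed profile patches (sshd, cupsd, syslog-ng, dhclient, dhcpd, ntpd, the openssl abstraction): each should be compared against the profiles shipped in the new tarball, since a rule that did not make it upstream only shows up later as a denial in enforce mode. `Patch10`, `Patch11` and `Patch15` stay declared although their `%patch` lines are commented out in `%prep`; if they are not coming back, removing the declarations and the files keeps the source list accurate. Source0 is pinned only by the git-lfs object hash, so if upstream publishes a detached signature for this beta it would be worth adding it as an additional Source.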
@@ -185,15 +192,12 @@ SubDomain. The documentation is in the apparmor-admin_en package. -Authors: --------- - sbeattie@suse.de %endif %package -n libapparmor1 +License: LGPLv2.1+ Summary: Utility library for AppArmor Group: Development/Libraries/C and C++ -License: LGPLv2.1+ %ifarch ppc64 Obsoletes: libapparmor-64bit < %{version} Provides: libapparmor-64bit = ${version} @@ -208,34 +212,26 @@ This package provides the libapparmor library, which contains the change_hat(2) symbol, used for sub-process confinement by AppArmor, as well as functions to parse AppArmor log messages. -Authors: --------- - Steve Beattie - Matt Barringer - %package -n libapparmor-devel License: LGPLv2.1+ -Requires: libapparmor1 = %{version}-%{release} -Group: Development/Libraries/C and C++ -Provides: libapparmor:/usr/include/sys/apparmor.h Summary: Development headers and libraries for libapparmor +Group: Development/Libraries/C and C++ +Requires: libapparmor1 = %{version} +Provides: libapparmor:/usr/include/sys/apparmor.h %description -n libapparmor-devel These libraries are needed for developing software that makes use of the AppArmor API. -Authors: --------- - Steve Beattie - Matt Barringer - %package -n perl-apparmor License: GPLv2 ; LGPLv2.1+ +Summary: Perl interface for libapparmor functions +Group: Development/Libraries/Perl Requires: libapparmor1 = %{version} Requires: perl = %{perl_version} -Requires: perl(Term::ReadKey) perl(DBD::SQLite) perl(RPC::XML) -Group: Development/Libraries/Perl -Summary: Perl interface for libapparmor functions +Requires: perl(DBD::SQLite) +Requires: perl(RPC::XML) +Requires: perl(Term::ReadKey) Provides: perl-libapparmor Obsoletes: perl-libapparmor < 2.5 
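Review bot: In the `libapparmor-devel` stanza of the `@@ -208,34 +212,26 @@` hunk the dependency is relaxed from `Requires: libapparmor1 = %{version}-%{release}` to `Requires: libapparmor1 = %{version}`, which lets headers from one rebuild be installed next to a library from a different release of the same version. The other subpackages already use the version-only form, so this may be a deliberate alignment, but for a -devel package I would keep the stricter pin, `Requires: libapparmor1 = %{version}-%{release}`. Separately, the unchanged context of the preceding hunk still reads `Provides: libapparmor-64bit = ${version}`; `${version}` is shell syntax rather than an RPM macro and presumably should be `%{version}`.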
@@ -243,20 +239,15 @@ Obsoletes: perl-libapparmor < 2.5 This package provides the perl interface to AppArmor. It is used for perl applications interfacing with AppArmor, including the AppArmor utilities. -Authors: --------- - Steve Beattie - Matt Barringer - %if %{with python} %package -n python-apparmor License: GPLv2 ; LGPLv2.1+ -Requires: libapparmor1 = %{version} -BuildRequires: python -Requires: python = %{python_version} -Group: Development/Libraries/Python Summary: Python interface for libapparmor functions +Group: Development/Libraries/Python +BuildRequires: python +Requires: libapparmor1 = %{version} +Requires: python = %{python_version} Provides: python-libapparmor Obsoletes: python-libapparmor < 2.5 @@ -264,20 +255,16 @@ Obsoletes: python-libapparmor < 2.5 This package provides the python interface to AppArmor. It is used for python applications interfacing with AppArmor. -Authors: --------- - Steve Beattie - Matt Barringer %endif %if %{with ruby} %package -n ruby-apparmor License: GPLv2 ; LGPLv2.1+ +Summary: Ruby interface for libapparmor functions +Group: Development/Libraries/Ruby Requires: libapparmor1 = %{version} Requires: ruby = %{ruby_version} -Group: Development/Libraries/Ruby -Summary: Ruby interface for libapparmor functions Provides: ruby-libapparmor Obsoletes: ruby-libapparmor < 2.5 @@ -285,19 +272,15 @@ Obsoletes: ruby-libapparmor < 2.5 This package provides the ruby interface to AppArmor. It is used for ruby applications interfacing with AppArmor. -Authors: --------- - Steve Beattie - Matt Barringer %endif %package profiles License: GPLv2 ; LGPLv2.1+ Summary: AppArmor profiles that are loaded into the apparmor kernel module Group: Productivity/Security +Requires: apparmor-parser(CAP_SYSLOG) Obsoletes: subdomain-profiles < %{version} Provides: subdomain-profiles = %{version} -Requires: apparmor-parser(CAP_SYSLOG) BuildArch: noarch %description profiles 
@@ -309,18 +292,12 @@ vulnerabilities. This package is part of a suite of tools that used to be named SubDomain. -Authors: --------- - seth.arnold@suse.de - sbeattie@suse.de - jjohansen@suse.de - %package utils License: GPLv2 ; LGPLv2.1+ Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles Group: Productivity/Security -Requires: perl = %{perl_version} Requires: libapparmor1 = %{version} +Requires: perl = %{perl_version} Requires: perl-apparmor = %{version} BuildArch: noarch @@ -331,18 +308,14 @@ Besides it provides the aa-unconfined server information tool and the aa-eventd event reporting system. It is part of a suite of tools that used to be named SubDomain. -Authors: --------- - jmichael@suse.de - seth.arnold@suse.de - %if %{with tomcat} %package -n tomcat_apparmor License: GPLv2 ; LGPLv2.1+ Summary: Tomcat 6 plugin for AppArmor change_hat Group: System/Libraries -Requires: libapparmor1 = %{version} tomcat6 +Requires: libapparmor1 = %{version} +Requires: tomcat6 %description -n tomcat_apparmor tomcat_apparmor - is a plugin for Apache Tomcat version 6 that @@ -351,9 +324,6 @@ containers that are bound to discrete elements of processing within the Tomcat servlet container. The AppArmor containers, or "hats", can be created for individual URL processing or per servlet. -Authors: --------- - dreynolds@suse.de %endif %if %{with pam} @@ -363,8 +333,10 @@ License: GPLv2 ; LGPLv2.1+ Summary: PAM module for AppArmor change_hat Group: Productivity/Security BuildRequires: pam-devel -Requires: pam pam-config -PreReq: pam pam-config +PreReq: pam +PreReq: pam-config +Requires: pam +Requires: pam-config %description -n pam_apparmor The pam_apparmor module provides the means for any PAM applications @@ -372,11 +344,6 @@ that call pam_open_session() to automatically perform an AppArmor change_hat operation in order to switch to a user-specific security policy. -Authors: --------- - jmichael@suse.de - sbeattie@suse.de - %endif %if %{with dbus} 
@@ -390,10 +357,6 @@ Group: System/Monitoring An audit dispatcher for sending AppArmor events over the DBUS system bus. -Authors: --------- - Matt Barringer - %endif %if %{with editor} @@ -406,10 +369,6 @@ Group: Productivity/Editors/Other %description profile-editor A syntax highlighting editor for AppArmor profiles. -Authors: --------- - Matt Barringer - %endif %if %{with gnome} @@ -423,11 +382,6 @@ Group: System/GUI/GNOME This taskbar applet receives AppArmor events over DBUS, and notifies the user when AppArmor prevents an application from functioning. - -Authors: --------- - Matt Barringer - %endif %description 
@@ -444,79 +398,78 @@ SubDomain. %endif %prep -%setup -q -n %{name}-%{version} -%patch1 -p1 -%patch3 -p1 -%patch4 -p1 +%setup -q -n %{name}-%{versiondir} %patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 +#%patch10 -p1 # disabled, see above +#%patch11 -p1 # disabled, see above %patch12 -p1 %patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 +#%patch15 -p1 # obsolete, see above %patch21 -p1 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 %build export SUSE_ASNEEDED=0 -autoreconf -fiv +# re-define _libdir to /lib or /lib64 %define _libdir /%{_lib} -%configure --disable-static --with-pic \ ---with-perl \ + +# libapparmor: +( + cd ./libraries/libapparmor + sh ./autogen.sh + %configure --with-perl \ %if %{with python} ---with-python \ + --with-python \ %else ---without-python \ + --without-python \ %endif %if %{with ruby} ---with-ruby \ + --with-ruby \ %else ---without-ruby \ -%endif -%if %{with tomcat} ---with-tomcat \ -%else ---without-tomcat \ -%endif -%if %{with pam} ---with-pam \ -%else ---without-pam \ -%endif -%if %{with apache} ---with-apache \ -%else ---without-apache \ -%endif -%if %{with gnome} ---with-gnome \ -%else ---without-gnome \ -%endif -%if %{with dbus} ---with-dbus \ -%else ---without-dbus \ -%endif -%if %{with editor} ---with-profileeditor \ -%else ---without-profileeditor \ + --without-ruby \ %endif -%{__make} %{?jobs:-j%jobs} + make + #make check +) + +# Utilities: +make -C utils +# make -C utils check + +# parser: +make -C parser +# techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough +make -C parser techdoc.txt +# make -C parser check + +# Apache mod_apparmor: +%if %{with apache} + make -C changehat/mod_apparmor +%endif + +# PAM AppArmor: +%if %{with pam} + make -C changehat/pam_apparmor +%endif + +# Profiles: +make -C profiles +# make -C profiles check + +##configure --disable-static --with-pic \ 
+#--with-perl \ +%if %{with tomcat} + make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME} +%endif +%if %{with gnome} +#--with-gnome \ +%endif +%if %{with dbus} +#--with-dbus \ +%endif +%if %{with editor} +#--with-profileeditor \ +%endif %if %{with ruby} #rm libraries/libapparmor/swig/ruby/Makefile.ruby 
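Review bot: Every test invocation in the new %build is commented out (`#make check` for libapparmor, `# make -C utils check`, `# make -C parser check`, `# make -C profiles check`), so a parser that miscompiles policy or a shipped profile that no longer parses would still be packaged. For a package whose job is enforcing confinement, I would run at least the parser and profile suites in a `%check` section: `make -C parser check` and `make -C profiles check`. If a suite cannot run in the build environment, a comment naming it and the reason would be more useful than the bare commented lines. The %build section continues past the end of this hunk.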
@@ -524,23 +477,37 @@ autoreconf -fiv %endif %install -%{make_install} - -find $RPM_BUILD_ROOT -name .packlist -exec rm -f {} \; -find $RPM_BUILD_ROOT -name perllocal.pod -exec rm -f {} \; - +# libapparmor +%makeinstall -C libraries/libapparmor # create symlink for old change_hat(2) manpage -ln -s aa_change_hat.2 ${RPM_BUILD_ROOT}/%{_mandir}/man2/change_hat.2 +( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 ) -mkdir ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d -install parser/rc.apparmor.suse ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/boot.apparmor -install parser/rc.aaeventd.suse ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/aaeventd -ln -s %{_sysconfdir}/init.d/aaeventd ${RPM_BUILD_ROOT}/sbin/rcaaeventd -ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcapparmor -ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcsubdomain +# utilities +%makeinstall -C utils VENDOR_PERL=%{perl_vendorlib} +mkdir -p %{buildroot}/var/log/apparmor + +%makeinstall -C parser + +%if %{with apache} + %makeinstall -C changehat/mod_apparmor +%endif + +%if %{with pam} + %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_libdir}/security +%endif + +%makeinstall -C profiles + +%if %{with tomcat} + mkdir -p %{buildroot}/%{CATALINA_HOME} + %makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME} +%endif + +find %{buildroot} -name .packlist -exec rm -f {} \; +find %{buildroot} -name perllocal.pod -exec rm -f {} \; # Re-create the links to the old names -for file in ${RPM_BUILD_ROOT}/usr/{sbin,share/man/man[0-9]}/aa-*; do +for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do d=$(dirname $file) f=$(basename $file) if [ "${f#aa-}" != "$f" ]; then 
@@ -548,9 +515,9 @@ for file in ${RPM_BUILD_ROOT}/usr/{sbin,share/man/man[0-9]}/aa-*; do fi done -mv -f ${RPM_BUILD_ROOT}/usr/share/man/man8/{status.8,apparmor_status.8} -mv -f ${RPM_BUILD_ROOT}/usr/share/man/man8/{notify.8,apparmor_notify.8} -rm -f ${RPM_BUILD_ROOT}/usr/share/man/man8/decode.8 +mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8} +mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8} +rm -f %{buildroot}%{_mandir}/man8/decode.8 %if %{with editor} %suse_update_desktop_file -i %{name}-profile-editor Utility TextEditor @@ -564,11 +531,17 @@ for pkg in apparmor-utils apparmor-parser; do %find_lang $pkg done -# Clean up profiles that are provided by other packages now -rm $RPM_BUILD_ROOT%{_sysconfdir}/apparmor.d/usr.sbin.nscd +# remove *.la files +rm -fv %{buildroot}%{_libdir}/libapparmor.la %{buildroot}%{_libdir}/libimmunix.la -%clean -rm -rf $RPM_BUILD_ROOT +echo ------------------------------------------------------------------- +find -ls +echo ------------------------------------------------------------------- +head -n1000 *.lang +echo ------------------------------------------------------------------- +echo ------------------------------------------------------------------- +find %{buildroot} -ls +echo ------------------------------------------------------------------- %files docs %defattr(-,root,root) @@ -612,10 +585,11 @@ fi %files -n libapparmor1 %defattr(-,root,root) -%{_libdir}/libapparmor.la -%{_libdir}/libimmunix.la %{_libdir}/libapparmor.so* %{_libdir}/libimmunix.so* +# not sure about the correct package for *.a files... +%{_libdir}/libapparmor.a +%{_libdir}/libimmunix.a %files -n libapparmor-devel %defattr(-,root,root) 
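Review bot: Dropping `rm $RPM_BUILD_ROOT%{_sysconfdir}/apparmor.d/usr.sbin.nscd` means apparmor-profiles appears to ship the nscd profile again, although the removed comment said it is provided by another package. If that is still the case, two packages would own the same policy file and the confinement actually installed for nscd would depend on which one wins. If it is no longer the case, a changelog line saying so would help. The added `find -ls` / `head -n1000 *.lang` / `find %{buildroot} -ls` block looks like debugging output and could go once the file lists are settled.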
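Review bot: `%{_libdir}/libapparmor.a` and `%{_libdir}/libimmunix.a` are added to the runtime package libapparmor1, and the spec's own comment says the placement is unsure. If the archives are shipped at all they belong in libapparmor-devel. Programs linked against them carry their own copy of the library and will not pick up later libapparmor fixes from a package update. The old %build passed `--disable-static --with-pic` to %configure and the new one does not, so restoring `--disable-static` on the libapparmor `%configure --with-perl \` line would avoid building them.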
@@ -623,22 +597,22 @@ fi %{_libdir}/libimmunix.so %doc %{_mandir}/man2/aa_change_hat.2.gz %doc %{_mandir}/man2/change_hat.2.gz +%doc %{_mandir}/man2/aa_find_mountpoint.2.gz +%doc %{_mandir}/man2/aa_getcon.2.gz %dir %{_includedir}/aalogparse %{_includedir}/sys/apparmor.h %{_includedir}/aalogparse/* # hrm, still need to enumerate each directory in these paths in files :( -%define extras_dir %{_sysconfdir}/apparmor/profiles/extras/ -%define profiles_dir %{_sysconfdir}/apparmor.d/ +# %define extras_dir %{_sysconfdir}/apparmor/profiles/extras/ +# %define profiles_dir %{_sysconfdir}/apparmor.d/ %files profiles -%defattr(-,root,root) -%attr(644, root, root) %config(noreplace) %{profiles_dir}/* -%attr(644, root, root) %{extras_dir}/* -%dir %{_sysconfdir}/apparmor.d/ +%defattr(644,root,root,755) +%config(noreplace) %{_sysconfdir}/apparmor.d/ %dir %{_sysconfdir}/apparmor/ %dir %{_sysconfdir}/apparmor/profiles -%dir %{_sysconfdir}/apparmor/profiles/extras +%config %{_sysconfdir}/apparmor/profiles/extras/ %files utils %defattr(-,root,root) @@ -657,6 +631,7 @@ fi %doc %{_mandir}/man8/audit.8.gz %doc %{_mandir}/man8/autodep.8.gz %doc %{_mandir}/man8/complain.8.gz +%doc %{_mandir}/man8/disable.8.gz %doc %{_mandir}/man8/enforce.8.gz %doc %{_mandir}/man8/genprof.8.gz %doc %{_mandir}/man8/logprof.8.gz @@ -669,8 +644,7 @@ fi %files -n perl-apparmor %defattr(-,root,root) %{perl_vendorlib}/Immunix -%dir %{perl_vendorarch}/auto/LibAppArmor -%{perl_vendorarch}/auto/LibAppArmor/* +%{perl_vendorarch}/auto/LibAppArmor/ %{perl_vendorarch}/LibAppArmor.pm %if %{with python} @@ -693,7 +667,6 @@ fi %files -n pam_apparmor %defattr(444,root,root,755) %attr(555,root,root) %{_libdir}/security/pam_apparmor.so -%attr(555,root,root) %{_libdir}/security/pam_apparmor.la %endif %if %{with tomcat} 
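Review bot: The two lines `# %define extras_dir …` and `# %define profiles_dir …` are probably still live macro definitions, because rpm generally expands macros inside comment lines. Since the %files entries in this hunk now spell the paths out, I would delete both lines or escape them as `# %%define extras_dir …`. The `#%patch10 -p1 # disabled, see above` lines in the %prep hunk have the same form and deserve the same `%%` escaping.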
@@ -729,9 +702,9 @@ fi %{_bindir}/profileeditor %{_docdir}/profileeditor/AppArmorProfileEditor.htb %if 0 -%{_prefix}/share/doc/profileeditor/AppArmorProfileEditor.htb +%{_datadir}/doc/profileeditor/AppArmorProfileEditor.htb %endif -%dir %{_prefix}/share/doc/profileeditor +%dir %{_datadir}/doc/profileeditor %endif %if %{with gnome} diff --git a/genprof-whitespace-in-profile-fix b/genprof-whitespace-in-profile-fix deleted file mode 100644 index a3f65d5..0000000 --- a/genprof-whitespace-in-profile-fix +++ /dev/null @@ -1,39 +0,0 @@ -From: Jeff Mahoney -Subject: apparmor-utils: setprofileflags() drops leading whitespace -References: bnc#480795 - - setprofileflags() drops leading whitespace for subprofiles. writeheader() - properly indents subprofiles 2 spaces per nesting level but when - genprof sets the profile to enforce mode at completion, the whitespace - is removed. - - This patch adds the whitespace globbing to the regexp and uses it to - prefix the sub-profile with the correct spacing. - - Reported at: https://bugzilla.novell.com/show_bug.cgi?id=480795 - -Signed-off-by: Jeff Mahoney ---- - utils/Immunix/AppArmor.pm | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/utils/Immunix/AppArmor.pm -+++ b/utils/Immunix/AppArmor.pm -@@ -1033,13 +1033,13 @@ sub setprofileflags ($$) { - if (open(PROFILE, "$filename")) { - if (open(NEWPROFILE, ">$filename.new")) { - while () { -- if (m/^\s*(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) { -- my ($binary, $flags) = ($1, $5); -+ if (m/^(\s*)(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) { -+ my ($space, $binary, $flags) = ($1, $2, $6); - - if ($newflags) { -- $_ = "$binary flags=($newflags) {\n"; -+ $_ = "$space$binary flags=($newflags) {\n"; - } else { -- $_ = "$binary {\n"; -+ $_ = "$space$binary {\n"; - } - } elsif (m/^(\s*\^\S+)\s+(flags=\(.+\)\s+)*\{\s*$/) { - my ($hat, $flags) = ($1, $2); 
diff --git a/klog-needs-CAP_SYSLOG b/klog-needs-CAP_SYSLOG deleted file mode 100644 index 233f008..0000000 --- a/klog-needs-CAP_SYSLOG +++ /dev/null @@ -1,35 +0,0 @@ ---- - parser/parser_misc.c | 4 ++++ - profiles/apparmor.d/sbin.klogd | 1 + - 2 files changed, 5 insertions(+) - ---- a/parser/parser_misc.c -+++ b/parser/parser_misc.c -@@ -129,6 +129,9 @@ static int get_table_token(const char *n - static struct keyword_table capability_table[] = { - /* capabilities */ - #include "cap_names.h" -+#ifndef CAP_SYSLOG -+ {"syslog", 34}, -+#endif - /* terminate */ - {NULL, 0} - }; -@@ -866,6 +869,7 @@ static const char *capnames[] = { - "audit_control", - "setfcap", - "mac_override" -+ "syslog", - }; - - const char *capability_to_name(unsigned int cap) ---- a/profiles/apparmor.d/sbin.klogd -+++ b/profiles/apparmor.d/sbin.klogd -@@ -15,6 +15,7 @@ - #include - - capability sys_admin, -+ capability syslog, - - network inet stream, -