Accepting request 82045 from security:apparmor:factory
- update to AppArmor 2.7.0 beta1, for details see http://wiki.apparmor.net/index.php/ReleaseNotes_2_7 - removed lots of patches I pushed upstream - disabled apparmor-2.5.1-unified-build (patch to use automake, does not apply to 2.7 and probably won't be accepted upstream) - disabled build of tomcat_apparmor (doesn't build, deprecated upstream) - run spec-cleaner - remove *.la files - move usr.sbin.nscd profile back to apparmor-profiles package - Update patch apparmor-profiles-usr.sbin.dnsmasq to include /var/lib/libvirt/dnsmasq/*.leases (bnc#694197). OBS-URL: https://build.opensuse.org/request/show/82045 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=22
parent
2c3418e38e
commit
76467be0e2
@ -1,24 +0,0 @@
|
|||||||
From: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
Subject: profile: ntpd -N needs sys_nice
|
|
||||||
References: bnc#657054
|
|
||||||
|
|
||||||
ntpd -N allows the administrator to increase or decrease priority of the
|
|
||||||
ntp server. Since the profile doesn't allow it, the operation is denied.
|
|
||||||
|
|
||||||
This patch adds support for that operation.
|
|
||||||
|
|
||||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
---
|
|
||||||
profiles/apparmor.d/usr.sbin.ntpd | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
--- a/profiles/apparmor.d/usr.sbin.ntpd
|
|
||||||
+++ b/profiles/apparmor.d/usr.sbin.ntpd
|
|
||||||
@@ -24,6 +24,7 @@
|
|
||||||
capability sys_chroot,
|
|
||||||
capability sys_resource,
|
|
||||||
capability sys_time,
|
|
||||||
+ capability sys_nice,
|
|
||||||
|
|
||||||
network inet dgram,
|
|
||||||
network inet stream,
|
|
@ -1,135 +0,0 @@
|
|||||||
From: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
Subject: profiles: Add openssl abstraction
|
|
||||||
References: bnc#623886
|
|
||||||
|
|
||||||
Profiles that use openssl have been adding the openssl files piecemeal.
|
|
||||||
|
|
||||||
This patch creates a new openssl abstraction that can be inherited by
|
|
||||||
all profiles that use it.
|
|
||||||
|
|
||||||
|
|
||||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
---
|
|
||||||
profiles/apparmor.d/abstractions/openssl | 4 ++++
|
|
||||||
profiles/apparmor.d/abstractions/ssl_certs | 4 ++++
|
|
||||||
profiles/apparmor/profiles/extras/usr.lib.postfix.smtp | 2 +-
|
|
||||||
profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd | 2 +-
|
|
||||||
profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork | 2 +-
|
|
||||||
profiles/apparmor/profiles/extras/usr.sbin.imapd | 2 +-
|
|
||||||
profiles/apparmor/profiles/extras/usr.sbin.ipop2d | 2 +-
|
|
||||||
profiles/apparmor/profiles/extras/usr.sbin.ipop3d | 2 +-
|
|
||||||
8 files changed, 14 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/profiles/apparmor.d/abstractions/openssl
|
|
||||||
@@ -0,0 +1,4 @@
|
|
||||||
+
|
|
||||||
+ /etc/ssl/openssl.cnf r,
|
|
||||||
+ /usr/share/ssl/openssl.cnf r,
|
|
||||||
+
|
|
||||||
--- a/profiles/apparmor.d/abstractions/ssl_certs
|
|
||||||
+++ b/profiles/apparmor.d/abstractions/ssl_certs
|
|
||||||
@@ -14,3 +14,7 @@
|
|
||||||
/etc/ssl/certs/* r,
|
|
||||||
/usr/share/ca-certificates/ r,
|
|
||||||
/usr/share/ca-certificates/** r,
|
|
||||||
+ /usr/share/ssl/certs/ca-bundle.crt r,
|
|
||||||
+
|
|
||||||
+ /usr/share/ca-certificates/mozilla/ r,
|
|
||||||
+ /usr/share/ca-certificates/mozilla/* r,
|
|
||||||
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
|
|
||||||
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
|
|
||||||
@@ -15,6 +15,7 @@
|
|
||||||
#include <abstractions/nameservice>
|
|
||||||
#include <abstractions/kerberosclient>
|
|
||||||
#include <program-chunks/postfix-common>
|
|
||||||
+ #include <abstractions/openssl>
|
|
||||||
|
|
||||||
capability dac_override,
|
|
||||||
capability dac_read_search,
|
|
||||||
@@ -38,7 +39,6 @@
|
|
||||||
/etc/postfix/{ssl/,}*.pem r,
|
|
||||||
/etc/postfix/prng_exch rw,
|
|
||||||
/usr/share/ssl/certs/ca-bundle.crt r,
|
|
||||||
- /usr/share/ssl/openssl.cnf r,
|
|
||||||
/etc/postfix/virtual.db r,
|
|
||||||
/etc/postfix/sasl_passwd.db r,
|
|
||||||
/etc/mtab r,
|
|
||||||
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
|
|
||||||
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
|
|
||||||
@@ -15,6 +15,7 @@
|
|
||||||
#include <abstractions/nameservice>
|
|
||||||
#include <abstractions/kerberosclient>
|
|
||||||
#include <program-chunks/postfix-common>
|
|
||||||
+ #include <abstractions/openssl>
|
|
||||||
|
|
||||||
capability dac_override,
|
|
||||||
capability dac_read_search,
|
|
||||||
@@ -43,7 +44,6 @@
|
|
||||||
/usr/lib/sasl2/* mr,
|
|
||||||
|
|
||||||
/usr/share/ssl/certs/ca-bundle.crt r,
|
|
||||||
- /usr/share/ssl/openssl.cnf r,
|
|
||||||
|
|
||||||
/{var/spool/postfix/,}pid/inet.* rw,
|
|
||||||
/{var/spool/postfix/,}private/anvil w,
|
|
||||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
|
|
||||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
|
|
||||||
@@ -17,6 +17,7 @@
|
|
||||||
#include <abstractions/kerberosclient>
|
|
||||||
#include <abstractions/nameservice>
|
|
||||||
#include <abstractions/perl>
|
|
||||||
+ #include <abstractions/openssl>
|
|
||||||
|
|
||||||
capability kill,
|
|
||||||
capability net_bind_service,
|
|
||||||
@@ -83,7 +84,6 @@
|
|
||||||
/usr/share/snmp/mibs r,
|
|
||||||
/usr/share/snmp/mibs/*.{txt,mib} r,
|
|
||||||
/usr/share/snmp/mibs/.index wr,
|
|
||||||
- /usr/share/ssl/openssl.cnf r,
|
|
||||||
/var/lock/httpd2.lock.* wl,
|
|
||||||
/var/log/apache2/* rwl,
|
|
||||||
/var/log/httpd/ssl_scache.dir r,
|
|
||||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.imapd
|
|
||||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.imapd
|
|
||||||
@@ -15,10 +15,10 @@
|
|
||||||
#include <abstractions/nameservice>
|
|
||||||
#include <abstractions/authentication>
|
|
||||||
#include <abstractions/user-mail>
|
|
||||||
+ #include <abstractions/openssl>
|
|
||||||
|
|
||||||
/dev/urandom r,
|
|
||||||
/tmp/* rwl,
|
|
||||||
/usr/sbin/imapd r,
|
|
||||||
/usr/share/ssl/certs/imapd.pem r,
|
|
||||||
- /usr/share/ssl/openssl.cnf r,
|
|
||||||
}
|
|
||||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
|
|
||||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
|
|
||||||
@@ -15,10 +15,10 @@
|
|
||||||
#include <abstractions/nameservice>
|
|
||||||
#include <abstractions/authentication>
|
|
||||||
#include <abstractions/user-mail>
|
|
||||||
+ #include <abstractions/openssl>
|
|
||||||
|
|
||||||
/dev/urandom r ,
|
|
||||||
/tmp/.* rwl ,
|
|
||||||
/usr/sbin/ipop2d rmix,
|
|
||||||
/usr/share/ssl/certs/ipop2d.pem r ,
|
|
||||||
- /usr/share/ssl/openssl.cnf r ,
|
|
||||||
}
|
|
||||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
|
|
||||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
|
|
||||||
@@ -15,10 +15,10 @@
|
|
||||||
#include <abstractions/nameservice>
|
|
||||||
#include <abstractions/authentication>
|
|
||||||
#include <abstractions/user-mail>
|
|
||||||
+ #include <abstractions/openssl>
|
|
||||||
|
|
||||||
/dev/urandom r ,
|
|
||||||
/tmp/.* rwl ,
|
|
||||||
/usr/sbin/ipop3d rmix,
|
|
||||||
/usr/share/ssl/certs/ipop3d.pem r ,
|
|
||||||
- /usr/share/ssl/openssl.cnf r ,
|
|
||||||
}
|
|
@ -1,34 +0,0 @@
|
|||||||
From: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
Subject: dhcpd: Fix apparmor profile
|
|
||||||
References: bnc#692428
|
|
||||||
|
|
||||||
This patch adds the network rules needed, corrects the path to dhcpd.leases,
|
|
||||||
and adds the path for TSIG DNS keys.
|
|
||||||
|
|
||||||
Reported-by: Andrew Beames <suseforum@roocomputing.co.uk>
|
|
||||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
---
|
|
||||||
profiles/apparmor/profiles/extras/usr.sbin.dhcpd | 7 ++++++-
|
|
||||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
|
|
||||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
|
|
||||||
@@ -21,12 +21,17 @@
|
|
||||||
capability setuid,
|
|
||||||
capability sys_chroot,
|
|
||||||
|
|
||||||
+ network inet raw,
|
|
||||||
+ network packet raw,
|
|
||||||
+
|
|
||||||
/db/dhcpd.leases* lrw,
|
|
||||||
/etc/dhcpd.conf r,
|
|
||||||
/etc/hosts.allow r,
|
|
||||||
/etc/hosts.deny r,
|
|
||||||
/usr/sbin/dhcpd rmix,
|
|
||||||
- /var/lib/dhcp/dhcpd.leases* rwl,
|
|
||||||
+ /var/lib/dhcp/db/dhcpd.leases* rwl,
|
|
||||||
/var/lib/dhcp/etc/dhcpd.conf r,
|
|
||||||
/var/run/dhcpd.pid wl,
|
|
||||||
+ /etc/named.d/* r,
|
|
||||||
+ @{PROC}/net/dev r,
|
|
||||||
}
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:d8b6d41181354a603bd0e1a79cb0a971339fd3366b12b18da3b648fe259ef915
|
|
||||||
size 1242129
|
|
3
apparmor-2.7.beta1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:3c2b2db7edae97dd4f5c24071a4ac8f006d2ade745161754efa4c2e58639c8d5
|
||||||
|
size 1410143
|
@ -1,23 +0,0 @@
|
|||||||
From: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
Subject: apparmor-utils: Add check_for_apparmor helper.
|
|
||||||
|
|
||||||
This should be an alias but those get complicated quickly in perl.
|
|
||||||
|
|
||||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
---
|
|
||||||
utils/Immunix/AppArmor.pm | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
--- a/utils/Immunix/AppArmor.pm
|
|
||||||
+++ b/utils/Immunix/AppArmor.pm
|
|
||||||
@@ -463,6 +463,10 @@ sub check_for_subdomain () {
|
|
||||||
return $sd_mountpoint;
|
|
||||||
}
|
|
||||||
|
|
||||||
+sub check_for_apparmor () {
|
|
||||||
+ return check_for_subdomain();
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
sub which ($) {
|
|
||||||
my $file = shift;
|
|
||||||
|
|
@ -1,59 +0,0 @@
|
|||||||
---
|
|
||||||
profiles/apparmor/profiles/extras/usr.sbin.cupsd | 25 ++++++++++++++++++-----
|
|
||||||
1 file changed, 20 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
|
|
||||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
|
|
||||||
@@ -16,20 +16,31 @@
|
|
||||||
capability setuid,
|
|
||||||
|
|
||||||
/bin/bash ixr,
|
|
||||||
+ /bin/cat ix,
|
|
||||||
+
|
|
||||||
+ /usr/bin/foomatic-rip ixr,
|
|
||||||
+ /etc/foomatic/** r,
|
|
||||||
+
|
|
||||||
+ /usr/bin/gs ix,
|
|
||||||
+ /usr/lib/ghostscript/** m,
|
|
||||||
+ /usr/lib64/ghostscript/** m,
|
|
||||||
+ /usr/share/ghostscript/** r,
|
|
||||||
+ /etc/ghostscript/** r,
|
|
||||||
+
|
|
||||||
/dev/lp0 rw,
|
|
||||||
/dev/tty rw,
|
|
||||||
/dev/ttyS? w,
|
|
||||||
/etc/cups rw,
|
|
||||||
/etc/cups/ r,
|
|
||||||
- /etc/cups/* r,
|
|
||||||
+ /etc/cups/** r,
|
|
||||||
/etc/cups/certs w,
|
|
||||||
/etc/cups/certs/* w,
|
|
||||||
- /etc/cups/classes.conf rw,
|
|
||||||
- /etc/cups/cupsd.conf rw,
|
|
||||||
+ /etc/cups/*.conf* rw,
|
|
||||||
/etc/cups/ppd rw,
|
|
||||||
+ /etc/printcap rw,
|
|
||||||
/etc/cups/printcap rw,
|
|
||||||
- /etc/cups/printers.conf rw,
|
|
||||||
/etc/cups/ssl rw,
|
|
||||||
+ /etc/cups/yes/* rw,
|
|
||||||
/etc/hosts.allow r,
|
|
||||||
/etc/hosts.deny r,
|
|
||||||
/proc/meminfo r,
|
|
||||||
@@ -39,11 +50,15 @@
|
|
||||||
/usr/bin/smbspool ixr,
|
|
||||||
/usr/lib/cups/backend/* ixr,
|
|
||||||
/usr/lib/cups/filter/* ixr,
|
|
||||||
- /usr/sbin/cupsd mr,
|
|
||||||
+ /usr/sbin/cupsd mixr,
|
|
||||||
/usr/share/cups/** r,
|
|
||||||
/var/log/cups/access_log rw,
|
|
||||||
/var/log/cups/error_log rw,
|
|
||||||
/var/spool/cups rw,
|
|
||||||
+ /var/spool/cups/** rw,
|
|
||||||
/var/spool/cups/tmp w,
|
|
||||||
/var/spool/cups/tmp/ r,
|
|
||||||
+ /var/run/cups/** rw,
|
|
||||||
+ /var/cache/cups/ rw,
|
|
||||||
+ /var/cache/cups/** rw,
|
|
||||||
}
|
|
@ -1,121 +0,0 @@
|
|||||||
From: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
Subject: profiles: update dhclient
|
|
||||||
References: bnc#561152
|
|
||||||
|
|
||||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
---
|
|
||||||
|
|
||||||
profiles/apparmor/profiles/extras/sbin.dhclient | 61 +++++++++++------
|
|
||||||
profiles/apparmor/profiles/extras/sbin.dhclient-script | 21 +++++
|
|
||||||
2 files changed, 61 insertions(+), 21 deletions(-)
|
|
||||||
|
|
||||||
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
|
|
||||||
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
|
|
||||||
@@ -11,12 +11,12 @@
|
|
||||||
# raw sockets, and thus cannot be confined with NetDomain
|
|
||||||
#
|
|
||||||
# Should these programs have their own domains?
|
|
||||||
-# /bin/ps mixr,
|
|
||||||
-# /sbin/arp rmix,
|
|
||||||
-# /usr/bin/dig rmix,
|
|
||||||
-# /usr/bin/uptime rmix,
|
|
||||||
-# /usr/bin/vmstat rmix,
|
|
||||||
-# /usr/bin/w rmix,
|
|
||||||
+# /bin/ps mrix,
|
|
||||||
+# /sbin/arp mrix,
|
|
||||||
+# /usr/bin/dig mrix,
|
|
||||||
+# /usr/bin/uptime mrix,
|
|
||||||
+# /usr/bin/vmstat mrix,
|
|
||||||
+# /usr/bin/w mrix,
|
|
||||||
|
|
||||||
#include <tunables/global>
|
|
||||||
|
|
||||||
@@ -24,25 +24,30 @@
|
|
||||||
#include <abstractions/base>
|
|
||||||
#include <abstractions/bash>
|
|
||||||
#include <abstractions/nameservice>
|
|
||||||
- /sbin/dhclient rmix,
|
|
||||||
- /sbin/dhclient-script rmix,
|
|
||||||
- /bin/bash rmix,
|
|
||||||
- /bin/df rmix,
|
|
||||||
+
|
|
||||||
+ network packet packet,
|
|
||||||
+ network packet raw,
|
|
||||||
+
|
|
||||||
+ /sbin/dhclient mrix,
|
|
||||||
+
|
|
||||||
+ /sbin/dhclient-script mrix,
|
|
||||||
+ /bin/bash mrix,
|
|
||||||
+ /bin/df mrix,
|
|
||||||
/bin/netstat Px,
|
|
||||||
- /bin/ps mixr,
|
|
||||||
+ /bin/ps mrix,
|
|
||||||
/dev/random r,
|
|
||||||
/etc/dhclient.conf r,
|
|
||||||
- @{PROC}/ r,
|
|
||||||
- @{PROC}/interrupts r,
|
|
||||||
- @{PROC}/net/dev r,
|
|
||||||
- @{PROC}/rtc r,
|
|
||||||
+ @{PROC}/ r,
|
|
||||||
+ @{PROC}/interrupts r,
|
|
||||||
+ @{PROC}/*/net/dev r,
|
|
||||||
+ @{PROC}/rtc r,
|
|
||||||
# following rule shouldn't work, self is a symlink
|
|
||||||
- @{PROC}/self/status r,
|
|
||||||
- /sbin/arp rmix,
|
|
||||||
- /usr/bin/dig rmix,
|
|
||||||
- /usr/bin/uptime rmix,
|
|
||||||
- /usr/bin/vmstat rmix,
|
|
||||||
- /usr/bin/w rmix,
|
|
||||||
+ @{PROC}/self/status r,
|
|
||||||
+ /sbin/arp mrix,
|
|
||||||
+ /usr/bin/dig mrix,
|
|
||||||
+ /usr/bin/uptime mrix,
|
|
||||||
+ /usr/bin/vmstat mrix,
|
|
||||||
+ /usr/bin/w mrix,
|
|
||||||
/var/lib/dhcp/dhclient.leases rw,
|
|
||||||
/var/lib/dhcp/dhclient-*.leases rw,
|
|
||||||
/var/log/lastlog r,
|
|
||||||
@@ -52,4 +57,18 @@
|
|
||||||
/var/run/dhclient-*.pid rw,
|
|
||||||
/var/spool r,
|
|
||||||
/var/spool/mail r,
|
|
||||||
+
|
|
||||||
+ # This one will need to be fleshed out depending on what the user is doing
|
|
||||||
+ /sbin/dhclient-script mrpx,
|
|
||||||
+
|
|
||||||
+ /bin/grep mrix,
|
|
||||||
+ /bin/sleep mrix,
|
|
||||||
+ /etc/sysconfig/network/dhcp r,
|
|
||||||
+ /etc/sysconfig/network/scripts/functions.common r,
|
|
||||||
+ /etc/sysconfig/network/scripts/functions r,
|
|
||||||
+ /sbin/ip mrix,
|
|
||||||
+ /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
|
|
||||||
+ /var/lib/dhcp/* rw,
|
|
||||||
+ /var/run/nm-dhclient-*.conf r,
|
|
||||||
+
|
|
||||||
}
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
|
|
||||||
@@ -0,0 +1,21 @@
|
|
||||||
+# Last Modified: Tue Jan 25 16:48:30 2011
|
|
||||||
+#include <tunables/global>
|
|
||||||
+
|
|
||||||
+# dhclient-script will call plugins from /etc/netconfig.d, so this
|
|
||||||
+# will need to be extended on a per-site basis.
|
|
||||||
+
|
|
||||||
+/sbin/dhclient-script {
|
|
||||||
+ #include <abstractions/base>
|
|
||||||
+ #include <abstractions/bash>
|
|
||||||
+ #include <abstractions/consoles>
|
|
||||||
+
|
|
||||||
+ /bin/bash rix,
|
|
||||||
+ /bin/grep rix,
|
|
||||||
+ /bin/sleep rix,
|
|
||||||
+ /bin/touch rix,
|
|
||||||
+ /dev/.sysconfig/network/** r,
|
|
||||||
+ /etc/netconfig.d/* mrix,
|
|
||||||
+ /etc/sysconfig/network/** r,
|
|
||||||
+ /sbin/dhclient-script r,
|
|
||||||
+ /sbin/ip rix,
|
|
||||||
+}
|
|
@ -1,38 +0,0 @@
|
|||||||
From: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
Subject: Fix for sshd profile
|
|
||||||
References: bnc#457072
|
|
||||||
|
|
||||||
Without this patch, sshd won't work in enforce mode.
|
|
||||||
|
|
||||||
libselinux accesses /proc/filesystems to determine if it's enabled
|
|
||||||
bash won't execute
|
|
||||||
audit_control is probably from libselinux too
|
|
||||||
---
|
|
||||||
profiles/apparmor/profiles/extras/usr.sbin.sshd | 5 ++++-
|
|
||||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
|
|
||||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
|
|
||||||
@@ -29,6 +29,8 @@
|
|
||||||
capability kill,
|
|
||||||
capability setgid,
|
|
||||||
capability setuid,
|
|
||||||
+ capability audit_control,
|
|
||||||
+ capability sys_ptrace,
|
|
||||||
|
|
||||||
/dev/ptmx rw,
|
|
||||||
/dev/urandom r,
|
|
||||||
@@ -43,11 +45,12 @@
|
|
||||||
|
|
||||||
@{PROC}/[0-9]*/fd/ r,
|
|
||||||
@{PROC}/[0-9]*/loginuid w,
|
|
||||||
+ @{PROC}/filesystems r,
|
|
||||||
|
|
||||||
# should only be here for use in non-change-hat openssh
|
|
||||||
# duplicated from EXEC hat
|
|
||||||
/bin/ash Ux,
|
|
||||||
- /bin/bash Ux,
|
|
||||||
+ /bin/bash rUx,
|
|
||||||
/bin/bash2 Ux,
|
|
||||||
/bin/bsh Ux,
|
|
||||||
/bin/csh Ux,
|
|
@ -1,37 +0,0 @@
|
|||||||
---
|
|
||||||
profiles/apparmor.d/sbin.syslog-ng | 7 ++++++-
|
|
||||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/profiles/apparmor.d/sbin.syslog-ng
|
|
||||||
+++ b/profiles/apparmor.d/sbin.syslog-ng
|
|
||||||
@@ -19,12 +19,14 @@
|
|
||||||
#include <abstractions/base>
|
|
||||||
#include <abstractions/consoles>
|
|
||||||
#include <abstractions/nameservice>
|
|
||||||
+ #include <abstractions/mysql>
|
|
||||||
|
|
||||||
capability chown,
|
|
||||||
capability dac_override,
|
|
||||||
capability fsetid,
|
|
||||||
capability fowner,
|
|
||||||
capability sys_tty_config,
|
|
||||||
+ capability sys_resource,
|
|
||||||
|
|
||||||
/dev/log w,
|
|
||||||
/dev/syslog w,
|
|
||||||
@@ -35,11 +37,14 @@
|
|
||||||
/etc/hosts.deny r,
|
|
||||||
/etc/hosts.allow r,
|
|
||||||
/sbin/syslog-ng mr,
|
|
||||||
+ /usr/share/syslog-ng/** r,
|
|
||||||
# chrooted applications
|
|
||||||
@{CHROOT_BASE}/var/lib/*/dev/log w,
|
|
||||||
- @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist rw,
|
|
||||||
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
|
|
||||||
@{CHROOT_BASE}/var/log/** w,
|
|
||||||
@{CHROOT_BASE}/var/run/syslog-ng.pid krw,
|
|
||||||
+ @{CHROOT_BASE}/var/run/syslog-ng.ctl rw,
|
|
||||||
+ /var/run/syslog-ng/additional-log-sockets.conf r,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
#include <local/sbin.syslog-ng>
|
|
@ -1,33 +0,0 @@
|
|||||||
From: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
Subject: dnsmasq: Profile fixes
|
|
||||||
References: bnc#666090 bnc#678749
|
|
||||||
|
|
||||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
---
|
|
||||||
profiles/apparmor.d/usr.sbin.dnsmasq | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
|
|
||||||
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
|
|
||||||
@@ -25,10 +25,12 @@
|
|
||||||
/etc/dnsmasq.conf r,
|
|
||||||
/etc/dnsmasq.d/ r,
|
|
||||||
/etc/dnsmasq.d/* r,
|
|
||||||
+ /etc/ethers r,
|
|
||||||
|
|
||||||
/usr/sbin/dnsmasq mr,
|
|
||||||
|
|
||||||
/var/run/*dnsmasq*.pid w,
|
|
||||||
+ /var/run/dnsmasq-forwarders r,
|
|
||||||
/var/run/dnsmasq/ r,
|
|
||||||
/var/run/dnsmasq/* rw,
|
|
||||||
|
|
||||||
@@ -37,6 +39,8 @@
|
|
||||||
# libvirt pid files for dnsmasq
|
|
||||||
/var/run/libvirt/network/ r,
|
|
||||||
/var/run/libvirt/network/*.pid rw,
|
|
||||||
+ /var/lib/libvirt/dnsmasq/ r,
|
|
||||||
+ /var/lib/libvirt/dnsmasq/*.hostsfile r,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
#include <local/usr.sbin.dnsmasq>
|
|
@ -1,91 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
parser/rc.aaeventd.suse | 2 +-
|
|
||||||
parser/rc.apparmor.functions | 9 ++++-----
|
|
||||||
parser/rc.apparmor.suse | 23 ++++++++++++++++++++++-
|
|
||||||
3 files changed, 27 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
--- a/parser/rc.aaeventd.suse
|
|
||||||
+++ b/parser/rc.aaeventd.suse
|
|
||||||
@@ -27,7 +27,7 @@
|
|
||||||
### BEGIN INIT INFO
|
|
||||||
# Provides: aaeventd
|
|
||||||
# Required-Start: apparmor
|
|
||||||
-# Required-Stop:
|
|
||||||
+# Required-Stop: $null
|
|
||||||
# Default-Start: 2 3 5
|
|
||||||
# Default-Stop:
|
|
||||||
# Short-Description: AppArmor Notification and Reporting
|
|
||||||
--- a/parser/rc.apparmor.functions
|
|
||||||
+++ b/parser/rc.apparmor.functions
|
|
||||||
@@ -108,9 +108,7 @@ is_apparmor_present() {
|
|
||||||
# check for subdomainfs version of module
|
|
||||||
grep -qE "^($modules)[[:space:]]" /proc/modules
|
|
||||||
|
|
||||||
- if [ $? -ne 0 ] ; then
|
|
||||||
- ls /sys/module/apparmor 2>/dev/null | grep -qE "^($modules)"
|
|
||||||
- fi
|
|
||||||
+ [ $? -ne 0 -a -d /sys/module/apparmor ]
|
|
||||||
|
|
||||||
return $?
|
|
||||||
}
|
|
||||||
@@ -377,10 +375,11 @@ apparmor_start() {
|
|
||||||
configure_owlsm
|
|
||||||
|
|
||||||
# if there is anything in the profiles file don't load
|
|
||||||
- cat "$SFS_MOUNTPOINT/profiles" | if ! read line ; then
|
|
||||||
+ if ! read line < "$SFS_MOUNTPOINT/profiles"; then
|
|
||||||
parse_profiles load
|
|
||||||
else
|
|
||||||
- aa_log_skipped_msg "AppArmor already loaded with profiles."
|
|
||||||
+ aa_log_skipped_msg ": already loaded with profiles."
|
|
||||||
+ return 0
|
|
||||||
fi
|
|
||||||
aa_log_end_msg 0
|
|
||||||
return 0
|
|
||||||
--- a/parser/rc.apparmor.suse
|
|
||||||
+++ b/parser/rc.apparmor.suse
|
|
||||||
@@ -31,6 +31,7 @@
|
|
||||||
# Required-Start: boot.cleanup
|
|
||||||
# Required-Stop: $null
|
|
||||||
# Should-Start: $local_fs
|
|
||||||
+# Should-Stop: $null
|
|
||||||
# Default-Start: B
|
|
||||||
# Default-Stop:
|
|
||||||
# Short-Description: AppArmor initialization
|
|
||||||
@@ -73,7 +74,19 @@ aa_log_warning_msg() {
|
|
||||||
}
|
|
||||||
|
|
||||||
aa_log_failure_msg() {
|
|
||||||
- log_failure_msg $*
|
|
||||||
+ log_failure_msg '\n'$*
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+aa_log_action_begin() {
|
|
||||||
+ echo -n
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+aa_log_action_end() {
|
|
||||||
+ echo -n
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+aa_log_daemon_msg() {
|
|
||||||
+ echo -en "$@ "
|
|
||||||
}
|
|
||||||
|
|
||||||
aa_log_skipped_msg() {
|
|
||||||
@@ -81,6 +94,14 @@ aa_log_skipped_msg() {
|
|
||||||
echo -e "$rc_skipped"
|
|
||||||
}
|
|
||||||
|
|
||||||
+aa_log_end_msg() {
|
|
||||||
+ v="-v"
|
|
||||||
+ if [ "$1" != '0' ]; then
|
|
||||||
+ rc="-v$1"
|
|
||||||
+ fi
|
|
||||||
+ rc_status $v
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
usage() {
|
|
||||||
echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
|
|
||||||
}
|
|
@ -1,22 +0,0 @@
|
|||||||
From: Federic Crozat <fcrozat@suse.com>
|
|
||||||
Subkect: apparmor: Let systemd automount securityfs
|
|
||||||
References: bnc#704460
|
|
||||||
|
|
||||||
Do not mount securityfs when running under systemd, just access
|
|
||||||
the directory, systemd will automount it
|
|
||||||
|
|
||||||
---
|
|
||||||
parser/rc.apparmor.functions | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/parser/rc.apparmor.functions
|
|
||||||
+++ b/parser/rc.apparmor.functions
|
|
||||||
@@ -295,7 +295,7 @@ is_apparmor_loaded() {
|
|
||||||
}
|
|
||||||
|
|
||||||
is_securityfs_mounted() {
|
|
||||||
- grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
|
|
||||||
+ test -d ${SECURITYFS} -a -d /sys/fs/cgroup/systemd || grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
|
|
||||||
return $?
|
|
||||||
}
|
|
||||||
|
|
@ -1,18 +0,0 @@
|
|||||||
---
|
|
||||||
parser/rc.aaeventd.suse | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
--- a/parser/rc.aaeventd.suse
|
|
||||||
+++ b/parser/rc.aaeventd.suse
|
|
||||||
@@ -78,9 +78,9 @@ usage() {
|
|
||||||
|
|
||||||
start_aa_event() {
|
|
||||||
if [ -x "$AA_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
|
|
||||||
- sd_action "Starting AppArmor Event daemon" startproc -f -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
|
|
||||||
+ sd_action "Starting AppArmor Event daemon" startproc -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
|
|
||||||
elif [ -x "$SD_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
|
|
||||||
- sd_action "Starting AppArmor Event daemon" startproc -f -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
|
|
||||||
+ sd_action "Starting AppArmor Event daemon" startproc -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
@ -1,26 +0,0 @@
|
|||||||
From: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
Subject: apparmor-utils: Add support for creds and path operations
|
|
||||||
References: bnc#564316
|
|
||||||
|
|
||||||
2.6.29 introduced the path security_operations and credentials
|
|
||||||
|
|
||||||
This patch adds support for those operations to the log parser.
|
|
||||||
|
|
||||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
---
|
|
||||||
utils/Immunix/AppArmor.pm | 4 +++-
|
|
||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/utils/Immunix/AppArmor.pm
|
|
||||||
+++ b/utils/Immunix/AppArmor.pm
|
|
||||||
@@ -2848,7 +2848,9 @@ sub add_event_to_tree ($) {
|
|
||||||
""
|
|
||||||
);
|
|
||||||
}
|
|
||||||
- } elsif ($e->{operation} =~ m/file_/) {
|
|
||||||
+ } elsif ($e->{operation} =~ m/file_/ or
|
|
||||||
+ # These are the path operations introduced in 2.6.29
|
|
||||||
+ $e->{operation} =~ m/^(open|unlink|mkdir|rmdir|mknod|truncate|symlink_create|link|rename_src|rename_dest)$/) {
|
|
||||||
add_to_tree( $e->{pid},
|
|
||||||
$e->{parent},
|
|
||||||
"path",
|
|
@ -1,36 +0,0 @@
|
|||||||
From: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
Subject: apparmor-utils: Fix handling of files in /
|
|
||||||
References: bnc#397883
|
|
||||||
|
|
||||||
The separate handling of files and directories with realpath is broken.
|
|
||||||
|
|
||||||
For files e.g. /foo, $dir ends up being empty since the / is eaten by
|
|
||||||
the regex. realpath resolves an empty argument as the current directory,
|
|
||||||
resulting in an incorrect path.
|
|
||||||
|
|
||||||
There's no explanation of why the separate handling was used in the
|
|
||||||
first place.
|
|
||||||
|
|
||||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
---
|
|
||||||
utils/Immunix/AppArmor.pm | 9 +--------
|
|
||||||
1 file changed, 1 insertion(+), 8 deletions(-)
|
|
||||||
|
|
||||||
--- a/utils/Immunix/AppArmor.pm
|
|
||||||
+++ b/utils/Immunix/AppArmor.pm
|
|
||||||
@@ -553,14 +553,7 @@ sub get_full_path ($) {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (-f $path) {
|
|
||||||
- my ($dir, $file) = $path =~ m/^(.*)\/(.+)$/;
|
|
||||||
- $path = realpath($dir) . "/$file";
|
|
||||||
- } else {
|
|
||||||
- $path = realpath($path);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- return $path;
|
|
||||||
+ return realpath($path);
|
|
||||||
}
|
|
||||||
|
|
||||||
sub findexecutable ($) {
|
|
@ -5,6 +5,13 @@ Subject: apparmor-utils: Add Immunix::SubDomain alias
|
|||||||
code.
|
code.
|
||||||
|
|
||||||
Acked-by: Jeff Mahoney <jeffm@suse.com>
|
Acked-by: Jeff Mahoney <jeffm@suse.com>
|
||||||
|
|
||||||
|
Also patch utils/Makefile to actually install SubDomain.pm
|
||||||
|
|
||||||
|
The SubDomain compat module is only needed by openSUSE, therefore this patch
|
||||||
|
will not be upstreamed.
|
||||||
|
|
||||||
|
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
|
||||||
---
|
---
|
||||||
|
|
||||||
utils/Immunix/SubDomain.pm | 5 +++++
|
utils/Immunix/SubDomain.pm | 5 +++++
|
||||||
@ -18,3 +25,14 @@ Acked-by: Jeff Mahoney <jeffm@suse.com>
|
|||||||
+use Immunix::AppArmor;
|
+use Immunix::AppArmor;
|
||||||
+*Immunix::SubDomain:: = *Immunix::AppArmor::;
|
+*Immunix::SubDomain:: = *Immunix::AppArmor::;
|
||||||
+1;
|
+1;
|
||||||
|
--- a/utils/Makefile 2011-05-27 21:08:50.000000000 +0200
|
||||||
|
+++ b/utils/Makefile 2011-09-10 17:57:55.000000000 +0200
|
||||||
|
@@ -31,7 +31,7 @@ PERLTOOLS = aa-genprof aa-logprof aa-aut
|
||||||
|
aa-unconfined aa-notify aa-disable
|
||||||
|
TOOLS = ${PERLTOOLS} aa-decode aa-status
|
||||||
|
MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
|
||||||
|
- ${MODDIR}/Config.pm ${MODDIR}/Severity.pm
|
||||||
|
+ ${MODDIR}/Config.pm ${MODDIR}/Severity.pm ${MODDIR}/SubDomain.pm
|
||||||
|
|
||||||
|
MANPAGES = ${TOOLS:=.8} logprof.conf.5
|
||||||
|
|
||||||
|
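Review bot: The diffstat in this patch's header still lists only `utils/Immunix/SubDomain.pm | 5 +++++` (it is printed as unchanged context), while the new hunk appends a second file, `utils/Makefile`, to the same patch; the stat no longer describes what the patch touches. I would update the trailer to `utils/Immunix/SubDomain.pm | 5 +++++`, `utils/Makefile | 2 +-`, `2 files changed, 6 insertions(+), 1 deletion(-)` so that whoever later re-diffs or upstreams the Perl part does not overlook the build-system change. The new description text ("only needed by openSUSE, therefore this patch will not be upstreamed") is a useful note, and the same reasoning could be carried as a `# PATCH-FEATURE-OPENSUSE` tag on the corresponding `Patch` line of the spec, which is outside this section. The appended Makefile hunk's `---`/`+++` lines carry absolute timestamps that the rest of this patch does not; they are harmless but inconsistent with the timestamp-free headers above.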
@ -1,3 +1,22 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 13 18:47:36 UTC 2011 - opensuse@cboltz.de
|
||||||
|
|
||||||
|
- update to AppArmor 2.7.0 beta1, for details see
|
||||||
|
http://wiki.apparmor.net/index.php/ReleaseNotes_2_7
|
||||||
|
- removed lots of patches I pushed upstream
|
||||||
|
- disabled apparmor-2.5.1-unified-build (patch to use automake,
|
||||||
|
does not apply to 2.7 and probably won't be accepted upstream)
|
||||||
|
- disabled build of tomcat_apparmor (doesn't build, deprecated upstream)
|
||||||
|
- run spec-cleaner
|
||||||
|
- remove *.la files
|
||||||
|
- move usr.sbin.nscd profile back to apparmor-profiles package
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 7 10:35:12 MDT 2011 - jfehlig@suse.com
|
||||||
|
|
||||||
|
- Update patch apparmor-profiles-usr.sbin.dnsmasq to include
|
||||||
|
/var/lib/libvirt/dnsmasq/*.leases (bnc#694197).
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Aug 22 11:54:21 UTC 2011 - opensuse@cboltz.de
|
Mon Aug 22 11:54:21 UTC 2011 - opensuse@cboltz.de
|
||||||
|
|
||||||
|
375
apparmor.spec
@ -15,9 +15,8 @@
|
|||||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
||||||
#
|
#
|
||||||
|
|
||||||
# norootforbuild
|
|
||||||
|
|
||||||
%bcond_without tomcat
|
%bcond_with tomcat
|
||||||
%bcond_without pam
|
%bcond_without pam
|
||||||
%bcond_without apache
|
%bcond_without apache
|
||||||
%bcond_with python
|
%bcond_with python
|
||||||
@ -44,60 +43,68 @@ Name: apparmor
|
|||||||
%if ! %{?distro:1}0
|
%if ! %{?distro:1}0
|
||||||
%define distro suse
|
%define distro suse
|
||||||
%endif
|
%endif
|
||||||
Summary: AppArmor userlevel parser utility
|
Version: 2.7.beta1
|
||||||
Version: 2.6.1
|
|
||||||
Release: 1
|
Release: 1
|
||||||
|
Summary: AppArmor userlevel parser utility
|
||||||
|
%define versiondir 2.7.0~beta1
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
Source0: apparmor-%{version}.tar.bz2
|
Source0: apparmor-%{version}.tar.gz
|
||||||
Source1: %{name}-profile-editor.png
|
Source1: %{name}-profile-editor.png
|
||||||
Source2: %{name}-profile-editor.desktop
|
Source2: %{name}-profile-editor.desktop
|
||||||
Source3: update-trans.sh
|
Source3: update-trans.sh
|
||||||
|
|
||||||
Patch1: apparmor-scripts
|
# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
|
||||||
Patch3: apparmor-utils-add-log-types
|
|
||||||
Patch4: apparmor-utils-filenames-in-slash
|
|
||||||
Patch5: apparmor-utils-string-split
|
Patch5: apparmor-utils-string-split
|
||||||
Patch6: apparmor-profiles-cupsd-fix
|
|
||||||
Patch7: apparmor-profiles-sshd-fix
|
# use autobuild everywhere. Patch applies to 2.6.1 only and probably won't be accepted upstream.
|
||||||
Patch8: apparmor-profiles-syslog-ng-fix
|
|
||||||
Patch9: apparmor-startproc.patch
|
|
||||||
Patch10: apparmor-2.5.1-unified-build
|
Patch10: apparmor-2.5.1-unified-build
|
||||||
|
# requires Patch10
|
||||||
Patch11: apparmor-2.5.1-rpmlint-asprintf
|
Patch11: apparmor-2.5.1-rpmlint-asprintf
|
||||||
|
|
||||||
|
# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
|
||||||
Patch12: apparmor-2.5.1-edirectory-profile
|
Patch12: apparmor-2.5.1-edirectory-profile
|
||||||
|
# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
|
||||||
Patch13: apparmor-2.5.1-ldapclient-profile
|
Patch13: apparmor-2.5.1-ldapclient-profile
|
||||||
Patch14: genprof-whitespace-in-profile-fix
|
|
||||||
|
# obsolete, upstream implemented this in another way
|
||||||
Patch15: apparmor-remove-repo
|
Patch15: apparmor-remove-repo
|
||||||
Patch16: apparmor-2.5.1-ntpd-sys_nice
|
|
||||||
Patch17: apparmor-2.5.1-ssl-fix
|
# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
|
||||||
Patch18: apparmor-profiles-usr.sbin.dnsmasq
|
|
||||||
Patch19: klog-needs-CAP_SYSLOG
|
|
||||||
Patch20: apparmor-profiles-dhclient
|
|
||||||
Patch21: apparmor-utils-subdomain-compat
|
Patch21: apparmor-utils-subdomain-compat
|
||||||
Patch22: apparmor-securityfs-systemd.patch
|
|
||||||
Patch23: apparmor-2.6.0-dhcpd
|
|
||||||
Patch24: apparmor-compat-routines
|
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
||||||
Url: https://launchpad.net/apparmor
|
Url: https://launchpad.net/apparmor
|
||||||
PreReq: sed
|
PreReq: sed
|
||||||
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
%if %{distro} == "suse"
|
%if %{distro} == "suse"
|
||||||
PreReq: %{insserv_prereq} aaa_base
|
PreReq: %{insserv_prereq}
|
||||||
|
PreReq: aaa_base
|
||||||
%endif
|
%endif
|
||||||
BuildRequires: gcc-c++
|
|
||||||
BuildRequires: pkg-config
|
|
||||||
BuildRequires: pcre-devel
|
|
||||||
%define apparmor_bin_prefix /lib/apparmor
|
%define apparmor_bin_prefix /lib/apparmor
|
||||||
BuildRequires: bison flex latex2html w3m
|
BuildRequires: bison
|
||||||
|
BuildRequires: flex
|
||||||
|
BuildRequires: gcc-c++
|
||||||
|
BuildRequires: latex2html
|
||||||
|
BuildRequires: pcre-devel
|
||||||
|
BuildRequires: pkg-config
|
||||||
BuildRequires: texlive-latex
|
BuildRequires: texlive-latex
|
||||||
|
BuildRequires: w3m
|
||||||
|
|
||||||
|
# TODO: put also to Requires?
|
||||||
|
BuildRequires: perl(Locale::gettext)
|
||||||
|
BuildRequires: perl(RPC::XML)
|
||||||
|
BuildRequires: perl(Term::ReadKey)
|
||||||
|
|
||||||
BuildRequires: swig
|
BuildRequires: swig
|
||||||
|
|
||||||
%if %{with python}
|
%if %{with python}
|
||||||
BuildRequires: python-devel swig
|
BuildRequires: python-devel
|
||||||
|
BuildRequires: swig
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with ruby}
|
%if %{with ruby}
|
||||||
BuildRequires: ruby-devel swig
|
BuildRequires: ruby-devel
|
||||||
|
BuildRequires: swig
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with apache}
|
%if %{with apache}
|
||||||
@ -105,11 +112,15 @@ BuildRequires: apache2-devel
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with tomcat}
|
%if %{with tomcat}
|
||||||
BuildRequires: ant java-devel >= 1.6.0 tomcat6
|
BuildRequires: ant
|
||||||
|
BuildRequires: java-devel >= 1.6.0
|
||||||
|
BuildRequires: tomcat6
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with editor}
|
%if %{with editor}
|
||||||
BuildRequires: gcc-c++ update-desktop-files wxGTK-devel
|
BuildRequires: gcc-c++
|
||||||
|
BuildRequires: update-desktop-files
|
||||||
|
BuildRequires: wxGTK-devel
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with gnome}
|
%if %{with gnome}
|
||||||
@ -121,7 +132,10 @@ BuildRequires: pkgconfig(libpanelapplet-2.0)
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with dbus}
|
%if %{with dbus}
|
||||||
BuildRequires: audit-devel dbus-1-devel libapparmor-devel pkg-config
|
BuildRequires: audit-devel
|
||||||
|
BuildRequires: libapparmor-devel
|
||||||
|
BuildRequires: pkg-config
|
||||||
|
BuildRequires: pkgconfig(dbus-1)
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%package parser
|
%package parser
|
||||||
@ -161,13 +175,6 @@ This package contains documentation for AppArmor.
|
|||||||
This package is part of a suite of tools that used to be named
|
This package is part of a suite of tools that used to be named
|
||||||
SubDomain.
|
SubDomain.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
lcambell@novell.com
|
|
||||||
Seth Arnold <seth.arnold@novell.com>
|
|
||||||
|
|
||||||
%if %{with apache}
|
%if %{with apache}
|
||||||
|
|
||||||
%package -n apache2-mod_apparmor
|
%package -n apache2-mod_apparmor
|
||||||
@ -185,15 +192,12 @@ SubDomain.
|
|||||||
|
|
||||||
The documentation is in the apparmor-admin_en package.
|
The documentation is in the apparmor-admin_en package.
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
sbeattie@suse.de
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%package -n libapparmor1
|
%package -n libapparmor1
|
||||||
|
License: LGPLv2.1+
|
||||||
Summary: Utility library for AppArmor
|
Summary: Utility library for AppArmor
|
||||||
Group: Development/Libraries/C and C++
|
Group: Development/Libraries/C and C++
|
||||||
License: LGPLv2.1+
|
|
||||||
%ifarch ppc64
|
%ifarch ppc64
|
||||||
Obsoletes: libapparmor-64bit < %{version}
|
Obsoletes: libapparmor-64bit < %{version}
|
||||||
Provides: libapparmor-64bit = ${version}
|
Provides: libapparmor-64bit = ${version}
|
||||||
@ -208,34 +212,26 @@ This package provides the libapparmor library, which contains the
|
|||||||
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
|
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
|
||||||
well as functions to parse AppArmor log messages.
|
well as functions to parse AppArmor log messages.
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
Steve Beattie <sbeattie@suse.de>
|
|
||||||
Matt Barringer <mbarringer@suse.de>
|
|
||||||
|
|
||||||
%package -n libapparmor-devel
|
%package -n libapparmor-devel
|
||||||
License: LGPLv2.1+
|
License: LGPLv2.1+
|
||||||
Requires: libapparmor1 = %{version}-%{release}
|
|
||||||
Group: Development/Libraries/C and C++
|
|
||||||
Provides: libapparmor:/usr/include/sys/apparmor.h
|
|
||||||
Summary: Development headers and libraries for libapparmor
|
Summary: Development headers and libraries for libapparmor
|
||||||
|
Group: Development/Libraries/C and C++
|
||||||
|
Requires: libapparmor1 = %{version}
|
||||||
|
Provides: libapparmor:/usr/include/sys/apparmor.h
|
||||||
|
|
||||||
%description -n libapparmor-devel
|
%description -n libapparmor-devel
|
||||||
These libraries are needed for developing software that makes use of the
|
These libraries are needed for developing software that makes use of the
|
||||||
AppArmor API.
|
AppArmor API.
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
Steve Beattie <sbeattie@suse.de>
|
|
||||||
Matt Barringer <mbarringer@suse.de>
|
|
||||||
|
|
||||||
%package -n perl-apparmor
|
%package -n perl-apparmor
|
||||||
License: GPLv2 ; LGPLv2.1+
|
License: GPLv2 ; LGPLv2.1+
|
||||||
|
Summary: Perl interface for libapparmor functions
|
||||||
|
Group: Development/Libraries/Perl
|
||||||
Requires: libapparmor1 = %{version}
|
Requires: libapparmor1 = %{version}
|
||||||
Requires: perl = %{perl_version}
|
Requires: perl = %{perl_version}
|
||||||
Requires: perl(Term::ReadKey) perl(DBD::SQLite) perl(RPC::XML)
|
Requires: perl(DBD::SQLite)
|
||||||
Group: Development/Libraries/Perl
|
Requires: perl(RPC::XML)
|
||||||
Summary: Perl interface for libapparmor functions
|
Requires: perl(Term::ReadKey)
|
||||||
Provides: perl-libapparmor
|
Provides: perl-libapparmor
|
||||||
Obsoletes: perl-libapparmor < 2.5
|
Obsoletes: perl-libapparmor < 2.5
|
||||||
|
|
||||||
@ -243,20 +239,15 @@ Obsoletes: perl-libapparmor < 2.5
|
|||||||
This package provides the perl interface to AppArmor. It is used for perl
|
This package provides the perl interface to AppArmor. It is used for perl
|
||||||
applications interfacing with AppArmor, including the AppArmor utilities.
|
applications interfacing with AppArmor, including the AppArmor utilities.
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
Steve Beattie <sbeattie@suse.de>
|
|
||||||
Matt Barringer <mbarringer@suse.de>
|
|
||||||
|
|
||||||
%if %{with python}
|
%if %{with python}
|
||||||
|
|
||||||
%package -n python-apparmor
|
%package -n python-apparmor
|
||||||
License: GPLv2 ; LGPLv2.1+
|
License: GPLv2 ; LGPLv2.1+
|
||||||
Requires: libapparmor1 = %{version}
|
|
||||||
BuildRequires: python
|
|
||||||
Requires: python = %{python_version}
|
|
||||||
Group: Development/Libraries/Python
|
|
||||||
Summary: Python interface for libapparmor functions
|
Summary: Python interface for libapparmor functions
|
||||||
|
Group: Development/Libraries/Python
|
||||||
|
BuildRequires: python
|
||||||
|
Requires: libapparmor1 = %{version}
|
||||||
|
Requires: python = %{python_version}
|
||||||
Provides: python-libapparmor
|
Provides: python-libapparmor
|
||||||
Obsoletes: python-libapparmor < 2.5
|
Obsoletes: python-libapparmor < 2.5
|
||||||
|
|
||||||
@ -264,20 +255,16 @@ Obsoletes: python-libapparmor < 2.5
|
|||||||
This package provides the python interface to AppArmor. It is used for python
|
This package provides the python interface to AppArmor. It is used for python
|
||||||
applications interfacing with AppArmor.
|
applications interfacing with AppArmor.
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
Steve Beattie <sbeattie@suse.de>
|
|
||||||
Matt Barringer <mbarringer@suse.de>
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with ruby}
|
%if %{with ruby}
|
||||||
|
|
||||||
%package -n ruby-apparmor
|
%package -n ruby-apparmor
|
||||||
License: GPLv2 ; LGPLv2.1+
|
License: GPLv2 ; LGPLv2.1+
|
||||||
|
Summary: Ruby interface for libapparmor functions
|
||||||
|
Group: Development/Libraries/Ruby
|
||||||
Requires: libapparmor1 = %{version}
|
Requires: libapparmor1 = %{version}
|
||||||
Requires: ruby = %{ruby_version}
|
Requires: ruby = %{ruby_version}
|
||||||
Group: Development/Libraries/Ruby
|
|
||||||
Summary: Ruby interface for libapparmor functions
|
|
||||||
Provides: ruby-libapparmor
|
Provides: ruby-libapparmor
|
||||||
Obsoletes: ruby-libapparmor < 2.5
|
Obsoletes: ruby-libapparmor < 2.5
|
||||||
|
|
||||||
@ -285,19 +272,15 @@ Obsoletes: ruby-libapparmor < 2.5
|
|||||||
This package provides the ruby interface to AppArmor. It is used for ruby
|
This package provides the ruby interface to AppArmor. It is used for ruby
|
||||||
applications interfacing with AppArmor.
|
applications interfacing with AppArmor.
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
Steve Beattie <sbeattie@suse.de>
|
|
||||||
Matt Barringer <mbarringer@suse.de>
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%package profiles
|
%package profiles
|
||||||
License: GPLv2 ; LGPLv2.1+
|
License: GPLv2 ; LGPLv2.1+
|
||||||
Summary: AppArmor profiles that are loaded into the apparmor kernel module
|
Summary: AppArmor profiles that are loaded into the apparmor kernel module
|
||||||
Group: Productivity/Security
|
Group: Productivity/Security
|
||||||
|
Requires: apparmor-parser(CAP_SYSLOG)
|
||||||
Obsoletes: subdomain-profiles < %{version}
|
Obsoletes: subdomain-profiles < %{version}
|
||||||
Provides: subdomain-profiles = %{version}
|
Provides: subdomain-profiles = %{version}
|
||||||
Requires: apparmor-parser(CAP_SYSLOG)
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
%description profiles
|
%description profiles
|
||||||
@ -309,18 +292,12 @@ vulnerabilities.
|
|||||||
This package is part of a suite of tools that used to be named
|
This package is part of a suite of tools that used to be named
|
||||||
SubDomain.
|
SubDomain.
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
seth.arnold@suse.de
|
|
||||||
sbeattie@suse.de
|
|
||||||
jjohansen@suse.de
|
|
||||||
|
|
||||||
%package utils
|
%package utils
|
||||||
License: GPLv2 ; LGPLv2.1+
|
License: GPLv2 ; LGPLv2.1+
|
||||||
Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
|
Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
|
||||||
Group: Productivity/Security
|
Group: Productivity/Security
|
||||||
Requires: perl = %{perl_version}
|
|
||||||
Requires: libapparmor1 = %{version}
|
Requires: libapparmor1 = %{version}
|
||||||
|
Requires: perl = %{perl_version}
|
||||||
Requires: perl-apparmor = %{version}
|
Requires: perl-apparmor = %{version}
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
@ -331,18 +308,14 @@ Besides it provides the aa-unconfined server information tool and the
|
|||||||
aa-eventd event reporting system. It is part of a suite of tools that
|
aa-eventd event reporting system. It is part of a suite of tools that
|
||||||
used to be named SubDomain.
|
used to be named SubDomain.
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
jmichael@suse.de
|
|
||||||
seth.arnold@suse.de
|
|
||||||
|
|
||||||
%if %{with tomcat}
|
%if %{with tomcat}
|
||||||
|
|
||||||
%package -n tomcat_apparmor
|
%package -n tomcat_apparmor
|
||||||
License: GPLv2 ; LGPLv2.1+
|
License: GPLv2 ; LGPLv2.1+
|
||||||
Summary: Tomcat 6 plugin for AppArmor change_hat
|
Summary: Tomcat 6 plugin for AppArmor change_hat
|
||||||
Group: System/Libraries
|
Group: System/Libraries
|
||||||
Requires: libapparmor1 = %{version} tomcat6
|
Requires: libapparmor1 = %{version}
|
||||||
|
Requires: tomcat6
|
||||||
|
|
||||||
%description -n tomcat_apparmor
|
%description -n tomcat_apparmor
|
||||||
tomcat_apparmor - is a plugin for Apache Tomcat version 6 that
|
tomcat_apparmor - is a plugin for Apache Tomcat version 6 that
|
||||||
@ -351,9 +324,6 @@ containers that are bound to discrete elements of processing within the
|
|||||||
Tomcat servlet container. The AppArmor containers, or "hats", can be
|
Tomcat servlet container. The AppArmor containers, or "hats", can be
|
||||||
created for individual URL processing or per servlet.
|
created for individual URL processing or per servlet.
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
dreynolds@suse.de
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with pam}
|
%if %{with pam}
|
||||||
@ -363,8 +333,10 @@ License: GPLv2 ; LGPLv2.1+
|
|||||||
Summary: PAM module for AppArmor change_hat
|
Summary: PAM module for AppArmor change_hat
|
||||||
Group: Productivity/Security
|
Group: Productivity/Security
|
||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
Requires: pam pam-config
|
PreReq: pam
|
||||||
PreReq: pam pam-config
|
PreReq: pam-config
|
||||||
|
Requires: pam
|
||||||
|
Requires: pam-config
|
||||||
|
|
||||||
%description -n pam_apparmor
|
%description -n pam_apparmor
|
||||||
The pam_apparmor module provides the means for any PAM applications
|
The pam_apparmor module provides the means for any PAM applications
|
||||||
@ -372,11 +344,6 @@ that call pam_open_session() to automatically perform an AppArmor
|
|||||||
change_hat operation in order to switch to a user-specific security
|
change_hat operation in order to switch to a user-specific security
|
||||||
policy.
|
policy.
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
jmichael@suse.de
|
|
||||||
sbeattie@suse.de
|
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with dbus}
|
%if %{with dbus}
|
||||||
@ -390,10 +357,6 @@ Group: System/Monitoring
|
|||||||
An audit dispatcher for sending AppArmor events over the DBUS system
|
An audit dispatcher for sending AppArmor events over the DBUS system
|
||||||
bus.
|
bus.
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
Matt Barringer <mbarringer@suse.de>
|
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with editor}
|
%if %{with editor}
|
||||||
@ -406,10 +369,6 @@ Group: Productivity/Editors/Other
|
|||||||
%description profile-editor
|
%description profile-editor
|
||||||
A syntax highlighting editor for AppArmor profiles.
|
A syntax highlighting editor for AppArmor profiles.
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
Matt Barringer <mbarringer@suse.de>
|
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with gnome}
|
%if %{with gnome}
|
||||||
@ -423,11 +382,6 @@ Group: System/GUI/GNOME
|
|||||||
This taskbar applet receives AppArmor events over DBUS, and notifies
|
This taskbar applet receives AppArmor events over DBUS, and notifies
|
||||||
the user when AppArmor prevents an application from functioning.
|
the user when AppArmor prevents an application from functioning.
|
||||||
|
|
||||||
|
|
||||||
Authors:
|
|
||||||
--------
|
|
||||||
Matt Barringer <mbarringer@suse.de>
|
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -444,37 +398,25 @@ SubDomain.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{name}-%{version}
|
%setup -q -n %{name}-%{versiondir}
|
||||||
%patch1 -p1
|
|
||||||
%patch3 -p1
|
|
||||||
%patch4 -p1
|
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch6 -p1
|
#%patch10 -p1 # disabled, see above
|
||||||
%patch7 -p1
|
#%patch11 -p1 # disabled, see above
|
||||||
%patch8 -p1
|
|
||||||
%patch9 -p1
|
|
||||||
%patch10 -p1
|
|
||||||
%patch11 -p1
|
|
||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch13 -p1
|
%patch13 -p1
|
||||||
%patch14 -p1
|
#%patch15 -p1 # obsolete, see above
|
||||||
%patch15 -p1
|
|
||||||
%patch16 -p1
|
|
||||||
%patch17 -p1
|
|
||||||
%patch18 -p1
|
|
||||||
%patch19 -p1
|
|
||||||
%patch20 -p1
|
|
||||||
%patch21 -p1
|
%patch21 -p1
|
||||||
%patch22 -p1
|
|
||||||
%patch23 -p1
|
|
||||||
%patch24 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export SUSE_ASNEEDED=0
|
export SUSE_ASNEEDED=0
|
||||||
autoreconf -fiv
|
# re-define _libdir to /lib or /lib64
|
||||||
%define _libdir /%{_lib}
|
%define _libdir /%{_lib}
|
||||||
%configure --disable-static --with-pic \
|
|
||||||
--with-perl \
|
# libapparmor:
|
||||||
|
(
|
||||||
|
cd ./libraries/libapparmor
|
||||||
|
sh ./autogen.sh
|
||||||
|
%configure --with-perl \
|
||||||
%if %{with python}
|
%if %{with python}
|
||||||
--with-python \
|
--with-python \
|
||||||
%else
|
%else
|
||||||
@ -485,38 +427,49 @@ autoreconf -fiv
|
|||||||
%else
|
%else
|
||||||
--without-ruby \
|
--without-ruby \
|
||||||
%endif
|
%endif
|
||||||
%if %{with tomcat}
|
|
||||||
--with-tomcat \
|
make
|
||||||
%else
|
#make check
|
||||||
--without-tomcat \
|
)
|
||||||
%endif
|
|
||||||
%if %{with pam}
|
# Utilities:
|
||||||
--with-pam \
|
make -C utils
|
||||||
%else
|
# make -C utils check
|
||||||
--without-pam \
|
|
||||||
%endif
|
# parser:
|
||||||
|
make -C parser
|
||||||
|
# techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough
|
||||||
|
make -C parser techdoc.txt
|
||||||
|
# make -C parser check
|
||||||
|
|
||||||
|
# Apache mod_apparmor:
|
||||||
%if %{with apache}
|
%if %{with apache}
|
||||||
--with-apache \
|
make -C changehat/mod_apparmor
|
||||||
%else
|
|
||||||
--without-apache \
|
|
||||||
%endif
|
|
||||||
%if %{with gnome}
|
|
||||||
--with-gnome \
|
|
||||||
%else
|
|
||||||
--without-gnome \
|
|
||||||
%endif
|
|
||||||
%if %{with dbus}
|
|
||||||
--with-dbus \
|
|
||||||
%else
|
|
||||||
--without-dbus \
|
|
||||||
%endif
|
|
||||||
%if %{with editor}
|
|
||||||
--with-profileeditor \
|
|
||||||
%else
|
|
||||||
--without-profileeditor \
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%{__make} %{?jobs:-j%jobs}
|
# PAM AppArmor:
|
||||||
|
%if %{with pam}
|
||||||
|
make -C changehat/pam_apparmor
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# Profiles:
|
||||||
|
make -C profiles
|
||||||
|
# make -C profiles check
|
||||||
|
|
||||||
|
##configure --disable-static --with-pic \
|
||||||
|
#--with-perl \
|
||||||
|
%if %{with tomcat}
|
||||||
|
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
|
||||||
|
%endif
|
||||||
|
%if %{with gnome}
|
||||||
|
#--with-gnome \
|
||||||
|
%endif
|
||||||
|
%if %{with dbus}
|
||||||
|
#--with-dbus \
|
||||||
|
%endif
|
||||||
|
%if %{with editor}
|
||||||
|
#--with-profileeditor \
|
||||||
|
%endif
|
||||||
|
|
||||||
%if %{with ruby}
|
%if %{with ruby}
|
||||||
#rm libraries/libapparmor/swig/ruby/Makefile.ruby
|
#rm libraries/libapparmor/swig/ruby/Makefile.ruby
|
||||||
@ -524,23 +477,37 @@ autoreconf -fiv
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%{make_install}
|
# libapparmor
|
||||||
|
%makeinstall -C libraries/libapparmor
|
||||||
find $RPM_BUILD_ROOT -name .packlist -exec rm -f {} \;
|
|
||||||
find $RPM_BUILD_ROOT -name perllocal.pod -exec rm -f {} \;
|
|
||||||
|
|
||||||
# create symlink for old change_hat(2) manpage
|
# create symlink for old change_hat(2) manpage
|
||||||
ln -s aa_change_hat.2 ${RPM_BUILD_ROOT}/%{_mandir}/man2/change_hat.2
|
( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )
|
||||||
|
|
||||||
mkdir ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d
|
# utilities
|
||||||
install parser/rc.apparmor.suse ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/boot.apparmor
|
%makeinstall -C utils VENDOR_PERL=%{perl_vendorlib}
|
||||||
install parser/rc.aaeventd.suse ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/aaeventd
|
mkdir -p %{buildroot}/var/log/apparmor
|
||||||
ln -s %{_sysconfdir}/init.d/aaeventd ${RPM_BUILD_ROOT}/sbin/rcaaeventd
|
|
||||||
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcapparmor
|
%makeinstall -C parser
|
||||||
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcsubdomain
|
|
||||||
|
%if %{with apache}
|
||||||
|
%makeinstall -C changehat/mod_apparmor
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with pam}
|
||||||
|
%makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_libdir}/security
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%makeinstall -C profiles
|
||||||
|
|
||||||
|
%if %{with tomcat}
|
||||||
|
mkdir -p %{buildroot}/%{CATALINA_HOME}
|
||||||
|
%makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME}
|
||||||
|
%endif
|
||||||
|
|
||||||
|
find %{buildroot} -name .packlist -exec rm -f {} \;
|
||||||
|
find %{buildroot} -name perllocal.pod -exec rm -f {} \;
|
||||||
|
|
||||||
# Re-create the links to the old names
|
# Re-create the links to the old names
|
||||||
for file in ${RPM_BUILD_ROOT}/usr/{sbin,share/man/man[0-9]}/aa-*; do
|
for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do
|
||||||
d=$(dirname $file)
|
d=$(dirname $file)
|
||||||
f=$(basename $file)
|
f=$(basename $file)
|
||||||
if [ "${f#aa-}" != "$f" ]; then
|
if [ "${f#aa-}" != "$f" ]; then
|
||||||
@ -548,9 +515,9 @@ for file in ${RPM_BUILD_ROOT}/usr/{sbin,share/man/man[0-9]}/aa-*; do
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
mv -f ${RPM_BUILD_ROOT}/usr/share/man/man8/{status.8,apparmor_status.8}
|
mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8}
|
||||||
mv -f ${RPM_BUILD_ROOT}/usr/share/man/man8/{notify.8,apparmor_notify.8}
|
mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8}
|
||||||
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man8/decode.8
|
rm -f %{buildroot}%{_mandir}/man8/decode.8
|
||||||
|
|
||||||
%if %{with editor}
|
%if %{with editor}
|
||||||
%suse_update_desktop_file -i %{name}-profile-editor Utility TextEditor
|
%suse_update_desktop_file -i %{name}-profile-editor Utility TextEditor
|
||||||
@ -564,11 +531,17 @@ for pkg in apparmor-utils apparmor-parser; do
|
|||||||
%find_lang $pkg
|
%find_lang $pkg
|
||||||
done
|
done
|
||||||
|
|
||||||
# Clean up profiles that are provided by other packages now
|
# remove *.la files
|
||||||
rm $RPM_BUILD_ROOT%{_sysconfdir}/apparmor.d/usr.sbin.nscd
|
rm -fv %{buildroot}%{_libdir}/libapparmor.la %{buildroot}%{_libdir}/libimmunix.la
|
||||||
|
|
||||||
%clean
|
echo -------------------------------------------------------------------
|
||||||
rm -rf $RPM_BUILD_ROOT
|
find -ls
|
||||||
|
echo -------------------------------------------------------------------
|
||||||
|
head -n1000 *.lang
|
||||||
|
echo -------------------------------------------------------------------
|
||||||
|
echo -------------------------------------------------------------------
|
||||||
|
find %{buildroot} -ls
|
||||||
|
echo -------------------------------------------------------------------
|
||||||
|
|
||||||
%files docs
|
%files docs
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
@ -612,10 +585,11 @@ fi
|
|||||||
|
|
||||||
%files -n libapparmor1
|
%files -n libapparmor1
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%{_libdir}/libapparmor.la
|
|
||||||
%{_libdir}/libimmunix.la
|
|
||||||
%{_libdir}/libapparmor.so*
|
%{_libdir}/libapparmor.so*
|
||||||
%{_libdir}/libimmunix.so*
|
%{_libdir}/libimmunix.so*
|
||||||
|
# not sure about the correct package for *.a files...
|
||||||
|
%{_libdir}/libapparmor.a
|
||||||
|
%{_libdir}/libimmunix.a
|
||||||
|
|
||||||
%files -n libapparmor-devel
|
%files -n libapparmor-devel
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
@ -623,22 +597,22 @@ fi
|
|||||||
%{_libdir}/libimmunix.so
|
%{_libdir}/libimmunix.so
|
||||||
%doc %{_mandir}/man2/aa_change_hat.2.gz
|
%doc %{_mandir}/man2/aa_change_hat.2.gz
|
||||||
%doc %{_mandir}/man2/change_hat.2.gz
|
%doc %{_mandir}/man2/change_hat.2.gz
|
||||||
|
%doc %{_mandir}/man2/aa_find_mountpoint.2.gz
|
||||||
|
%doc %{_mandir}/man2/aa_getcon.2.gz
|
||||||
%dir %{_includedir}/aalogparse
|
%dir %{_includedir}/aalogparse
|
||||||
%{_includedir}/sys/apparmor.h
|
%{_includedir}/sys/apparmor.h
|
||||||
%{_includedir}/aalogparse/*
|
%{_includedir}/aalogparse/*
|
||||||
|
|
||||||
# hrm, still need to enumerate each directory in these paths in files :(
|
# hrm, still need to enumerate each directory in these paths in files :(
|
||||||
%define extras_dir %{_sysconfdir}/apparmor/profiles/extras/
|
# %define extras_dir %{_sysconfdir}/apparmor/profiles/extras/
|
||||||
%define profiles_dir %{_sysconfdir}/apparmor.d/
|
# %define profiles_dir %{_sysconfdir}/apparmor.d/
|
||||||
|
|
||||||
%files profiles
|
%files profiles
|
||||||
%defattr(-,root,root)
|
%defattr(644,root,root,755)
|
||||||
%attr(644, root, root) %config(noreplace) %{profiles_dir}/*
|
%config(noreplace) %{_sysconfdir}/apparmor.d/
|
||||||
%attr(644, root, root) %{extras_dir}/*
|
|
||||||
%dir %{_sysconfdir}/apparmor.d/
|
|
||||||
%dir %{_sysconfdir}/apparmor/
|
%dir %{_sysconfdir}/apparmor/
|
||||||
%dir %{_sysconfdir}/apparmor/profiles
|
%dir %{_sysconfdir}/apparmor/profiles
|
||||||
%dir %{_sysconfdir}/apparmor/profiles/extras
|
%config %{_sysconfdir}/apparmor/profiles/extras/
|
||||||
|
|
||||||
%files utils
|
%files utils
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
@ -657,6 +631,7 @@ fi
|
|||||||
%doc %{_mandir}/man8/audit.8.gz
|
%doc %{_mandir}/man8/audit.8.gz
|
||||||
%doc %{_mandir}/man8/autodep.8.gz
|
%doc %{_mandir}/man8/autodep.8.gz
|
||||||
%doc %{_mandir}/man8/complain.8.gz
|
%doc %{_mandir}/man8/complain.8.gz
|
||||||
|
%doc %{_mandir}/man8/disable.8.gz
|
||||||
%doc %{_mandir}/man8/enforce.8.gz
|
%doc %{_mandir}/man8/enforce.8.gz
|
||||||
%doc %{_mandir}/man8/genprof.8.gz
|
%doc %{_mandir}/man8/genprof.8.gz
|
||||||
%doc %{_mandir}/man8/logprof.8.gz
|
%doc %{_mandir}/man8/logprof.8.gz
|
||||||
@ -669,8 +644,7 @@ fi
|
|||||||
%files -n perl-apparmor
|
%files -n perl-apparmor
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%{perl_vendorlib}/Immunix
|
%{perl_vendorlib}/Immunix
|
||||||
%dir %{perl_vendorarch}/auto/LibAppArmor
|
%{perl_vendorarch}/auto/LibAppArmor/
|
||||||
%{perl_vendorarch}/auto/LibAppArmor/*
|
|
||||||
%{perl_vendorarch}/LibAppArmor.pm
|
%{perl_vendorarch}/LibAppArmor.pm
|
||||||
|
|
||||||
%if %{with python}
|
%if %{with python}
|
||||||
@ -693,7 +667,6 @@ fi
|
|||||||
%files -n pam_apparmor
|
%files -n pam_apparmor
|
||||||
%defattr(444,root,root,755)
|
%defattr(444,root,root,755)
|
||||||
%attr(555,root,root) %{_libdir}/security/pam_apparmor.so
|
%attr(555,root,root) %{_libdir}/security/pam_apparmor.so
|
||||||
%attr(555,root,root) %{_libdir}/security/pam_apparmor.la
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with tomcat}
|
%if %{with tomcat}
|
||||||
@ -729,9 +702,9 @@ fi
|
|||||||
%{_bindir}/profileeditor
|
%{_bindir}/profileeditor
|
||||||
%{_docdir}/profileeditor/AppArmorProfileEditor.htb
|
%{_docdir}/profileeditor/AppArmorProfileEditor.htb
|
||||||
%if 0
|
%if 0
|
||||||
%{_prefix}/share/doc/profileeditor/AppArmorProfileEditor.htb
|
%{_datadir}/doc/profileeditor/AppArmorProfileEditor.htb
|
||||||
%endif
|
%endif
|
||||||
%dir %{_prefix}/share/doc/profileeditor
|
%dir %{_datadir}/doc/profileeditor
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with gnome}
|
%if %{with gnome}
|
||||||
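Review bot: The new libapparmor build step, `%configure --with-perl \` inside the `( cd ./libraries/libapparmor … )` subshell, drops the `--disable-static --with-pic` that the removed top-level `%configure` line carried (it survives only as the commented-out `##configure --disable-static --with-pic \`), so static archives are now produced and `%files -n libapparmor1` ships `%{_libdir}/libapparmor.a` and `%{_libdir}/libimmunix.a` in the runtime library package, with the added comment itself saying the placement is uncertain. libapparmor has its own autotools build, so it should accept the same libtool switches: restoring `%configure --disable-static --with-pic --with-perl \` and deleting the two `.a` entries and their comment keeps the runtime package to shared objects; if the archives are really wanted they belong under `%files -n libapparmor-devel`. Every test hook on the new side (`#make check`, `# make -C utils check`, `# make -C parser check`, `# make -C profiles check`) is commented out without a stated reason — for a policy parser a one-line comment explaining why the suite is skipped, or re-enabling at least `make -C parser check`, would be worth having. The `echo ----… / find -ls / head -n1000 *.lang / find %{buildroot} -ls` block at the end of `%install` reads as leftover debugging output and should be removed before this lands.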
|
@ -1,39 +0,0 @@
|
|||||||
From: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
Subject: apparmor-utils: setprofileflags() drops leading whitespace
|
|
||||||
References: bnc#480795
|
|
||||||
|
|
||||||
setprofileflags() drops leading whitespace for subprofiles. writeheader()
|
|
||||||
properly indents subprofiles 2 spaces per nesting level but when
|
|
||||||
genprof sets the profile to enforce mode at completion, the whitespace
|
|
||||||
is removed.
|
|
||||||
|
|
||||||
This patch adds the whitespace globbing to the regexp and uses it to
|
|
||||||
prefix the sub-profile with the correct spacing.
|
|
||||||
|
|
||||||
Reported at: https://bugzilla.novell.com/show_bug.cgi?id=480795
|
|
||||||
|
|
||||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|
||||||
---
|
|
||||||
utils/Immunix/AppArmor.pm | 8 ++++----
|
|
||||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
--- a/utils/Immunix/AppArmor.pm
|
|
||||||
+++ b/utils/Immunix/AppArmor.pm
|
|
||||||
@@ -1033,13 +1033,13 @@ sub setprofileflags ($$) {
|
|
||||||
if (open(PROFILE, "$filename")) {
|
|
||||||
if (open(NEWPROFILE, ">$filename.new")) {
|
|
||||||
while (<PROFILE>) {
|
|
||||||
- if (m/^\s*(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
|
|
||||||
- my ($binary, $flags) = ($1, $5);
|
|
||||||
+ if (m/^(\s*)(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
|
|
||||||
+ my ($space, $binary, $flags) = ($1, $2, $6);
|
|
||||||
|
|
||||||
if ($newflags) {
|
|
||||||
- $_ = "$binary flags=($newflags) {\n";
|
|
||||||
+ $_ = "$space$binary flags=($newflags) {\n";
|
|
||||||
} else {
|
|
||||||
- $_ = "$binary {\n";
|
|
||||||
+ $_ = "$space$binary {\n";
|
|
||||||
}
|
|
||||||
} elsif (m/^(\s*\^\S+)\s+(flags=\(.+\)\s+)*\{\s*$/) {
|
|
||||||
my ($hat, $flags) = ($1, $2);
|
|
@ -1,35 +0,0 @@
|
|||||||
---
|
|
||||||
parser/parser_misc.c | 4 ++++
|
|
||||||
profiles/apparmor.d/sbin.klogd | 1 +
|
|
||||||
2 files changed, 5 insertions(+)
|
|
||||||
|
|
||||||
--- a/parser/parser_misc.c
|
|
||||||
+++ b/parser/parser_misc.c
|
|
||||||
@@ -129,6 +129,9 @@ static int get_table_token(const char *n
|
|
||||||
static struct keyword_table capability_table[] = {
|
|
||||||
/* capabilities */
|
|
||||||
#include "cap_names.h"
|
|
||||||
+#ifndef CAP_SYSLOG
|
|
||||||
+ {"syslog", 34},
|
|
||||||
+#endif
|
|
||||||
/* terminate */
|
|
||||||
{NULL, 0}
|
|
||||||
};
|
|
||||||
@@ -866,6 +869,7 @@ static const char *capnames[] = {
|
|
||||||
"audit_control",
|
|
||||||
"setfcap",
|
|
||||||
"mac_override"
|
|
||||||
+ "syslog",
|
|
||||||
};
|
|
||||||
|
|
||||||
const char *capability_to_name(unsigned int cap)
|
|
||||||
--- a/profiles/apparmor.d/sbin.klogd
|
|
||||||
+++ b/profiles/apparmor.d/sbin.klogd
|
|
||||||
@@ -15,6 +15,7 @@
|
|
||||||
#include <abstractions/base>
|
|
||||||
|
|
||||||
capability sys_admin,
|
|
||||||
+ capability syslog,
|
|
||||||
|
|
||||||
network inet stream,
|
|
||||||
|
|