Accepting request 82045 from security:apparmor:factory
- update to AppArmor 2.7.0 beta1, for details see http://wiki.apparmor.net/index.php/ReleaseNotes_2_7 - removed lots of patches I pushed upstream - disabled apparmor-2.5.1-unified-build (patch to use automake, does not apply to 2.7 and probably won't be accepted upstream) - disabled build of tomcat_apparmor (doesn't build, deprecated upstream) - run spec-cleaner - remove *.la files - move usr.sbin.nscd profile back to apparmor-profiles package - Update patch apparmor-profiles-usr.sbin.dnsmasq to include /var/lib/libvirt/dnsmasq/*.leases (bnc#694197). OBS-URL: https://build.opensuse.org/request/show/82045 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=22
parent
2c3418e38e
commit
76467be0e2
@ -1,24 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: profile: ntpd -N needs sys_nice
|
||||
References: bnc#657054
|
||||
|
||||
ntpd -N allows the administrator to increase or decrease priority of the
|
||||
ntp server. Since the profile doesn't allow it, the operation is denied.
|
||||
|
||||
This patch adds support for that operation.
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
profiles/apparmor.d/usr.sbin.ntpd | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
--- a/profiles/apparmor.d/usr.sbin.ntpd
|
||||
+++ b/profiles/apparmor.d/usr.sbin.ntpd
|
||||
@@ -24,6 +24,7 @@
|
||||
capability sys_chroot,
|
||||
capability sys_resource,
|
||||
capability sys_time,
|
||||
+ capability sys_nice,
|
||||
|
||||
network inet dgram,
|
||||
network inet stream,
|
@ -1,135 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: profiles: Add openssl abstraction
|
||||
References: bnc#623886
|
||||
|
||||
Profiles that use openssl have been adding the openssl files piecemeal.
|
||||
|
||||
This patch creates a new openssl abstraction that can be inherited by
|
||||
all profiles that use it.
|
||||
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
profiles/apparmor.d/abstractions/openssl | 4 ++++
|
||||
profiles/apparmor.d/abstractions/ssl_certs | 4 ++++
|
||||
profiles/apparmor/profiles/extras/usr.lib.postfix.smtp | 2 +-
|
||||
profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd | 2 +-
|
||||
profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork | 2 +-
|
||||
profiles/apparmor/profiles/extras/usr.sbin.imapd | 2 +-
|
||||
profiles/apparmor/profiles/extras/usr.sbin.ipop2d | 2 +-
|
||||
profiles/apparmor/profiles/extras/usr.sbin.ipop3d | 2 +-
|
||||
8 files changed, 14 insertions(+), 6 deletions(-)
|
||||
|
||||
--- /dev/null
|
||||
+++ b/profiles/apparmor.d/abstractions/openssl
|
||||
@@ -0,0 +1,4 @@
|
||||
+
|
||||
+ /etc/ssl/openssl.cnf r,
|
||||
+ /usr/share/ssl/openssl.cnf r,
|
||||
+
|
||||
--- a/profiles/apparmor.d/abstractions/ssl_certs
|
||||
+++ b/profiles/apparmor.d/abstractions/ssl_certs
|
||||
@@ -14,3 +14,7 @@
|
||||
/etc/ssl/certs/* r,
|
||||
/usr/share/ca-certificates/ r,
|
||||
/usr/share/ca-certificates/** r,
|
||||
+ /usr/share/ssl/certs/ca-bundle.crt r,
|
||||
+
|
||||
+ /usr/share/ca-certificates/mozilla/ r,
|
||||
+ /usr/share/ca-certificates/mozilla/* r,
|
||||
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
|
||||
@@ -15,6 +15,7 @@
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <program-chunks/postfix-common>
|
||||
+ #include <abstractions/openssl>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
@@ -38,7 +39,6 @@
|
||||
/etc/postfix/{ssl/,}*.pem r,
|
||||
/etc/postfix/prng_exch rw,
|
||||
/usr/share/ssl/certs/ca-bundle.crt r,
|
||||
- /usr/share/ssl/openssl.cnf r,
|
||||
/etc/postfix/virtual.db r,
|
||||
/etc/postfix/sasl_passwd.db r,
|
||||
/etc/mtab r,
|
||||
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
|
||||
@@ -15,6 +15,7 @@
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <program-chunks/postfix-common>
|
||||
+ #include <abstractions/openssl>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
@@ -43,7 +44,6 @@
|
||||
/usr/lib/sasl2/* mr,
|
||||
|
||||
/usr/share/ssl/certs/ca-bundle.crt r,
|
||||
- /usr/share/ssl/openssl.cnf r,
|
||||
|
||||
/{var/spool/postfix/,}pid/inet.* rw,
|
||||
/{var/spool/postfix/,}private/anvil w,
|
||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
|
||||
@@ -17,6 +17,7 @@
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/perl>
|
||||
+ #include <abstractions/openssl>
|
||||
|
||||
capability kill,
|
||||
capability net_bind_service,
|
||||
@@ -83,7 +84,6 @@
|
||||
/usr/share/snmp/mibs r,
|
||||
/usr/share/snmp/mibs/*.{txt,mib} r,
|
||||
/usr/share/snmp/mibs/.index wr,
|
||||
- /usr/share/ssl/openssl.cnf r,
|
||||
/var/lock/httpd2.lock.* wl,
|
||||
/var/log/apache2/* rwl,
|
||||
/var/log/httpd/ssl_scache.dir r,
|
||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.imapd
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.imapd
|
||||
@@ -15,10 +15,10 @@
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/user-mail>
|
||||
+ #include <abstractions/openssl>
|
||||
|
||||
/dev/urandom r,
|
||||
/tmp/* rwl,
|
||||
/usr/sbin/imapd r,
|
||||
/usr/share/ssl/certs/imapd.pem r,
|
||||
- /usr/share/ssl/openssl.cnf r,
|
||||
}
|
||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
|
||||
@@ -15,10 +15,10 @@
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/user-mail>
|
||||
+ #include <abstractions/openssl>
|
||||
|
||||
/dev/urandom r ,
|
||||
/tmp/.* rwl ,
|
||||
/usr/sbin/ipop2d rmix,
|
||||
/usr/share/ssl/certs/ipop2d.pem r ,
|
||||
- /usr/share/ssl/openssl.cnf r ,
|
||||
}
|
||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
|
||||
@@ -15,10 +15,10 @@
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/user-mail>
|
||||
+ #include <abstractions/openssl>
|
||||
|
||||
/dev/urandom r ,
|
||||
/tmp/.* rwl ,
|
||||
/usr/sbin/ipop3d rmix,
|
||||
/usr/share/ssl/certs/ipop3d.pem r ,
|
||||
- /usr/share/ssl/openssl.cnf r ,
|
||||
}
|
@ -1,34 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: dhcpd: Fix apparmor profile
|
||||
References: bnc#692428
|
||||
|
||||
This patch adds the network rules needed, corrects the path to dhcpd.leases,
|
||||
and adds the path for TSIG DNS keys.
|
||||
|
||||
Reported-by: Andrew Beames <suseforum@roocomputing.co.uk>
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
profiles/apparmor/profiles/extras/usr.sbin.dhcpd | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
|
||||
@@ -21,12 +21,17 @@
|
||||
capability setuid,
|
||||
capability sys_chroot,
|
||||
|
||||
+ network inet raw,
|
||||
+ network packet raw,
|
||||
+
|
||||
/db/dhcpd.leases* lrw,
|
||||
/etc/dhcpd.conf r,
|
||||
/etc/hosts.allow r,
|
||||
/etc/hosts.deny r,
|
||||
/usr/sbin/dhcpd rmix,
|
||||
- /var/lib/dhcp/dhcpd.leases* rwl,
|
||||
+ /var/lib/dhcp/db/dhcpd.leases* rwl,
|
||||
/var/lib/dhcp/etc/dhcpd.conf r,
|
||||
/var/run/dhcpd.pid wl,
|
||||
+ /etc/named.d/* r,
|
||||
+ @{PROC}/net/dev r,
|
||||
}
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d8b6d41181354a603bd0e1a79cb0a971339fd3366b12b18da3b648fe259ef915
|
||||
size 1242129
|
3
apparmor-2.7.beta1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:3c2b2db7edae97dd4f5c24071a4ac8f006d2ade745161754efa4c2e58639c8d5
|
||||
size 1410143
|
@ -1,23 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor-utils: Add check_for_apparmor helper.
|
||||
|
||||
This should be an alias but those get complicated quickly in perl.
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
utils/Immunix/AppArmor.pm | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
--- a/utils/Immunix/AppArmor.pm
|
||||
+++ b/utils/Immunix/AppArmor.pm
|
||||
@@ -463,6 +463,10 @@ sub check_for_subdomain () {
|
||||
return $sd_mountpoint;
|
||||
}
|
||||
|
||||
+sub check_for_apparmor () {
|
||||
+ return check_for_subdomain();
|
||||
+}
|
||||
+
|
||||
sub which ($) {
|
||||
my $file = shift;
|
||||
|
@ -1,59 +0,0 @@
|
||||
---
|
||||
profiles/apparmor/profiles/extras/usr.sbin.cupsd | 25 ++++++++++++++++++-----
|
||||
1 file changed, 20 insertions(+), 5 deletions(-)
|
||||
|
||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
|
||||
@@ -16,20 +16,31 @@
|
||||
capability setuid,
|
||||
|
||||
/bin/bash ixr,
|
||||
+ /bin/cat ix,
|
||||
+
|
||||
+ /usr/bin/foomatic-rip ixr,
|
||||
+ /etc/foomatic/** r,
|
||||
+
|
||||
+ /usr/bin/gs ix,
|
||||
+ /usr/lib/ghostscript/** m,
|
||||
+ /usr/lib64/ghostscript/** m,
|
||||
+ /usr/share/ghostscript/** r,
|
||||
+ /etc/ghostscript/** r,
|
||||
+
|
||||
/dev/lp0 rw,
|
||||
/dev/tty rw,
|
||||
/dev/ttyS? w,
|
||||
/etc/cups rw,
|
||||
/etc/cups/ r,
|
||||
- /etc/cups/* r,
|
||||
+ /etc/cups/** r,
|
||||
/etc/cups/certs w,
|
||||
/etc/cups/certs/* w,
|
||||
- /etc/cups/classes.conf rw,
|
||||
- /etc/cups/cupsd.conf rw,
|
||||
+ /etc/cups/*.conf* rw,
|
||||
/etc/cups/ppd rw,
|
||||
+ /etc/printcap rw,
|
||||
/etc/cups/printcap rw,
|
||||
- /etc/cups/printers.conf rw,
|
||||
/etc/cups/ssl rw,
|
||||
+ /etc/cups/yes/* rw,
|
||||
/etc/hosts.allow r,
|
||||
/etc/hosts.deny r,
|
||||
/proc/meminfo r,
|
||||
@@ -39,11 +50,15 @@
|
||||
/usr/bin/smbspool ixr,
|
||||
/usr/lib/cups/backend/* ixr,
|
||||
/usr/lib/cups/filter/* ixr,
|
||||
- /usr/sbin/cupsd mr,
|
||||
+ /usr/sbin/cupsd mixr,
|
||||
/usr/share/cups/** r,
|
||||
/var/log/cups/access_log rw,
|
||||
/var/log/cups/error_log rw,
|
||||
/var/spool/cups rw,
|
||||
+ /var/spool/cups/** rw,
|
||||
/var/spool/cups/tmp w,
|
||||
/var/spool/cups/tmp/ r,
|
||||
+ /var/run/cups/** rw,
|
||||
+ /var/cache/cups/ rw,
|
||||
+ /var/cache/cups/** rw,
|
||||
}
|
@ -1,121 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: profiles: update dhclient
|
||||
References: bnc#561152
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
|
||||
profiles/apparmor/profiles/extras/sbin.dhclient | 61 +++++++++++------
|
||||
profiles/apparmor/profiles/extras/sbin.dhclient-script | 21 +++++
|
||||
2 files changed, 61 insertions(+), 21 deletions(-)
|
||||
|
||||
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
|
||||
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
|
||||
@@ -11,12 +11,12 @@
|
||||
# raw sockets, and thus cannot be confined with NetDomain
|
||||
#
|
||||
# Should these programs have their own domains?
|
||||
-# /bin/ps mixr,
|
||||
-# /sbin/arp rmix,
|
||||
-# /usr/bin/dig rmix,
|
||||
-# /usr/bin/uptime rmix,
|
||||
-# /usr/bin/vmstat rmix,
|
||||
-# /usr/bin/w rmix,
|
||||
+# /bin/ps mrix,
|
||||
+# /sbin/arp mrix,
|
||||
+# /usr/bin/dig mrix,
|
||||
+# /usr/bin/uptime mrix,
|
||||
+# /usr/bin/vmstat mrix,
|
||||
+# /usr/bin/w mrix,
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
@@ -24,25 +24,30 @@
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/nameservice>
|
||||
- /sbin/dhclient rmix,
|
||||
- /sbin/dhclient-script rmix,
|
||||
- /bin/bash rmix,
|
||||
- /bin/df rmix,
|
||||
+
|
||||
+ network packet packet,
|
||||
+ network packet raw,
|
||||
+
|
||||
+ /sbin/dhclient mrix,
|
||||
+
|
||||
+ /sbin/dhclient-script mrix,
|
||||
+ /bin/bash mrix,
|
||||
+ /bin/df mrix,
|
||||
/bin/netstat Px,
|
||||
- /bin/ps mixr,
|
||||
+ /bin/ps mrix,
|
||||
/dev/random r,
|
||||
/etc/dhclient.conf r,
|
||||
- @{PROC}/ r,
|
||||
- @{PROC}/interrupts r,
|
||||
- @{PROC}/net/dev r,
|
||||
- @{PROC}/rtc r,
|
||||
+ @{PROC}/ r,
|
||||
+ @{PROC}/interrupts r,
|
||||
+ @{PROC}/*/net/dev r,
|
||||
+ @{PROC}/rtc r,
|
||||
# following rule shouldn't work, self is a symlink
|
||||
- @{PROC}/self/status r,
|
||||
- /sbin/arp rmix,
|
||||
- /usr/bin/dig rmix,
|
||||
- /usr/bin/uptime rmix,
|
||||
- /usr/bin/vmstat rmix,
|
||||
- /usr/bin/w rmix,
|
||||
+ @{PROC}/self/status r,
|
||||
+ /sbin/arp mrix,
|
||||
+ /usr/bin/dig mrix,
|
||||
+ /usr/bin/uptime mrix,
|
||||
+ /usr/bin/vmstat mrix,
|
||||
+ /usr/bin/w mrix,
|
||||
/var/lib/dhcp/dhclient.leases rw,
|
||||
/var/lib/dhcp/dhclient-*.leases rw,
|
||||
/var/log/lastlog r,
|
||||
@@ -52,4 +57,18 @@
|
||||
/var/run/dhclient-*.pid rw,
|
||||
/var/spool r,
|
||||
/var/spool/mail r,
|
||||
+
|
||||
+ # This one will need to be fleshed out depending on what the user is doing
|
||||
+ /sbin/dhclient-script mrpx,
|
||||
+
|
||||
+ /bin/grep mrix,
|
||||
+ /bin/sleep mrix,
|
||||
+ /etc/sysconfig/network/dhcp r,
|
||||
+ /etc/sysconfig/network/scripts/functions.common r,
|
||||
+ /etc/sysconfig/network/scripts/functions r,
|
||||
+ /sbin/ip mrix,
|
||||
+ /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
|
||||
+ /var/lib/dhcp/* rw,
|
||||
+ /var/run/nm-dhclient-*.conf r,
|
||||
+
|
||||
}
|
||||
--- /dev/null
|
||||
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
|
||||
@@ -0,0 +1,21 @@
|
||||
+# Last Modified: Tue Jan 25 16:48:30 2011
|
||||
+#include <tunables/global>
|
||||
+
|
||||
+# dhclient-script will call plugins from /etc/netconfig.d, so this
|
||||
+# will need to be extended on a per-site basis.
|
||||
+
|
||||
+/sbin/dhclient-script {
|
||||
+ #include <abstractions/base>
|
||||
+ #include <abstractions/bash>
|
||||
+ #include <abstractions/consoles>
|
||||
+
|
||||
+ /bin/bash rix,
|
||||
+ /bin/grep rix,
|
||||
+ /bin/sleep rix,
|
||||
+ /bin/touch rix,
|
||||
+ /dev/.sysconfig/network/** r,
|
||||
+ /etc/netconfig.d/* mrix,
|
||||
+ /etc/sysconfig/network/** r,
|
||||
+ /sbin/dhclient-script r,
|
||||
+ /sbin/ip rix,
|
||||
+}
|
@ -1,38 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: Fix for sshd profile
|
||||
References: bnc#457072
|
||||
|
||||
Without this patch, sshd won't work in enforce mode.
|
||||
|
||||
libselinux accesses /proc/filesystems to determine if it's enabled
|
||||
bash won't execute
|
||||
audit_control is probably from libselinux too
|
||||
---
|
||||
profiles/apparmor/profiles/extras/usr.sbin.sshd | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
|
||||
@@ -29,6 +29,8 @@
|
||||
capability kill,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
+ capability audit_control,
|
||||
+ capability sys_ptrace,
|
||||
|
||||
/dev/ptmx rw,
|
||||
/dev/urandom r,
|
||||
@@ -43,11 +45,12 @@
|
||||
|
||||
@{PROC}/[0-9]*/fd/ r,
|
||||
@{PROC}/[0-9]*/loginuid w,
|
||||
+ @{PROC}/filesystems r,
|
||||
|
||||
# should only be here for use in non-change-hat openssh
|
||||
# duplicated from EXEC hat
|
||||
/bin/ash Ux,
|
||||
- /bin/bash Ux,
|
||||
+ /bin/bash rUx,
|
||||
/bin/bash2 Ux,
|
||||
/bin/bsh Ux,
|
||||
/bin/csh Ux,
|
@ -1,37 +0,0 @@
|
||||
---
|
||||
profiles/apparmor.d/sbin.syslog-ng | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/profiles/apparmor.d/sbin.syslog-ng
|
||||
+++ b/profiles/apparmor.d/sbin.syslog-ng
|
||||
@@ -19,12 +19,14 @@
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
+ #include <abstractions/mysql>
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
capability fsetid,
|
||||
capability fowner,
|
||||
capability sys_tty_config,
|
||||
+ capability sys_resource,
|
||||
|
||||
/dev/log w,
|
||||
/dev/syslog w,
|
||||
@@ -35,11 +37,14 @@
|
||||
/etc/hosts.deny r,
|
||||
/etc/hosts.allow r,
|
||||
/sbin/syslog-ng mr,
|
||||
+ /usr/share/syslog-ng/** r,
|
||||
# chrooted applications
|
||||
@{CHROOT_BASE}/var/lib/*/dev/log w,
|
||||
- @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist rw,
|
||||
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
|
||||
@{CHROOT_BASE}/var/log/** w,
|
||||
@{CHROOT_BASE}/var/run/syslog-ng.pid krw,
|
||||
+ @{CHROOT_BASE}/var/run/syslog-ng.ctl rw,
|
||||
+ /var/run/syslog-ng/additional-log-sockets.conf r,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/sbin.syslog-ng>
|
@ -1,33 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: dnsmasq: Profile fixes
|
||||
References: bnc#666090 bnc#678749
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
profiles/apparmor.d/usr.sbin.dnsmasq | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
|
||||
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
|
||||
@@ -25,10 +25,12 @@
|
||||
/etc/dnsmasq.conf r,
|
||||
/etc/dnsmasq.d/ r,
|
||||
/etc/dnsmasq.d/* r,
|
||||
+ /etc/ethers r,
|
||||
|
||||
/usr/sbin/dnsmasq mr,
|
||||
|
||||
/var/run/*dnsmasq*.pid w,
|
||||
+ /var/run/dnsmasq-forwarders r,
|
||||
/var/run/dnsmasq/ r,
|
||||
/var/run/dnsmasq/* rw,
|
||||
|
||||
@@ -37,6 +39,8 @@
|
||||
# libvirt pid files for dnsmasq
|
||||
/var/run/libvirt/network/ r,
|
||||
/var/run/libvirt/network/*.pid rw,
|
||||
+ /var/lib/libvirt/dnsmasq/ r,
|
||||
+ /var/lib/libvirt/dnsmasq/*.hostsfile r,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/usr.sbin.dnsmasq>
|
@ -1,91 +0,0 @@
|
||||
---
|
||||
|
||||
parser/rc.aaeventd.suse | 2 +-
|
||||
parser/rc.apparmor.functions | 9 ++++-----
|
||||
parser/rc.apparmor.suse | 23 ++++++++++++++++++++++-
|
||||
3 files changed, 27 insertions(+), 7 deletions(-)
|
||||
|
||||
--- a/parser/rc.aaeventd.suse
|
||||
+++ b/parser/rc.aaeventd.suse
|
||||
@@ -27,7 +27,7 @@
|
||||
### BEGIN INIT INFO
|
||||
# Provides: aaeventd
|
||||
# Required-Start: apparmor
|
||||
-# Required-Stop:
|
||||
+# Required-Stop: $null
|
||||
# Default-Start: 2 3 5
|
||||
# Default-Stop:
|
||||
# Short-Description: AppArmor Notification and Reporting
|
||||
--- a/parser/rc.apparmor.functions
|
||||
+++ b/parser/rc.apparmor.functions
|
||||
@@ -108,9 +108,7 @@ is_apparmor_present() {
|
||||
# check for subdomainfs version of module
|
||||
grep -qE "^($modules)[[:space:]]" /proc/modules
|
||||
|
||||
- if [ $? -ne 0 ] ; then
|
||||
- ls /sys/module/apparmor 2>/dev/null | grep -qE "^($modules)"
|
||||
- fi
|
||||
+ [ $? -ne 0 -a -d /sys/module/apparmor ]
|
||||
|
||||
return $?
|
||||
}
|
||||
@@ -377,10 +375,11 @@ apparmor_start() {
|
||||
configure_owlsm
|
||||
|
||||
# if there is anything in the profiles file don't load
|
||||
- cat "$SFS_MOUNTPOINT/profiles" | if ! read line ; then
|
||||
+ if ! read line < "$SFS_MOUNTPOINT/profiles"; then
|
||||
parse_profiles load
|
||||
else
|
||||
- aa_log_skipped_msg "AppArmor already loaded with profiles."
|
||||
+ aa_log_skipped_msg ": already loaded with profiles."
|
||||
+ return 0
|
||||
fi
|
||||
aa_log_end_msg 0
|
||||
return 0
|
||||
--- a/parser/rc.apparmor.suse
|
||||
+++ b/parser/rc.apparmor.suse
|
||||
@@ -31,6 +31,7 @@
|
||||
# Required-Start: boot.cleanup
|
||||
# Required-Stop: $null
|
||||
# Should-Start: $local_fs
|
||||
+# Should-Stop: $null
|
||||
# Default-Start: B
|
||||
# Default-Stop:
|
||||
# Short-Description: AppArmor initialization
|
||||
@@ -73,7 +74,19 @@ aa_log_warning_msg() {
|
||||
}
|
||||
|
||||
aa_log_failure_msg() {
|
||||
- log_failure_msg $*
|
||||
+ log_failure_msg '\n'$*
|
||||
+}
|
||||
+
|
||||
+aa_log_action_begin() {
|
||||
+ echo -n
|
||||
+}
|
||||
+
|
||||
+aa_log_action_end() {
|
||||
+ echo -n
|
||||
+}
|
||||
+
|
||||
+aa_log_daemon_msg() {
|
||||
+ echo -en "$@ "
|
||||
}
|
||||
|
||||
aa_log_skipped_msg() {
|
||||
@@ -81,6 +94,14 @@ aa_log_skipped_msg() {
|
||||
echo -e "$rc_skipped"
|
||||
}
|
||||
|
||||
+aa_log_end_msg() {
|
||||
+ v="-v"
|
||||
+ if [ "$1" != '0' ]; then
|
||||
+ rc="-v$1"
|
||||
+ fi
|
||||
+ rc_status $v
|
||||
+}
|
||||
+
|
||||
usage() {
|
||||
echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
|
||||
}
|
@ -1,22 +0,0 @@
|
||||
From: Federic Crozat <fcrozat@suse.com>
|
||||
Subkect: apparmor: Let systemd automount securityfs
|
||||
References: bnc#704460
|
||||
|
||||
Do not mount securityfs when running under systemd, just access
|
||||
the directory, systemd will automount it
|
||||
|
||||
---
|
||||
parser/rc.apparmor.functions | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/parser/rc.apparmor.functions
|
||||
+++ b/parser/rc.apparmor.functions
|
||||
@@ -295,7 +295,7 @@ is_apparmor_loaded() {
|
||||
}
|
||||
|
||||
is_securityfs_mounted() {
|
||||
- grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
|
||||
+ test -d ${SECURITYFS} -a -d /sys/fs/cgroup/systemd || grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
|
||||
return $?
|
||||
}
|
||||
|
@ -1,18 +0,0 @@
|
||||
---
|
||||
parser/rc.aaeventd.suse | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/parser/rc.aaeventd.suse
|
||||
+++ b/parser/rc.aaeventd.suse
|
||||
@@ -78,9 +78,9 @@ usage() {
|
||||
|
||||
start_aa_event() {
|
||||
if [ -x "$AA_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
|
||||
- sd_action "Starting AppArmor Event daemon" startproc -f -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
|
||||
+ sd_action "Starting AppArmor Event daemon" startproc -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
|
||||
elif [ -x "$SD_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
|
||||
- sd_action "Starting AppArmor Event daemon" startproc -f -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
|
||||
+ sd_action "Starting AppArmor Event daemon" startproc -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
|
||||
fi
|
||||
}
|
||||
|
@ -1,26 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor-utils: Add support for creds and path operations
|
||||
References: bnc#564316
|
||||
|
||||
2.6.29 introduced the path security_operations and credentials
|
||||
|
||||
This patch adds support for those operations to the log parser.
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
utils/Immunix/AppArmor.pm | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/utils/Immunix/AppArmor.pm
|
||||
+++ b/utils/Immunix/AppArmor.pm
|
||||
@@ -2848,7 +2848,9 @@ sub add_event_to_tree ($) {
|
||||
""
|
||||
);
|
||||
}
|
||||
- } elsif ($e->{operation} =~ m/file_/) {
|
||||
+ } elsif ($e->{operation} =~ m/file_/ or
|
||||
+ # These are the path operations introduced in 2.6.29
|
||||
+ $e->{operation} =~ m/^(open|unlink|mkdir|rmdir|mknod|truncate|symlink_create|link|rename_src|rename_dest)$/) {
|
||||
add_to_tree( $e->{pid},
|
||||
$e->{parent},
|
||||
"path",
|
@ -1,36 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor-utils: Fix handling of files in /
|
||||
References: bnc#397883
|
||||
|
||||
The separate handling of files and directories with realpath is broken.
|
||||
|
||||
For files e.g. /foo, $dir ends up being empty since the / is eaten by
|
||||
the regex. realpath resolves an empty argument as the current directory,
|
||||
resulting in an incorrect path.
|
||||
|
||||
There's no explanation of why the separate handling was used in the
|
||||
first place.
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
utils/Immunix/AppArmor.pm | 9 +--------
|
||||
1 file changed, 1 insertion(+), 8 deletions(-)
|
||||
|
||||
--- a/utils/Immunix/AppArmor.pm
|
||||
+++ b/utils/Immunix/AppArmor.pm
|
||||
@@ -553,14 +553,7 @@ sub get_full_path ($) {
|
||||
}
|
||||
}
|
||||
|
||||
- if (-f $path) {
|
||||
- my ($dir, $file) = $path =~ m/^(.*)\/(.+)$/;
|
||||
- $path = realpath($dir) . "/$file";
|
||||
- } else {
|
||||
- $path = realpath($path);
|
||||
- }
|
||||
-
|
||||
- return $path;
|
||||
+ return realpath($path);
|
||||
}
|
||||
|
||||
sub findexecutable ($) {
|
@ -5,6 +5,13 @@ Subject: apparmor-utils: Add Immunix::SubDomain alias
|
||||
code.
|
||||
|
||||
Acked-by: Jeff Mahoney <jeffm@suse.com>
|
||||
|
||||
Also patch utils/Makefile to actually install SubDomain.pm
|
||||
|
||||
The SubDomain compat module is only needed by openSUSE, therefore this patch
|
||||
will not be upstreamed.
|
||||
|
||||
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
|
||||
---
|
||||
|
||||
utils/Immunix/SubDomain.pm | 5 +++++
|
||||
@ -18,3 +25,14 @@ Acked-by: Jeff Mahoney <jeffm@suse.com>
|
||||
+use Immunix::AppArmor;
|
||||
+*Immunix::SubDomain:: = *Immunix::AppArmor::;
|
||||
+1;
|
||||
--- a/utils/Makefile 2011-05-27 21:08:50.000000000 +0200
|
||||
+++ b/utils/Makefile 2011-09-10 17:57:55.000000000 +0200
|
||||
@@ -31,7 +31,7 @@ PERLTOOLS = aa-genprof aa-logprof aa-aut
|
||||
aa-unconfined aa-notify aa-disable
|
||||
TOOLS = ${PERLTOOLS} aa-decode aa-status
|
||||
MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
|
||||
- ${MODDIR}/Config.pm ${MODDIR}/Severity.pm
|
||||
+ ${MODDIR}/Config.pm ${MODDIR}/Severity.pm ${MODDIR}/SubDomain.pm
|
||||
|
||||
MANPAGES = ${TOOLS:=.8} logprof.conf.5
|
||||
|
||||
|
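Review bot: The Makefile hunk appended to this patch uses timestamped file headers (`--- a/utils/Makefile 2011-05-27 21:08:50.000000000 +0200` / `+++ b/utils/Makefile 2011-09-10 17:57:55.000000000 +0200`) while every other patch in this package, including the ones this commit deletes, uses the bare `--- a/PATH` / `+++ b/PATH` form; `patch -p1` accepts both, but the timestamps carry no information and make a later `quilt refresh` diff noisier, so I would trim them to `--- a/utils/Makefile` and `+++ b/utils/Makefile`. The diffstat visible at the top of the patch lists only `utils/Immunix/SubDomain.pm | 5 +++++`; the lines between the two hunks are not in view, so if the Makefile is not listed there it should be added as `utils/Makefile | 2 +-` so the stat matches what the patch now touches. The `MODULES` change itself only adds `${MODDIR}/SubDomain.pm` to the install list and is otherwise fine; the Perl stash alias lines above it are context from the old patch, not part of this change.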
@ -1,3 +1,22 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 13 18:47:36 UTC 2011 - opensuse@cboltz.de
|
||||
|
||||
- update to AppArmor 2.7.0 beta1, for details see
|
||||
http://wiki.apparmor.net/index.php/ReleaseNotes_2_7
|
||||
- removed lots of patches I pushed upstream
|
||||
- disabled apparmor-2.5.1-unified-build (patch to use automake,
|
||||
does not apply to 2.7 and probably won't be accepted upstream)
|
||||
- disabled build of tomcat_apparmor (doesn't build, deprecated upstream)
|
||||
- run spec-cleaner
|
||||
- remove *.la files
|
||||
- move usr.sbin.nscd profile back to apparmor-profiles package
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 7 10:35:12 MDT 2011 - jfehlig@suse.com
|
||||
|
||||
- Update patch apparmor-profiles-usr.sbin.dnsmasq to include
|
||||
/var/lib/libvirt/dnsmasq/*.leases (bnc#694197).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 22 11:54:21 UTC 2011 - opensuse@cboltz.de
|
||||
|
||||
|
375
apparmor.spec
@ -15,9 +15,8 @@
|
||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
# norootforbuild
|
||||
|
||||
%bcond_without tomcat
|
||||
%bcond_with tomcat
|
||||
%bcond_without pam
|
||||
%bcond_without apache
|
||||
%bcond_with python
|
||||
@ -44,60 +43,68 @@ Name: apparmor
|
||||
%if ! %{?distro:1}0
|
||||
%define distro suse
|
||||
%endif
|
||||
Summary: AppArmor userlevel parser utility
|
||||
Version: 2.6.1
|
||||
Version: 2.7.beta1
|
||||
Release: 1
|
||||
Summary: AppArmor userlevel parser utility
|
||||
%define versiondir 2.7.0~beta1
|
||||
Group: Productivity/Networking/Security
|
||||
Source0: apparmor-%{version}.tar.bz2
|
||||
Source0: apparmor-%{version}.tar.gz
|
||||
Source1: %{name}-profile-editor.png
|
||||
Source2: %{name}-profile-editor.desktop
|
||||
Source3: update-trans.sh
|
||||
|
||||
Patch1: apparmor-scripts
|
||||
Patch3: apparmor-utils-add-log-types
|
||||
Patch4: apparmor-utils-filenames-in-slash
|
||||
# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
|
||||
Patch5: apparmor-utils-string-split
|
||||
Patch6: apparmor-profiles-cupsd-fix
|
||||
Patch7: apparmor-profiles-sshd-fix
|
||||
Patch8: apparmor-profiles-syslog-ng-fix
|
||||
Patch9: apparmor-startproc.patch
|
||||
|
||||
# use autobuild everywhere. Patch applies to 2.6.1 only and probably won't be accepted upstream.
|
||||
Patch10: apparmor-2.5.1-unified-build
|
||||
# requires Patch10
|
||||
Patch11: apparmor-2.5.1-rpmlint-asprintf
|
||||
|
||||
# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
|
||||
Patch12: apparmor-2.5.1-edirectory-profile
|
||||
# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
|
||||
Patch13: apparmor-2.5.1-ldapclient-profile
|
||||
Patch14: genprof-whitespace-in-profile-fix
|
||||
|
||||
# obsolete, upstream implemented this in another way
|
||||
Patch15: apparmor-remove-repo
|
||||
Patch16: apparmor-2.5.1-ntpd-sys_nice
|
||||
Patch17: apparmor-2.5.1-ssl-fix
|
||||
Patch18: apparmor-profiles-usr.sbin.dnsmasq
|
||||
Patch19: klog-needs-CAP_SYSLOG
|
||||
Patch20: apparmor-profiles-dhclient
|
||||
|
||||
# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
|
||||
Patch21: apparmor-utils-subdomain-compat
|
||||
Patch22: apparmor-securityfs-systemd.patch
|
||||
Patch23: apparmor-2.6.0-dhcpd
|
||||
Patch24: apparmor-compat-routines
|
||||
|
||||
License: GPLv2+
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
Url: https://launchpad.net/apparmor
|
||||
PreReq: sed
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%if %{distro} == "suse"
|
||||
PreReq: %{insserv_prereq} aaa_base
|
||||
PreReq: %{insserv_prereq}
|
||||
PreReq: aaa_base
|
||||
%endif
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: pkg-config
|
||||
BuildRequires: pcre-devel
|
||||
%define apparmor_bin_prefix /lib/apparmor
|
||||
BuildRequires: bison flex latex2html w3m
|
||||
BuildRequires: bison
|
||||
BuildRequires: flex
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: latex2html
|
||||
BuildRequires: pcre-devel
|
||||
BuildRequires: pkg-config
|
||||
BuildRequires: texlive-latex
|
||||
BuildRequires: w3m
|
||||
|
||||
# TODO: put also to Requires?
|
||||
BuildRequires: perl(Locale::gettext)
|
||||
BuildRequires: perl(RPC::XML)
|
||||
BuildRequires: perl(Term::ReadKey)
|
||||
|
||||
BuildRequires: swig
|
||||
|
||||
%if %{with python}
|
||||
BuildRequires: python-devel swig
|
||||
BuildRequires: python-devel
|
||||
BuildRequires: swig
|
||||
%endif
|
||||
|
||||
%if %{with ruby}
|
||||
BuildRequires: ruby-devel swig
|
||||
BuildRequires: ruby-devel
|
||||
BuildRequires: swig
|
||||
%endif
|
||||
|
||||
%if %{with apache}
|
||||
@ -105,11 +112,15 @@ BuildRequires: apache2-devel
|
||||
%endif
|
||||
|
||||
%if %{with tomcat}
|
||||
BuildRequires: ant java-devel >= 1.6.0 tomcat6
|
||||
BuildRequires: ant
|
||||
BuildRequires: java-devel >= 1.6.0
|
||||
BuildRequires: tomcat6
|
||||
%endif
|
||||
|
||||
%if %{with editor}
|
||||
BuildRequires: gcc-c++ update-desktop-files wxGTK-devel
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: update-desktop-files
|
||||
BuildRequires: wxGTK-devel
|
||||
%endif
|
||||
|
||||
%if %{with gnome}
|
||||
@ -121,7 +132,10 @@ BuildRequires: pkgconfig(libpanelapplet-2.0)
|
||||
%endif
|
||||
|
||||
%if %{with dbus}
|
||||
BuildRequires: audit-devel dbus-1-devel libapparmor-devel pkg-config
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: libapparmor-devel
|
||||
BuildRequires: pkg-config
|
||||
BuildRequires: pkgconfig(dbus-1)
|
||||
%endif
|
||||
|
||||
%package parser
|
||||
@ -161,13 +175,6 @@ This package contains documentation for AppArmor.
|
||||
This package is part of a suite of tools that used to be named
|
||||
SubDomain.
|
||||
|
||||
|
||||
|
||||
Authors:
|
||||
--------
|
||||
lcambell@novell.com
|
||||
Seth Arnold <seth.arnold@novell.com>
|
||||
|
||||
%if %{with apache}
|
||||
|
||||
%package -n apache2-mod_apparmor
|
||||
@ -185,15 +192,12 @@ SubDomain.
|
||||
|
||||
The documentation is in the apparmor-admin_en package.
|
||||
|
||||
Authors:
|
||||
--------
|
||||
sbeattie@suse.de
|
||||
%endif
|
||||
|
||||
%package -n libapparmor1
|
||||
License: LGPLv2.1+
|
||||
Summary: Utility library for AppArmor
|
||||
Group: Development/Libraries/C and C++
|
||||
License: LGPLv2.1+
|
||||
%ifarch ppc64
|
||||
Obsoletes: libapparmor-64bit < %{version}
|
||||
Provides: libapparmor-64bit = ${version}
|
||||
@ -208,34 +212,26 @@ This package provides the libapparmor library, which contains the
|
||||
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
|
||||
well as functions to parse AppArmor log messages.
|
||||
|
||||
Authors:
|
||||
--------
|
||||
Steve Beattie <sbeattie@suse.de>
|
||||
Matt Barringer <mbarringer@suse.de>
|
||||
|
||||
%package -n libapparmor-devel
|
||||
License: LGPLv2.1+
|
||||
Requires: libapparmor1 = %{version}-%{release}
|
||||
Group: Development/Libraries/C and C++
|
||||
Provides: libapparmor:/usr/include/sys/apparmor.h
|
||||
Summary: Development headers and libraries for libapparmor
|
||||
Group: Development/Libraries/C and C++
|
||||
Requires: libapparmor1 = %{version}
|
||||
Provides: libapparmor:/usr/include/sys/apparmor.h
|
||||
|
||||
%description -n libapparmor-devel
|
||||
These libraries are needed for developing software that makes use of the
|
||||
AppArmor API.
|
||||
|
||||
Authors:
|
||||
--------
|
||||
Steve Beattie <sbeattie@suse.de>
|
||||
Matt Barringer <mbarringer@suse.de>
|
||||
|
||||
%package -n perl-apparmor
|
||||
License: GPLv2 ; LGPLv2.1+
|
||||
Summary: Perl interface for libapparmor functions
|
||||
Group: Development/Libraries/Perl
|
||||
Requires: libapparmor1 = %{version}
|
||||
Requires: perl = %{perl_version}
|
||||
Requires: perl(Term::ReadKey) perl(DBD::SQLite) perl(RPC::XML)
|
||||
Group: Development/Libraries/Perl
|
||||
Summary: Perl interface for libapparmor functions
|
||||
Requires: perl(DBD::SQLite)
|
||||
Requires: perl(RPC::XML)
|
||||
Requires: perl(Term::ReadKey)
|
||||
Provides: perl-libapparmor
|
||||
Obsoletes: perl-libapparmor < 2.5
|
||||
|
||||
@ -243,20 +239,15 @@ Obsoletes: perl-libapparmor < 2.5
|
||||
This package provides the perl interface to AppArmor. It is used for perl
|
||||
applications interfacing with AppArmor, including the AppArmor utilities.
|
||||
|
||||
Authors:
|
||||
--------
|
||||
Steve Beattie <sbeattie@suse.de>
|
||||
Matt Barringer <mbarringer@suse.de>
|
||||
|
||||
%if %{with python}
|
||||
|
||||
%package -n python-apparmor
|
||||
License: GPLv2 ; LGPLv2.1+
|
||||
Requires: libapparmor1 = %{version}
|
||||
BuildRequires: python
|
||||
Requires: python = %{python_version}
|
||||
Group: Development/Libraries/Python
|
||||
Summary: Python interface for libapparmor functions
|
||||
Group: Development/Libraries/Python
|
||||
BuildRequires: python
|
||||
Requires: libapparmor1 = %{version}
|
||||
Requires: python = %{python_version}
|
||||
Provides: python-libapparmor
|
||||
Obsoletes: python-libapparmor < 2.5
|
||||
|
||||
@ -264,20 +255,16 @@ Obsoletes: python-libapparmor < 2.5
|
||||
This package provides the python interface to AppArmor. It is used for python
|
||||
applications interfacing with AppArmor.
|
||||
|
||||
Authors:
|
||||
--------
|
||||
Steve Beattie <sbeattie@suse.de>
|
||||
Matt Barringer <mbarringer@suse.de>
|
||||
%endif
|
||||
|
||||
%if %{with ruby}
|
||||
|
||||
%package -n ruby-apparmor
|
||||
License: GPLv2 ; LGPLv2.1+
|
||||
Summary: Ruby interface for libapparmor functions
|
||||
Group: Development/Libraries/Ruby
|
||||
Requires: libapparmor1 = %{version}
|
||||
Requires: ruby = %{ruby_version}
|
||||
Group: Development/Libraries/Ruby
|
||||
Summary: Ruby interface for libapparmor functions
|
||||
Provides: ruby-libapparmor
|
||||
Obsoletes: ruby-libapparmor < 2.5
|
||||
|
||||
@ -285,19 +272,15 @@ Obsoletes: ruby-libapparmor < 2.5
|
||||
This package provides the ruby interface to AppArmor. It is used for ruby
|
||||
applications interfacing with AppArmor.
|
||||
|
||||
Authors:
|
||||
--------
|
||||
Steve Beattie <sbeattie@suse.de>
|
||||
Matt Barringer <mbarringer@suse.de>
|
||||
%endif
|
||||
|
||||
%package profiles
|
||||
License: GPLv2 ; LGPLv2.1+
|
||||
Summary: AppArmor profiles that are loaded into the apparmor kernel module
|
||||
Group: Productivity/Security
|
||||
Requires: apparmor-parser(CAP_SYSLOG)
|
||||
Obsoletes: subdomain-profiles < %{version}
|
||||
Provides: subdomain-profiles = %{version}
|
||||
Requires: apparmor-parser(CAP_SYSLOG)
|
||||
BuildArch: noarch
|
||||
|
||||
%description profiles
|
||||
@ -309,18 +292,12 @@ vulnerabilities.
|
||||
This package is part of a suite of tools that used to be named
|
||||
SubDomain.
|
||||
|
||||
Authors:
|
||||
--------
|
||||
seth.arnold@suse.de
|
||||
sbeattie@suse.de
|
||||
jjohansen@suse.de
|
||||
|
||||
%package utils
|
||||
License: GPLv2 ; LGPLv2.1+
|
||||
Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
|
||||
Group: Productivity/Security
|
||||
Requires: perl = %{perl_version}
|
||||
Requires: libapparmor1 = %{version}
|
||||
Requires: perl = %{perl_version}
|
||||
Requires: perl-apparmor = %{version}
|
||||
BuildArch: noarch
|
||||
|
||||
@ -331,18 +308,14 @@ Besides it provides the aa-unconfined server information tool and the
|
||||
aa-eventd event reporting system. It is part of a suite of tools that
|
||||
used to be named SubDomain.
|
||||
|
||||
Authors:
|
||||
--------
|
||||
jmichael@suse.de
|
||||
seth.arnold@suse.de
|
||||
|
||||
%if %{with tomcat}
|
||||
|
||||
%package -n tomcat_apparmor
|
||||
License: GPLv2 ; LGPLv2.1+
|
||||
Summary: Tomcat 6 plugin for AppArmor change_hat
|
||||
Group: System/Libraries
|
||||
Requires: libapparmor1 = %{version} tomcat6
|
||||
Requires: libapparmor1 = %{version}
|
||||
Requires: tomcat6
|
||||
|
||||
%description -n tomcat_apparmor
|
||||
tomcat_apparmor - is a plugin for Apache Tomcat version 6 that
|
||||
@ -351,9 +324,6 @@ containers that are bound to discrete elements of processing within the
|
||||
Tomcat servlet container. The AppArmor containers, or "hats", can be
|
||||
created for individual URL processing or per servlet.
|
||||
|
||||
Authors:
|
||||
--------
|
||||
dreynolds@suse.de
|
||||
%endif
|
||||
|
||||
%if %{with pam}
|
||||
@ -363,8 +333,10 @@ License: GPLv2 ; LGPLv2.1+
|
||||
Summary: PAM module for AppArmor change_hat
|
||||
Group: Productivity/Security
|
||||
BuildRequires: pam-devel
|
||||
Requires: pam pam-config
|
||||
PreReq: pam pam-config
|
||||
PreReq: pam
|
||||
PreReq: pam-config
|
||||
Requires: pam
|
||||
Requires: pam-config
|
||||
|
||||
%description -n pam_apparmor
|
||||
The pam_apparmor module provides the means for any PAM applications
|
||||
@ -372,11 +344,6 @@ that call pam_open_session() to automatically perform an AppArmor
|
||||
change_hat operation in order to switch to a user-specific security
|
||||
policy.
|
||||
|
||||
Authors:
|
||||
--------
|
||||
jmichael@suse.de
|
||||
sbeattie@suse.de
|
||||
|
||||
%endif
|
||||
|
||||
%if %{with dbus}
|
||||
@ -390,10 +357,6 @@ Group: System/Monitoring
|
||||
An audit dispatcher for sending AppArmor events over the DBUS system
|
||||
bus.
|
||||
|
||||
Authors:
|
||||
--------
|
||||
Matt Barringer <mbarringer@suse.de>
|
||||
|
||||
%endif
|
||||
|
||||
%if %{with editor}
|
||||
@ -406,10 +369,6 @@ Group: Productivity/Editors/Other
|
||||
%description profile-editor
|
||||
A syntax highlighting editor for AppArmor profiles.
|
||||
|
||||
Authors:
|
||||
--------
|
||||
Matt Barringer <mbarringer@suse.de>
|
||||
|
||||
%endif
|
||||
|
||||
%if %{with gnome}
|
||||
@ -423,11 +382,6 @@ Group: System/GUI/GNOME
|
||||
This taskbar applet receives AppArmor events over DBUS, and notifies
|
||||
the user when AppArmor prevents an application from functioning.
|
||||
|
||||
|
||||
Authors:
|
||||
--------
|
||||
Matt Barringer <mbarringer@suse.de>
|
||||
|
||||
%endif
|
||||
|
||||
%description
|
||||
@ -444,37 +398,25 @@ SubDomain.
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}
|
||||
%patch1 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%setup -q -n %{name}-%{versiondir}
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
#%patch10 -p1 # disabled, see above
|
||||
#%patch11 -p1 # disabled, see above
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
#%patch15 -p1 # obsolete, see above
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
|
||||
%build
|
||||
export SUSE_ASNEEDED=0
|
||||
autoreconf -fiv
|
||||
# re-define _libdir to /lib or /lib64
|
||||
%define _libdir /%{_lib}
|
||||
%configure --disable-static --with-pic \
|
||||
--with-perl \
|
||||
|
||||
# libapparmor:
|
||||
(
|
||||
cd ./libraries/libapparmor
|
||||
sh ./autogen.sh
|
||||
%configure --with-perl \
|
||||
%if %{with python}
|
||||
--with-python \
|
||||
%else
|
||||
@ -485,38 +427,49 @@ autoreconf -fiv
|
||||
%else
|
||||
--without-ruby \
|
||||
%endif
|
||||
%if %{with tomcat}
|
||||
--with-tomcat \
|
||||
%else
|
||||
--without-tomcat \
|
||||
%endif
|
||||
%if %{with pam}
|
||||
--with-pam \
|
||||
%else
|
||||
--without-pam \
|
||||
%endif
|
||||
|
||||
make
|
||||
#make check
|
||||
)
|
||||
|
||||
# Utilities:
|
||||
make -C utils
|
||||
# make -C utils check
|
||||
|
||||
# parser:
|
||||
make -C parser
|
||||
# techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough
|
||||
make -C parser techdoc.txt
|
||||
# make -C parser check
|
||||
|
||||
# Apache mod_apparmor:
|
||||
%if %{with apache}
|
||||
--with-apache \
|
||||
%else
|
||||
--without-apache \
|
||||
%endif
|
||||
%if %{with gnome}
|
||||
--with-gnome \
|
||||
%else
|
||||
--without-gnome \
|
||||
%endif
|
||||
%if %{with dbus}
|
||||
--with-dbus \
|
||||
%else
|
||||
--without-dbus \
|
||||
%endif
|
||||
%if %{with editor}
|
||||
--with-profileeditor \
|
||||
%else
|
||||
--without-profileeditor \
|
||||
make -C changehat/mod_apparmor
|
||||
%endif
|
||||
|
||||
%{__make} %{?jobs:-j%jobs}
|
||||
# PAM AppArmor:
|
||||
%if %{with pam}
|
||||
make -C changehat/pam_apparmor
|
||||
%endif
|
||||
|
||||
# Profiles:
|
||||
make -C profiles
|
||||
# make -C profiles check
|
||||
|
||||
##configure --disable-static --with-pic \
|
||||
#--with-perl \
|
||||
%if %{with tomcat}
|
||||
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
|
||||
%endif
|
||||
%if %{with gnome}
|
||||
#--with-gnome \
|
||||
%endif
|
||||
%if %{with dbus}
|
||||
#--with-dbus \
|
||||
%endif
|
||||
%if %{with editor}
|
||||
#--with-profileeditor \
|
||||
%endif
|
||||
|
||||
%if %{with ruby}
|
||||
#rm libraries/libapparmor/swig/ruby/Makefile.ruby
|
||||
@ -524,23 +477,37 @@ autoreconf -fiv
|
||||
%endif
|
||||
|
||||
%install
|
||||
%{make_install}
|
||||
|
||||
find $RPM_BUILD_ROOT -name .packlist -exec rm -f {} \;
|
||||
find $RPM_BUILD_ROOT -name perllocal.pod -exec rm -f {} \;
|
||||
|
||||
# libapparmor
|
||||
%makeinstall -C libraries/libapparmor
|
||||
# create symlink for old change_hat(2) manpage
|
||||
ln -s aa_change_hat.2 ${RPM_BUILD_ROOT}/%{_mandir}/man2/change_hat.2
|
||||
( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )
|
||||
|
||||
mkdir ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d
|
||||
install parser/rc.apparmor.suse ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/boot.apparmor
|
||||
install parser/rc.aaeventd.suse ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/aaeventd
|
||||
ln -s %{_sysconfdir}/init.d/aaeventd ${RPM_BUILD_ROOT}/sbin/rcaaeventd
|
||||
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcapparmor
|
||||
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcsubdomain
|
||||
# utilities
|
||||
%makeinstall -C utils VENDOR_PERL=%{perl_vendorlib}
|
||||
mkdir -p %{buildroot}/var/log/apparmor
|
||||
|
||||
%makeinstall -C parser
|
||||
|
||||
%if %{with apache}
|
||||
%makeinstall -C changehat/mod_apparmor
|
||||
%endif
|
||||
|
||||
%if %{with pam}
|
||||
%makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_libdir}/security
|
||||
%endif
|
||||
|
||||
%makeinstall -C profiles
|
||||
|
||||
%if %{with tomcat}
|
||||
mkdir -p %{buildroot}/%{CATALINA_HOME}
|
||||
%makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME}
|
||||
%endif
|
||||
|
||||
find %{buildroot} -name .packlist -exec rm -f {} \;
|
||||
find %{buildroot} -name perllocal.pod -exec rm -f {} \;
|
||||
|
||||
# Re-create the links to the old names
|
||||
for file in ${RPM_BUILD_ROOT}/usr/{sbin,share/man/man[0-9]}/aa-*; do
|
||||
for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do
|
||||
d=$(dirname $file)
|
||||
f=$(basename $file)
|
||||
if [ "${f#aa-}" != "$f" ]; then
|
||||
@ -548,9 +515,9 @@ for file in ${RPM_BUILD_ROOT}/usr/{sbin,share/man/man[0-9]}/aa-*; do
|
||||
fi
|
||||
done
|
||||
|
||||
mv -f ${RPM_BUILD_ROOT}/usr/share/man/man8/{status.8,apparmor_status.8}
|
||||
mv -f ${RPM_BUILD_ROOT}/usr/share/man/man8/{notify.8,apparmor_notify.8}
|
||||
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man8/decode.8
|
||||
mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8}
|
||||
mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8}
|
||||
rm -f %{buildroot}%{_mandir}/man8/decode.8
|
||||
|
||||
%if %{with editor}
|
||||
%suse_update_desktop_file -i %{name}-profile-editor Utility TextEditor
|
||||
@ -564,11 +531,17 @@ for pkg in apparmor-utils apparmor-parser; do
|
||||
%find_lang $pkg
|
||||
done
|
||||
|
||||
# Clean up profiles that are provided by other packages now
|
||||
rm $RPM_BUILD_ROOT%{_sysconfdir}/apparmor.d/usr.sbin.nscd
|
||||
# remove *.la files
|
||||
rm -fv %{buildroot}%{_libdir}/libapparmor.la %{buildroot}%{_libdir}/libimmunix.la
|
||||
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
echo -------------------------------------------------------------------
|
||||
find -ls
|
||||
echo -------------------------------------------------------------------
|
||||
head -n1000 *.lang
|
||||
echo -------------------------------------------------------------------
|
||||
echo -------------------------------------------------------------------
|
||||
find %{buildroot} -ls
|
||||
echo -------------------------------------------------------------------
|
||||
|
||||
%files docs
|
||||
%defattr(-,root,root)
|
||||
@ -612,10 +585,11 @@ fi
|
||||
|
||||
%files -n libapparmor1
|
||||
%defattr(-,root,root)
|
||||
%{_libdir}/libapparmor.la
|
||||
%{_libdir}/libimmunix.la
|
||||
%{_libdir}/libapparmor.so*
|
||||
%{_libdir}/libimmunix.so*
|
||||
# not sure about the correct package for *.a files...
|
||||
%{_libdir}/libapparmor.a
|
||||
%{_libdir}/libimmunix.a
|
||||
|
||||
%files -n libapparmor-devel
|
||||
%defattr(-,root,root)
|
||||
@ -623,22 +597,22 @@ fi
|
||||
%{_libdir}/libimmunix.so
|
||||
%doc %{_mandir}/man2/aa_change_hat.2.gz
|
||||
%doc %{_mandir}/man2/change_hat.2.gz
|
||||
%doc %{_mandir}/man2/aa_find_mountpoint.2.gz
|
||||
%doc %{_mandir}/man2/aa_getcon.2.gz
|
||||
%dir %{_includedir}/aalogparse
|
||||
%{_includedir}/sys/apparmor.h
|
||||
%{_includedir}/aalogparse/*
|
||||
|
||||
# hrm, still need to enumerate each directory in these paths in files :(
|
||||
%define extras_dir %{_sysconfdir}/apparmor/profiles/extras/
|
||||
%define profiles_dir %{_sysconfdir}/apparmor.d/
|
||||
# %define extras_dir %{_sysconfdir}/apparmor/profiles/extras/
|
||||
# %define profiles_dir %{_sysconfdir}/apparmor.d/
|
||||
|
||||
%files profiles
|
||||
%defattr(-,root,root)
|
||||
%attr(644, root, root) %config(noreplace) %{profiles_dir}/*
|
||||
%attr(644, root, root) %{extras_dir}/*
|
||||
%dir %{_sysconfdir}/apparmor.d/
|
||||
%defattr(644,root,root,755)
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/
|
||||
%dir %{_sysconfdir}/apparmor/
|
||||
%dir %{_sysconfdir}/apparmor/profiles
|
||||
%dir %{_sysconfdir}/apparmor/profiles/extras
|
||||
%config %{_sysconfdir}/apparmor/profiles/extras/
|
||||
|
||||
%files utils
|
||||
%defattr(-,root,root)
|
||||
@ -657,6 +631,7 @@ fi
|
||||
%doc %{_mandir}/man8/audit.8.gz
|
||||
%doc %{_mandir}/man8/autodep.8.gz
|
||||
%doc %{_mandir}/man8/complain.8.gz
|
||||
%doc %{_mandir}/man8/disable.8.gz
|
||||
%doc %{_mandir}/man8/enforce.8.gz
|
||||
%doc %{_mandir}/man8/genprof.8.gz
|
||||
%doc %{_mandir}/man8/logprof.8.gz
|
||||
@ -669,8 +644,7 @@ fi
|
||||
%files -n perl-apparmor
|
||||
%defattr(-,root,root)
|
||||
%{perl_vendorlib}/Immunix
|
||||
%dir %{perl_vendorarch}/auto/LibAppArmor
|
||||
%{perl_vendorarch}/auto/LibAppArmor/*
|
||||
%{perl_vendorarch}/auto/LibAppArmor/
|
||||
%{perl_vendorarch}/LibAppArmor.pm
|
||||
|
||||
%if %{with python}
|
||||
@ -693,7 +667,6 @@ fi
|
||||
%files -n pam_apparmor
|
||||
%defattr(444,root,root,755)
|
||||
%attr(555,root,root) %{_libdir}/security/pam_apparmor.so
|
||||
%attr(555,root,root) %{_libdir}/security/pam_apparmor.la
|
||||
%endif
|
||||
|
||||
%if %{with tomcat}
|
||||
@ -729,9 +702,9 @@ fi
|
||||
%{_bindir}/profileeditor
|
||||
%{_docdir}/profileeditor/AppArmorProfileEditor.htb
|
||||
%if 0
|
||||
%{_prefix}/share/doc/profileeditor/AppArmorProfileEditor.htb
|
||||
%{_datadir}/doc/profileeditor/AppArmorProfileEditor.htb
|
||||
%endif
|
||||
%dir %{_prefix}/share/doc/profileeditor
|
||||
%dir %{_datadir}/doc/profileeditor
|
||||
%endif
|
||||
|
||||
%if %{with gnome}
|
||||
|
@ -1,39 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor-utils: setprofileflags() drops leading whitespace
|
||||
References: bnc#480795
|
||||
|
||||
setprofileflags() drops leading whitespace for subprofiles. writeheader()
|
||||
properly indents subprofiles 2 spaces per nesting level but when
|
||||
genprof sets the profile to enforce mode at completion, the whitespace
|
||||
is removed.
|
||||
|
||||
This patch adds the whitespace globbing to the regexp and uses it to
|
||||
prefix the sub-profile with the correct spacing.
|
||||
|
||||
Reported at: https://bugzilla.novell.com/show_bug.cgi?id=480795
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
utils/Immunix/AppArmor.pm | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/utils/Immunix/AppArmor.pm
|
||||
+++ b/utils/Immunix/AppArmor.pm
|
||||
@@ -1033,13 +1033,13 @@ sub setprofileflags ($$) {
|
||||
if (open(PROFILE, "$filename")) {
|
||||
if (open(NEWPROFILE, ">$filename.new")) {
|
||||
while (<PROFILE>) {
|
||||
- if (m/^\s*(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
|
||||
- my ($binary, $flags) = ($1, $5);
|
||||
+ if (m/^(\s*)(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
|
||||
+ my ($space, $binary, $flags) = ($1, $2, $6);
|
||||
|
||||
if ($newflags) {
|
||||
- $_ = "$binary flags=($newflags) {\n";
|
||||
+ $_ = "$space$binary flags=($newflags) {\n";
|
||||
} else {
|
||||
- $_ = "$binary {\n";
|
||||
+ $_ = "$space$binary {\n";
|
||||
}
|
||||
} elsif (m/^(\s*\^\S+)\s+(flags=\(.+\)\s+)*\{\s*$/) {
|
||||
my ($hat, $flags) = ($1, $2);
|
@ -1,35 +0,0 @@
|
||||
---
|
||||
parser/parser_misc.c | 4 ++++
|
||||
profiles/apparmor.d/sbin.klogd | 1 +
|
||||
2 files changed, 5 insertions(+)
|
||||
|
||||
--- a/parser/parser_misc.c
|
||||
+++ b/parser/parser_misc.c
|
||||
@@ -129,6 +129,9 @@ static int get_table_token(const char *n
|
||||
static struct keyword_table capability_table[] = {
|
||||
/* capabilities */
|
||||
#include "cap_names.h"
|
||||
+#ifndef CAP_SYSLOG
|
||||
+ {"syslog", 34},
|
||||
+#endif
|
||||
/* terminate */
|
||||
{NULL, 0}
|
||||
};
|
||||
@@ -866,6 +869,7 @@ static const char *capnames[] = {
|
||||
"audit_control",
|
||||
"setfcap",
|
||||
"mac_override"
|
||||
+ "syslog",
|
||||
};
|
||||
|
||||
const char *capability_to_name(unsigned int cap)
|
||||
--- a/profiles/apparmor.d/sbin.klogd
|
||||
+++ b/profiles/apparmor.d/sbin.klogd
|
||||
@@ -15,6 +15,7 @@
|
||||
#include <abstractions/base>
|
||||
|
||||
capability sys_admin,
|
||||
+ capability syslog,
|
||||
|
||||
network inet stream,
|
||||
|