Accepting request 82045 from security:apparmor:factory

- update to AppArmor 2.7.0 beta1, for details see 
  http://wiki.apparmor.net/index.php/ReleaseNotes_2_7
- removed lots of patches I pushed upstream
- disabled apparmor-2.5.1-unified-build (patch to use automake,
  does not apply to 2.7 and probably won't be accepted upstream)
- disabled build of tomcat_apparmor (doesn't build, deprecated upstream)
- run spec-cleaner
- remove *.la files
- move usr.sbin.nscd profile back to apparmor-profiles package

- Update patch apparmor-profiles-usr.sbin.dnsmasq to include
  /var/lib/libvirt/dnsmasq/*.leases (bnc#694197).

OBS-URL: https://build.opensuse.org/request/show/82045
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=22
Sascha Peilicke 2011-09-14 11:56:46 +00:00 committed by Git OBS Bridge
parent 2c3418e38e
commit 76467be0e2
21 changed files with 220 additions and 981 deletions

View File

@ -1,24 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: profile: ntpd -N needs sys_nice
References: bnc#657054
ntpd -N allows the administrator to increase or decrease priority of the
ntp server. Since the profile doesn't allow it, the operation is denied.
This patch adds support for that operation.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor.d/usr.sbin.ntpd | 1 +
1 file changed, 1 insertion(+)
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -24,6 +24,7 @@
capability sys_chroot,
capability sys_resource,
capability sys_time,
+ capability sys_nice,
network inet dgram,
network inet stream,
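Review bot: `+ capability sys_nice,` is the right grant for what `ntpd -N` does, but the header should say that `-N` is an optional flag and that CAP_SYS_NICE reaches further than the daemon's own priority: it also permits changing scheduling policy, priority and CPU affinity of other processes. Sites that do not start ntpd with `-N` gain nothing from the rule and may prefer to leave it out, so a short comment above the rule naming the `-N` dependency would help them decide.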

View File

@ -1,135 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: profiles: Add openssl abstraction
References: bnc#623886
Profiles that use openssl have been adding the openssl files piecemeal.
This patch creates a new openssl abstraction that can be inherited by
all profiles that use it.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor.d/abstractions/openssl | 4 ++++
profiles/apparmor.d/abstractions/ssl_certs | 4 ++++
profiles/apparmor/profiles/extras/usr.lib.postfix.smtp | 2 +-
profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd | 2 +-
profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork | 2 +-
profiles/apparmor/profiles/extras/usr.sbin.imapd | 2 +-
profiles/apparmor/profiles/extras/usr.sbin.ipop2d | 2 +-
profiles/apparmor/profiles/extras/usr.sbin.ipop3d | 2 +-
8 files changed, 14 insertions(+), 6 deletions(-)
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/openssl
@@ -0,0 +1,4 @@
+
+ /etc/ssl/openssl.cnf r,
+ /usr/share/ssl/openssl.cnf r,
+
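Review bot: the new abstractions/openssl file has no header comment saying what it is for and which profiles are expected to include it, unlike the other abstractions; add a one-line description above the two `openssl.cnf r,` rules so that later maintainers do not fold unrelated openssl paths (key material, for instance) into what is currently a config-only, read-only abstraction.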
--- a/profiles/apparmor.d/abstractions/ssl_certs
+++ b/profiles/apparmor.d/abstractions/ssl_certs
@@ -14,3 +14,7 @@
/etc/ssl/certs/* r,
/usr/share/ca-certificates/ r,
/usr/share/ca-certificates/** r,
+ /usr/share/ssl/certs/ca-bundle.crt r,
+
+ /usr/share/ca-certificates/mozilla/ r,
+ /usr/share/ca-certificates/mozilla/* r,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
@@ -15,6 +15,7 @@
#include <abstractions/nameservice>
#include <abstractions/kerberosclient>
#include <program-chunks/postfix-common>
+ #include <abstractions/openssl>
capability dac_override,
capability dac_read_search,
@@ -38,7 +39,6 @@
/etc/postfix/{ssl/,}*.pem r,
/etc/postfix/prng_exch rw,
/usr/share/ssl/certs/ca-bundle.crt r,
- /usr/share/ssl/openssl.cnf r,
/etc/postfix/virtual.db r,
/etc/postfix/sasl_passwd.db r,
/etc/mtab r,
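Review bot: `/usr/share/ssl/certs/ca-bundle.crt r,` is left in place in this hunk (and in the usr.lib.postfix.smtpd hunk below) although the same patch adds exactly that rule to abstractions/ssl_certs; either switch these profiles to `#include <abstractions/ssl_certs>` and drop the duplicate line, or keep the ssl_certs change out of a patch whose subject is only the openssl abstraction. As it stands the ssl_certs hunk widens every profile that already includes ssl_certs (the mozilla directory and the SUSE ca-bundle) without that being mentioned in the description.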
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
@@ -15,6 +15,7 @@
#include <abstractions/nameservice>
#include <abstractions/kerberosclient>
#include <program-chunks/postfix-common>
+ #include <abstractions/openssl>
capability dac_override,
capability dac_read_search,
@@ -43,7 +44,6 @@
/usr/lib/sasl2/* mr,
/usr/share/ssl/certs/ca-bundle.crt r,
- /usr/share/ssl/openssl.cnf r,
/{var/spool/postfix/,}pid/inet.* rw,
/{var/spool/postfix/,}private/anvil w,
--- a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
+++ b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
@@ -17,6 +17,7 @@
#include <abstractions/kerberosclient>
#include <abstractions/nameservice>
#include <abstractions/perl>
+ #include <abstractions/openssl>
capability kill,
capability net_bind_service,
@@ -83,7 +84,6 @@
/usr/share/snmp/mibs r,
/usr/share/snmp/mibs/*.{txt,mib} r,
/usr/share/snmp/mibs/.index wr,
- /usr/share/ssl/openssl.cnf r,
/var/lock/httpd2.lock.* wl,
/var/log/apache2/* rwl,
/var/log/httpd/ssl_scache.dir r,
--- a/profiles/apparmor/profiles/extras/usr.sbin.imapd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.imapd
@@ -15,10 +15,10 @@
#include <abstractions/nameservice>
#include <abstractions/authentication>
#include <abstractions/user-mail>
+ #include <abstractions/openssl>
/dev/urandom r,
/tmp/* rwl,
/usr/sbin/imapd r,
/usr/share/ssl/certs/imapd.pem r,
- /usr/share/ssl/openssl.cnf r,
}
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
@@ -15,10 +15,10 @@
#include <abstractions/nameservice>
#include <abstractions/authentication>
#include <abstractions/user-mail>
+ #include <abstractions/openssl>
/dev/urandom r ,
/tmp/.* rwl ,
/usr/sbin/ipop2d rmix,
/usr/share/ssl/certs/ipop2d.pem r ,
- /usr/share/ssl/openssl.cnf r ,
}
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
@@ -15,10 +15,10 @@
#include <abstractions/nameservice>
#include <abstractions/authentication>
#include <abstractions/user-mail>
+ #include <abstractions/openssl>
/dev/urandom r ,
/tmp/.* rwl ,
/usr/sbin/ipop3d rmix,
/usr/share/ssl/certs/ipop3d.pem r ,
- /usr/share/ssl/openssl.cnf r ,
}

View File

@ -1,34 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: dhcpd: Fix apparmor profile
References: bnc#692428
This patch adds the network rules needed, corrects the path to dhcpd.leases,
and adds the path for TSIG DNS keys.
Reported-by: Andrew Beames <suseforum@roocomputing.co.uk>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor/profiles/extras/usr.sbin.dhcpd | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
@@ -21,12 +21,17 @@
capability setuid,
capability sys_chroot,
+ network inet raw,
+ network packet raw,
+
/db/dhcpd.leases* lrw,
/etc/dhcpd.conf r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/usr/sbin/dhcpd rmix,
- /var/lib/dhcp/dhcpd.leases* rwl,
+ /var/lib/dhcp/db/dhcpd.leases* rwl,
/var/lib/dhcp/etc/dhcpd.conf r,
/var/run/dhcpd.pid wl,
+ /etc/named.d/* r,
+ @{PROC}/net/dev r,
}
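Review bot: `+ /etc/named.d/* r,` grants read access to every file in the BIND configuration directory, not only the TSIG key the description mentions; if dhcpd were compromised, key material for unrelated zones would be readable too. Narrow the rule to the specific key file, or give the dhcpd key its own directory. The `+ network inet raw,` and `+ network packet raw,` rules are expected for a DHCP server, but the header should quote the denial that motivated them so the change is reproducible.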

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d8b6d41181354a603bd0e1a79cb0a971339fd3366b12b18da3b648fe259ef915
size 1242129

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3c2b2db7edae97dd4f5c24071a4ac8f006d2ade745161754efa4c2e58639c8d5
size 1410143

View File

@ -1,23 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: Add check_for_apparmor helper.
This should be an alias but those get complicated quickly in perl.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/Immunix/AppArmor.pm | 4 ++++
1 file changed, 4 insertions(+)
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -463,6 +463,10 @@ sub check_for_subdomain () {
return $sd_mountpoint;
}
+sub check_for_apparmor () {
+ return check_for_subdomain();
+}
+
sub which ($) {
my $file = shift;
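Review bot: `+sub check_for_apparmor ()` needs a one-line comment stating that it is a compatibility wrapper around check_for_subdomain() kept for callers that use the new name; the reasoning is only in the patch description, which is lost once the patch is applied. Also note that the empty `()` prototype makes a call with arguments a compile-time error, so any caller that passes a value through from the old function name will break rather than be silently ignored.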

View File

@ -1,59 +0,0 @@
---
profiles/apparmor/profiles/extras/usr.sbin.cupsd | 25 ++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
@@ -16,20 +16,31 @@
capability setuid,
/bin/bash ixr,
+ /bin/cat ix,
+
+ /usr/bin/foomatic-rip ixr,
+ /etc/foomatic/** r,
+
+ /usr/bin/gs ix,
+ /usr/lib/ghostscript/** m,
+ /usr/lib64/ghostscript/** m,
+ /usr/share/ghostscript/** r,
+ /etc/ghostscript/** r,
+
/dev/lp0 rw,
/dev/tty rw,
/dev/ttyS? w,
/etc/cups rw,
/etc/cups/ r,
- /etc/cups/* r,
+ /etc/cups/** r,
/etc/cups/certs w,
/etc/cups/certs/* w,
- /etc/cups/classes.conf rw,
- /etc/cups/cupsd.conf rw,
+ /etc/cups/*.conf* rw,
/etc/cups/ppd rw,
+ /etc/printcap rw,
/etc/cups/printcap rw,
- /etc/cups/printers.conf rw,
/etc/cups/ssl rw,
+ /etc/cups/yes/* rw,
/etc/hosts.allow r,
/etc/hosts.deny r,
/proc/meminfo r,
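Review bot: this patch carries no From/Subject/References header, so there is no record of which bug it fixes; add one. In the hunk, `+ /usr/bin/gs ix,` runs Ghostscript, which parses untrusted print jobs, inside the cupsd profile and therefore with write access to `/etc/cups/*.conf*`, `/etc/printcap` and the spool; a child profile or a `px` transition to a separate gs profile would keep a filter bug from turning into configuration tampering. `+ /etc/cups/yes/* rw,` also needs an explanation, since CUPS does not document that path.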
@@ -39,11 +50,15 @@
/usr/bin/smbspool ixr,
/usr/lib/cups/backend/* ixr,
/usr/lib/cups/filter/* ixr,
- /usr/sbin/cupsd mr,
+ /usr/sbin/cupsd mixr,
/usr/share/cups/** r,
/var/log/cups/access_log rw,
/var/log/cups/error_log rw,
/var/spool/cups rw,
+ /var/spool/cups/** rw,
/var/spool/cups/tmp w,
/var/spool/cups/tmp/ r,
+ /var/run/cups/** rw,
+ /var/cache/cups/ rw,
+ /var/cache/cups/** rw,
}

View File

@ -1,121 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: profiles: update dhclient
References: bnc#561152
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor/profiles/extras/sbin.dhclient | 61 +++++++++++------
profiles/apparmor/profiles/extras/sbin.dhclient-script | 21 +++++
2 files changed, 61 insertions(+), 21 deletions(-)
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
@@ -11,12 +11,12 @@
# raw sockets, and thus cannot be confined with NetDomain
#
# Should these programs have their own domains?
-# /bin/ps mixr,
-# /sbin/arp rmix,
-# /usr/bin/dig rmix,
-# /usr/bin/uptime rmix,
-# /usr/bin/vmstat rmix,
-# /usr/bin/w rmix,
+# /bin/ps mrix,
+# /sbin/arp mrix,
+# /usr/bin/dig mrix,
+# /usr/bin/uptime mrix,
+# /usr/bin/vmstat mrix,
+# /usr/bin/w mrix,
#include <tunables/global>
@@ -24,25 +24,30 @@
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
- /sbin/dhclient rmix,
- /sbin/dhclient-script rmix,
- /bin/bash rmix,
- /bin/df rmix,
+
+ network packet packet,
+ network packet raw,
+
+ /sbin/dhclient mrix,
+
+ /sbin/dhclient-script mrix,
+ /bin/bash mrix,
+ /bin/df mrix,
/bin/netstat Px,
- /bin/ps mixr,
+ /bin/ps mrix,
/dev/random r,
/etc/dhclient.conf r,
- @{PROC}/ r,
- @{PROC}/interrupts r,
- @{PROC}/net/dev r,
- @{PROC}/rtc r,
+ @{PROC}/ r,
+ @{PROC}/interrupts r,
+ @{PROC}/*/net/dev r,
+ @{PROC}/rtc r,
# following rule shouldn't work, self is a symlink
- @{PROC}/self/status r,
- /sbin/arp rmix,
- /usr/bin/dig rmix,
- /usr/bin/uptime rmix,
- /usr/bin/vmstat rmix,
- /usr/bin/w rmix,
+ @{PROC}/self/status r,
+ /sbin/arp mrix,
+ /usr/bin/dig mrix,
+ /usr/bin/uptime mrix,
+ /usr/bin/vmstat mrix,
+ /usr/bin/w mrix,
/var/lib/dhcp/dhclient.leases rw,
/var/lib/dhcp/dhclient-*.leases rw,
/var/log/lastlog r,
@@ -52,4 +57,18 @@
/var/run/dhclient-*.pid rw,
/var/spool r,
/var/spool/mail r,
+
+ # This one will need to be fleshed out depending on what the user is doing
+ /sbin/dhclient-script mrpx,
+
+ /bin/grep mrix,
+ /bin/sleep mrix,
+ /etc/sysconfig/network/dhcp r,
+ /etc/sysconfig/network/scripts/functions.common r,
+ /etc/sysconfig/network/scripts/functions r,
+ /sbin/ip mrix,
+ /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
+ /var/lib/dhcp/* rw,
+ /var/run/nm-dhclient-*.conf r,
+
}
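Review bot: `/sbin/dhclient-script` now has two exec rules in the same profile: `+ /sbin/dhclient-script mrix,` in the previous hunk and `+ /sbin/dhclient-script mrpx,` here. `ix` and `px` are conflicting exec modifiers for one path and the parser rejects a profile that contains both; keep only the `px` rule, which is what the new sbin.dhclient-script profile added by this patch is for, and drop the `ix` one together with the comment about fleshing it out.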
--- /dev/null
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
@@ -0,0 +1,21 @@
+# Last Modified: Tue Jan 25 16:48:30 2011
+#include <tunables/global>
+
+# dhclient-script will call plugins from /etc/netconfig.d, so this
+# will need to be extended on a per-site basis.
+
+/sbin/dhclient-script {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+ #include <abstractions/consoles>
+
+ /bin/bash rix,
+ /bin/grep rix,
+ /bin/sleep rix,
+ /bin/touch rix,
+ /dev/.sysconfig/network/** r,
+ /etc/netconfig.d/* mrix,
+ /etc/sysconfig/network/** r,
+ /sbin/dhclient-script r,
+ /sbin/ip rix,
+}
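Review bot: `+ /etc/netconfig.d/* mrix,` executes every site plugin under this profile with inherit, so any tool a plugin calls beyond the five listed here (bash, grep, sleep, touch, ip) is denied; the comment at the top acknowledges that the profile must be extended per site, but the packaged way to do that is a `#include <local/sbin.dhclient-script>` line as the syslog-ng and dnsmasq profiles in this set already use, so sites do not have to edit the shipped file. The `+# Last Modified:` stamp is aa-logprof output and should be dropped from a shipped profile.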

View File

@ -1,38 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: Fix for sshd profile
References: bnc#457072
Without this patch, sshd won't work in enforce mode.
libselinux accesses /proc/filesystems to determine if it's enabled
bash won't execute
audit_control is probably from libselinux too
---
profiles/apparmor/profiles/extras/usr.sbin.sshd | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -29,6 +29,8 @@
capability kill,
capability setgid,
capability setuid,
+ capability audit_control,
+ capability sys_ptrace,
/dev/ptmx rw,
/dev/urandom r,
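Review bot: the description gives no reason for `+ capability sys_ptrace,` and only "probably" for `+ capability audit_control,`; sys_ptrace in particular lets sshd read and control other processes, which is a large widening of the profile. Quote the denial messages that motivated each capability (or confirm them in complain mode with aa-logprof) before both are granted in enforce mode, and record the result in the header.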
@@ -43,11 +45,12 @@
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/loginuid w,
+ @{PROC}/filesystems r,
# should only be here for use in non-change-hat openssh
# duplicated from EXEC hat
/bin/ash Ux,
- /bin/bash Ux,
+ /bin/bash rUx,
/bin/bash2 Ux,
/bin/bsh Ux,
/bin/csh Ux,

View File

@ -1,37 +0,0 @@
---
profiles/apparmor.d/sbin.syslog-ng | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@@ -19,12 +19,14 @@
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
+ #include <abstractions/mysql>
capability chown,
capability dac_override,
capability fsetid,
capability fowner,
capability sys_tty_config,
+ capability sys_resource,
/dev/log w,
/dev/syslog w,
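Review bot: this patch has no header saying what was denied, and both additions need one: `+ #include <abstractions/mysql>` applies to every syslog-ng installation whether or not an sql() destination is configured, and `+ capability sys_resource,` lets the daemon raise its own resource limits (RLIMIT_NOFILE and others). If the mysql rules are only for the sql destination, the site-specific `#include <local/sbin.syslog-ng>` already present in this profile is the better place for them.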
@@ -35,11 +37,14 @@
/etc/hosts.deny r,
/etc/hosts.allow r,
/sbin/syslog-ng mr,
+ /usr/share/syslog-ng/** r,
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
- @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist rw,
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
@{CHROOT_BASE}/var/log/** w,
@{CHROOT_BASE}/var/run/syslog-ng.pid krw,
+ @{CHROOT_BASE}/var/run/syslog-ng.ctl rw,
+ /var/run/syslog-ng/additional-log-sockets.conf r,
# Site-specific additions and overrides. See local/README for details.
#include <local/sbin.syslog-ng>

View File

@ -1,33 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: dnsmasq: Profile fixes
References: bnc#666090 bnc#678749
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor.d/usr.sbin.dnsmasq | 4 ++++
1 file changed, 4 insertions(+)
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -25,10 +25,12 @@
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
/etc/dnsmasq.d/* r,
+ /etc/ethers r,
/usr/sbin/dnsmasq mr,
/var/run/*dnsmasq*.pid w,
+ /var/run/dnsmasq-forwarders r,
/var/run/dnsmasq/ r,
/var/run/dnsmasq/* rw,
@@ -37,6 +39,8 @@
# libvirt pid files for dnsmasq
/var/run/libvirt/network/ r,
/var/run/libvirt/network/*.pid rw,
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/*.hostsfile r,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.dnsmasq>
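Review bot: the changelog entry for bnc#694197 says the dnsmasq profile patch should cover `/var/lib/libvirt/dnsmasq/*.leases`, but this hunk adds only the directory and `+ /var/lib/libvirt/dnsmasq/*.hostsfile r,`; since this file is being removed while `Patch18: apparmor-profiles-usr.sbin.dnsmasq` stays in the spec, verify that the kept patch carries the leases rule and that it was not lost in the rename.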

View File

@ -1,91 +0,0 @@
---
parser/rc.aaeventd.suse | 2 +-
parser/rc.apparmor.functions | 9 ++++-----
parser/rc.apparmor.suse | 23 ++++++++++++++++++++++-
3 files changed, 27 insertions(+), 7 deletions(-)
--- a/parser/rc.aaeventd.suse
+++ b/parser/rc.aaeventd.suse
@@ -27,7 +27,7 @@
### BEGIN INIT INFO
# Provides: aaeventd
# Required-Start: apparmor
-# Required-Stop:
+# Required-Stop: $null
# Default-Start: 2 3 5
# Default-Stop:
# Short-Description: AppArmor Notification and Reporting
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -108,9 +108,7 @@ is_apparmor_present() {
# check for subdomainfs version of module
grep -qE "^($modules)[[:space:]]" /proc/modules
- if [ $? -ne 0 ] ; then
- ls /sys/module/apparmor 2>/dev/null | grep -qE "^($modules)"
- fi
+ [ $? -ne 0 -a -d /sys/module/apparmor ]
return $?
}
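Review bot: `+ [ $? -ne 0 -a -d /sys/module/apparmor ]` inverts the result when apparmor is listed in /proc/modules: the grep succeeds, `$? -ne 0` is false, and is_apparmor_present now returns 1 although the module is present. The removed code returned 0 in that case (the `if` condition failing leaves `$?` at 0) and only consulted /sys/module when the grep failed. The test should be `[ $? -eq 0 -o -d /sys/module/apparmor ]`, or keep the if/else and replace only the `ls | grep` pipeline with `-d`.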
@@ -377,10 +375,11 @@ apparmor_start() {
configure_owlsm
# if there is anything in the profiles file don't load
- cat "$SFS_MOUNTPOINT/profiles" | if ! read line ; then
+ if ! read line < "$SFS_MOUNTPOINT/profiles"; then
parse_profiles load
else
- aa_log_skipped_msg "AppArmor already loaded with profiles."
+ aa_log_skipped_msg ": already loaded with profiles."
+ return 0
fi
aa_log_end_msg 0
return 0
--- a/parser/rc.apparmor.suse
+++ b/parser/rc.apparmor.suse
@@ -31,6 +31,7 @@
# Required-Start: boot.cleanup
# Required-Stop: $null
# Should-Start: $local_fs
+# Should-Stop: $null
# Default-Start: B
# Default-Stop:
# Short-Description: AppArmor initialization
@@ -73,7 +74,19 @@ aa_log_warning_msg() {
}
aa_log_failure_msg() {
- log_failure_msg $*
+ log_failure_msg '\n'$*
+}
+
+aa_log_action_begin() {
+ echo -n
+}
+
+aa_log_action_end() {
+ echo -n
+}
+
+aa_log_daemon_msg() {
+ echo -en "$@ "
}
aa_log_skipped_msg() {
@@ -81,6 +94,14 @@ aa_log_skipped_msg() {
echo -e "$rc_skipped"
}
+aa_log_end_msg() {
+ v="-v"
+ if [ "$1" != '0' ]; then
+ rc="-v$1"
+ fi
+ rc_status $v
+}
+
usage() {
echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
}
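Review bot: in `+aa_log_end_msg()` the variable `rc` is assigned (`rc="-v$1"`) but never used; `rc_status $v` is always called with plain `-v`, so the status passed as `$1` is ignored and the line reports whatever `$?` happened to be at that point. Pass the status through, for example with `( exit $1 ); rc_status -v`, or call `rc_status $rc` if the `-v<n>` form was what was intended, and drop the dead assignment. The same hunk's `+ log_failure_msg '\n'$*` should quote `"$*"` to avoid re-splitting the message.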

View File

@ -1,22 +0,0 @@
From: Federic Crozat <fcrozat@suse.com>
Subkect: apparmor: Let systemd automount securityfs
References: bnc#704460
Do not mount securityfs when running under systemd, just access
the directory, systemd will automount it
---
parser/rc.apparmor.functions | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -295,7 +295,7 @@ is_apparmor_loaded() {
}
is_securityfs_mounted() {
- grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
+ test -d ${SECURITYFS} -a -d /sys/fs/cgroup/systemd || grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
return $?
}
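Review bot: `||` and `&&` have equal precedence in the shell and associate left, so the new line evaluates as `(test -d ${SECURITYFS} -a -d /sys/fs/cgroup/systemd || grep -q securityfs /proc/filesystems) && grep -q securityfs /proc/mounts`; the systemd shortcut therefore still requires securityfs to appear in /proc/mounts, which is the opposite of what the description says it should do. Group the fallback explicitly: `test -d "${SECURITYFS}" -a -d /sys/fs/cgroup/systemd || { grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts; }`, and quote `${SECURITYFS}` in case it is empty.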

View File

@ -1,18 +0,0 @@
---
parser/rc.aaeventd.suse | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/parser/rc.aaeventd.suse
+++ b/parser/rc.aaeventd.suse
@@ -78,9 +78,9 @@ usage() {
start_aa_event() {
if [ -x "$AA_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
- sd_action "Starting AppArmor Event daemon" startproc -f -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
+ sd_action "Starting AppArmor Event daemon" startproc -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
elif [ -x "$SD_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
- sd_action "Starting AppArmor Event daemon" startproc -f -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
+ sd_action "Starting AppArmor Event daemon" startproc -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
fi
}
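Review bot: dropping `-f` from both `startproc` calls means startproc now honours the pidfile and will not start a second aaeventd while one is running, which is the safer behaviour; the patch has no header, so add a line stating that this was the intent and which report it addresses.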

View File

@ -1,26 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: Add support for creds and path operations
References: bnc#564316
2.6.29 introduced the path security_operations and credentials
This patch adds support for those operations to the log parser.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/Immunix/AppArmor.pm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -2848,7 +2848,9 @@ sub add_event_to_tree ($) {
""
);
}
- } elsif ($e->{operation} =~ m/file_/) {
+ } elsif ($e->{operation} =~ m/file_/ or
+ # These are the path operations introduced in 2.6.29
+ $e->{operation} =~ m/^(open|unlink|mkdir|rmdir|mknod|truncate|symlink_create|link|rename_src|rename_dest)$/) {
add_to_tree( $e->{pid},
$e->{parent},
"path",

View File

@ -1,36 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: Fix handling of files in /
References: bnc#397883
The separate handling of files and directories with realpath is broken.
For files e.g. /foo, $dir ends up being empty since the / is eaten by
the regex. realpath resolves an empty argument as the current directory,
resulting in an incorrect path.
There's no explanation of why the separate handling was used in the
first place.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/Immunix/AppArmor.pm | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -553,14 +553,7 @@ sub get_full_path ($) {
}
}
- if (-f $path) {
- my ($dir, $file) = $path =~ m/^(.*)\/(.+)$/;
- $path = realpath($dir) . "/$file";
- } else {
- $path = realpath($path);
- }
-
- return $path;
+ return realpath($path);
}
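Review bot: the regex `m/^(.*)\/(.+)$/` does fail for `/foo` because `(.*)` captures the empty string, as the description says, but the removed branch also had a visible effect that `+ return realpath($path);` loses: for an existing file it resolved only the directory and kept the final component as given, so an executable reached through a symlinked name kept that name. realpath on the whole path now follows the last symlink too, which changes which profile name the tools look up. If that is acceptable, say so in the message; otherwise keep the branch and fix it with `$dir = '/' if $dir eq '';`.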
sub findexecutable ($) {

View File

@ -5,6 +5,13 @@ Subject: apparmor-utils: Add Immunix::SubDomain alias
code.
Acked-by: Jeff Mahoney <jeffm@suse.com>
Also patch utils/Makefile to actually install SubDomain.pm
The SubDomain compat module is only needed by openSUSE, therefore this patch
will not be upstreamed.
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
---
utils/Immunix/SubDomain.pm | 5 +++++
@ -18,3 +25,14 @@ Acked-by: Jeff Mahoney <jeffm@suse.com>
+use Immunix::AppArmor;
+*Immunix::SubDomain:: = *Immunix::AppArmor::;
+1;
--- a/utils/Makefile 2011-05-27 21:08:50.000000000 +0200
+++ b/utils/Makefile 2011-09-10 17:57:55.000000000 +0200
@@ -31,7 +31,7 @@ PERLTOOLS = aa-genprof aa-logprof aa-aut
aa-unconfined aa-notify aa-disable
TOOLS = ${PERLTOOLS} aa-decode aa-status
MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
- ${MODDIR}/Config.pm ${MODDIR}/Severity.pm
+ ${MODDIR}/Config.pm ${MODDIR}/Severity.pm ${MODDIR}/SubDomain.pm
MANPAGES = ${TOOLS:=.8} logprof.conf.5

View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Tue Sep 13 18:47:36 UTC 2011 - opensuse@cboltz.de
- update to AppArmor 2.7.0 beta1, for details see
http://wiki.apparmor.net/index.php/ReleaseNotes_2_7
- removed lots of patches I pushed upstream
- disabled apparmor-2.5.1-unified-build (patch to use automake,
does not apply to 2.7 and probably won't be accepted upstream)
- disabled build of tomcat_apparmor (doesn't build, deprecated upstream)
- run spec-cleaner
- remove *.la files
- move usr.sbin.nscd profile back to apparmor-profiles package
-------------------------------------------------------------------
Wed Sep 7 10:35:12 MDT 2011 - jfehlig@suse.com
- Update patch apparmor-profiles-usr.sbin.dnsmasq to include
/var/lib/libvirt/dnsmasq/*.leases (bnc#694197).
-------------------------------------------------------------------
Mon Aug 22 11:54:21 UTC 2011 - opensuse@cboltz.de

View File

@ -15,9 +15,8 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
%bcond_without tomcat
%bcond_with tomcat
%bcond_without pam
%bcond_without apache
%bcond_with python
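Review bot: changing `%bcond_without tomcat` to `%bcond_with tomcat` matches the changelog ("doesn't build, deprecated upstream"), but the tomcat_apparmor subpackage and its `BuildRequires: ant`, `java-devel`, `tomcat6` lines remain guarded only by `%if %{with tomcat}`, so `--with tomcat` still attempts the known-broken build; add a comment next to the bcond saying why it is off so nobody flips it back without checking.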
@ -44,60 +43,68 @@ Name: apparmor
%if ! %{?distro:1}0
%define distro suse
%endif
Summary: AppArmor userlevel parser utility
Version: 2.6.1
Version: 2.7.beta1
Release: 1
Summary: AppArmor userlevel parser utility
%define versiondir 2.7.0~beta1
Group: Productivity/Networking/Security
Source0: apparmor-%{version}.tar.bz2
Source0: apparmor-%{version}.tar.gz
Source1: %{name}-profile-editor.png
Source2: %{name}-profile-editor.desktop
Source3: update-trans.sh
Patch1: apparmor-scripts
Patch3: apparmor-utils-add-log-types
Patch4: apparmor-utils-filenames-in-slash
# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
Patch5: apparmor-utils-string-split
Patch6: apparmor-profiles-cupsd-fix
Patch7: apparmor-profiles-sshd-fix
Patch8: apparmor-profiles-syslog-ng-fix
Patch9: apparmor-startproc.patch
# use autobuild everywhere. Patch applies to 2.6.1 only and probably won't be accepted upstream.
Patch10: apparmor-2.5.1-unified-build
# requires Patch10
Patch11: apparmor-2.5.1-rpmlint-asprintf
# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
Patch12: apparmor-2.5.1-edirectory-profile
# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
Patch13: apparmor-2.5.1-ldapclient-profile
Patch14: genprof-whitespace-in-profile-fix
# obsolete, upstream implemented this in another way
Patch15: apparmor-remove-repo
Patch16: apparmor-2.5.1-ntpd-sys_nice
Patch17: apparmor-2.5.1-ssl-fix
Patch18: apparmor-profiles-usr.sbin.dnsmasq
Patch19: klog-needs-CAP_SYSLOG
Patch20: apparmor-profiles-dhclient
# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
Patch21: apparmor-utils-subdomain-compat
Patch22: apparmor-securityfs-systemd.patch
Patch23: apparmor-2.6.0-dhcpd
Patch24: apparmor-compat-routines
License: GPLv2+
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Url: https://launchpad.net/apparmor
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if %{distro} == "suse"
PreReq: %{insserv_prereq} aaa_base
PreReq: %{insserv_prereq}
PreReq: aaa_base
%endif
BuildRequires: gcc-c++
BuildRequires: pkg-config
BuildRequires: pcre-devel
%define apparmor_bin_prefix /lib/apparmor
BuildRequires: bison flex latex2html w3m
BuildRequires: bison
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: latex2html
BuildRequires: pcre-devel
BuildRequires: pkg-config
BuildRequires: texlive-latex
BuildRequires: w3m
# TODO: put also to Requires?
BuildRequires: perl(Locale::gettext)
BuildRequires: perl(RPC::XML)
BuildRequires: perl(Term::ReadKey)
BuildRequires: swig
%if %{with python}
BuildRequires: python-devel swig
BuildRequires: python-devel
BuildRequires: swig
%endif
%if %{with ruby}
BuildRequires: ruby-devel swig
BuildRequires: ruby-devel
BuildRequires: swig
%endif
%if %{with apache}
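Review bot: `Version: 2.7.beta1` with `%define versiondir 2.7.0~beta1` is fine for upgrades (rpmvercmp orders 2.7.beta1 below 2.7.0), but `Source0: apparmor-%{version}.tar.gz` expands to apparmor-2.7.beta1.tar.gz while `%setup -n %{name}-%{versiondir}` expects the directory apparmor-2.7.0~beta1, so the tarball must have been renamed from whatever upstream ships; consider `Source0: apparmor-%{versiondir}.tar.gz` to keep the upstream name. Also `BuildRequires: swig` is now listed unconditionally and again inside both the python and ruby conditionals; the two conditional copies are redundant.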
@ -105,11 +112,15 @@ BuildRequires: apache2-devel
%endif
%if %{with tomcat}
BuildRequires: ant java-devel >= 1.6.0 tomcat6
BuildRequires: ant
BuildRequires: java-devel >= 1.6.0
BuildRequires: tomcat6
%endif
%if %{with editor}
BuildRequires: gcc-c++ update-desktop-files wxGTK-devel
BuildRequires: gcc-c++
BuildRequires: update-desktop-files
BuildRequires: wxGTK-devel
%endif
%if %{with gnome}
@ -121,7 +132,10 @@ BuildRequires: pkgconfig(libpanelapplet-2.0)
%endif
%if %{with dbus}
BuildRequires: audit-devel dbus-1-devel libapparmor-devel pkg-config
BuildRequires: audit-devel
BuildRequires: libapparmor-devel
BuildRequires: pkg-config
BuildRequires: pkgconfig(dbus-1)
%endif
%package parser
@ -161,13 +175,6 @@ This package contains documentation for AppArmor.
This package is part of a suite of tools that used to be named
SubDomain.
Authors:
--------
lcambell@novell.com
Seth Arnold <seth.arnold@novell.com>
%if %{with apache}
%package -n apache2-mod_apparmor
@ -185,15 +192,12 @@ SubDomain.
The documentation is in the apparmor-admin_en package.
Authors:
--------
sbeattie@suse.de
%endif
%package -n libapparmor1
License: LGPLv2.1+
Summary: Utility library for AppArmor
Group: Development/Libraries/C and C++
License: LGPLv2.1+
%ifarch ppc64
Obsoletes: libapparmor-64bit < %{version}
Provides: libapparmor-64bit = ${version}
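Review bot: `Provides: libapparmor-64bit = ${version}` (a context line, not introduced by this change) uses shell-style `${version}`, which rpm does not expand, so the ppc64 Provides carries a literal `${version}` and never pairs with the `Obsoletes: libapparmor-64bit < %{version}` line above it. Change it to `%{version}` while this block is being reordered.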
@ -208,34 +212,26 @@ This package provides the libapparmor library, which contains the
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
well as functions to parse AppArmor log messages.
Authors:
--------
Steve Beattie <sbeattie@suse.de>
Matt Barringer <mbarringer@suse.de>
%package -n libapparmor-devel
License: LGPLv2.1+
Requires: libapparmor1 = %{version}-%{release}
Group: Development/Libraries/C and C++
Provides: libapparmor:/usr/include/sys/apparmor.h
Summary: Development headers and libraries for libapparmor
Group: Development/Libraries/C and C++
Requires: libapparmor1 = %{version}
Provides: libapparmor:/usr/include/sys/apparmor.h
%description -n libapparmor-devel
These libraries are needed for developing software that makes use of the
AppArmor API.
Authors:
--------
Steve Beattie <sbeattie@suse.de>
Matt Barringer <mbarringer@suse.de>
%package -n perl-apparmor
License: GPLv2 ; LGPLv2.1+
Summary: Perl interface for libapparmor functions
Group: Development/Libraries/Perl
Requires: libapparmor1 = %{version}
Requires: perl = %{perl_version}
Requires: perl(Term::ReadKey) perl(DBD::SQLite) perl(RPC::XML)
Group: Development/Libraries/Perl
Summary: Perl interface for libapparmor functions
Requires: perl(DBD::SQLite)
Requires: perl(RPC::XML)
Requires: perl(Term::ReadKey)
Provides: perl-libapparmor
Obsoletes: perl-libapparmor < 2.5
@ -243,20 +239,15 @@ Obsoletes: perl-libapparmor < 2.5
This package provides the perl interface to AppArmor. It is used for perl
applications interfacing with AppArmor, including the AppArmor utilities.
Authors:
--------
Steve Beattie <sbeattie@suse.de>
Matt Barringer <mbarringer@suse.de>
%if %{with python}
%package -n python-apparmor
License: GPLv2 ; LGPLv2.1+
Requires: libapparmor1 = %{version}
BuildRequires: python
Requires: python = %{python_version}
Group: Development/Libraries/Python
Summary: Python interface for libapparmor functions
Group: Development/Libraries/Python
BuildRequires: python
Requires: libapparmor1 = %{version}
Requires: python = %{python_version}
Provides: python-libapparmor
Obsoletes: python-libapparmor < 2.5
@ -264,20 +255,16 @@ Obsoletes: python-libapparmor < 2.5
This package provides the python interface to AppArmor. It is used for python
applications interfacing with AppArmor.
Authors:
--------
Steve Beattie <sbeattie@suse.de>
Matt Barringer <mbarringer@suse.de>
%endif
%if %{with ruby}
%package -n ruby-apparmor
License: GPLv2 ; LGPLv2.1+
Summary: Ruby interface for libapparmor functions
Group: Development/Libraries/Ruby
Requires: libapparmor1 = %{version}
Requires: ruby = %{ruby_version}
Group: Development/Libraries/Ruby
Summary: Ruby interface for libapparmor functions
Provides: ruby-libapparmor
Obsoletes: ruby-libapparmor < 2.5
@ -285,19 +272,15 @@ Obsoletes: ruby-libapparmor < 2.5
This package provides the ruby interface to AppArmor. It is used for ruby
applications interfacing with AppArmor.
Authors:
--------
Steve Beattie <sbeattie@suse.de>
Matt Barringer <mbarringer@suse.de>
%endif
%package profiles
License: GPLv2 ; LGPLv2.1+
Summary: AppArmor profiles that are loaded into the apparmor kernel module
Group: Productivity/Security
Requires: apparmor-parser(CAP_SYSLOG)
Obsoletes: subdomain-profiles < %{version}
Provides: subdomain-profiles = %{version}
Requires: apparmor-parser(CAP_SYSLOG)
BuildArch: noarch
%description profiles
@ -309,18 +292,12 @@ vulnerabilities.
This package is part of a suite of tools that used to be named
SubDomain.
Authors:
--------
seth.arnold@suse.de
sbeattie@suse.de
jjohansen@suse.de
%package utils
License: GPLv2 ; LGPLv2.1+
Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
Group: Productivity/Security
Requires: perl = %{perl_version}
Requires: libapparmor1 = %{version}
Requires: perl = %{perl_version}
Requires: perl-apparmor = %{version}
BuildArch: noarch
@ -331,18 +308,14 @@ Besides it provides the aa-unconfined server information tool and the
aa-eventd event reporting system. It is part of a suite of tools that
used to be named SubDomain.
Authors:
--------
jmichael@suse.de
seth.arnold@suse.de
%if %{with tomcat}
%package -n tomcat_apparmor
License: GPLv2 ; LGPLv2.1+
Summary: Tomcat 6 plugin for AppArmor change_hat
Group: System/Libraries
Requires: libapparmor1 = %{version} tomcat6
Requires: libapparmor1 = %{version}
Requires: tomcat6
%description -n tomcat_apparmor
tomcat_apparmor - is a plugin for Apache Tomcat version 6 that
@ -351,9 +324,6 @@ containers that are bound to discrete elements of processing within the
Tomcat servlet container. The AppArmor containers, or "hats", can be
created for individual URL processing or per servlet.
Authors:
--------
dreynolds@suse.de
%endif
%if %{with pam}
@ -363,8 +333,10 @@ License: GPLv2 ; LGPLv2.1+
Summary: PAM module for AppArmor change_hat
Group: Productivity/Security
BuildRequires: pam-devel
Requires: pam pam-config
PreReq: pam pam-config
PreReq: pam
PreReq: pam-config
Requires: pam
Requires: pam-config
%description -n pam_apparmor
The pam_apparmor module provides the means for any PAM applications
@ -372,11 +344,6 @@ that call pam_open_session() to automatically perform an AppArmor
change_hat operation in order to switch to a user-specific security
policy.
Authors:
--------
jmichael@suse.de
sbeattie@suse.de
%endif
%if %{with dbus}
@ -390,10 +357,6 @@ Group: System/Monitoring
An audit dispatcher for sending AppArmor events over the DBUS system
bus.
Authors:
--------
Matt Barringer <mbarringer@suse.de>
%endif
%if %{with editor}
@ -406,10 +369,6 @@ Group: Productivity/Editors/Other
%description profile-editor
A syntax highlighting editor for AppArmor profiles.
Authors:
--------
Matt Barringer <mbarringer@suse.de>
%endif
%if %{with gnome}
@ -423,11 +382,6 @@ Group: System/GUI/GNOME
This taskbar applet receives AppArmor events over DBUS, and notifies
the user when AppArmor prevents an application from functioning.
Authors:
--------
Matt Barringer <mbarringer@suse.de>
%endif
%description
@ -444,37 +398,25 @@ SubDomain.
%endif
%prep
%setup -q -n %{name}-%{version}
%patch1 -p1
%patch3 -p1
%patch4 -p1
%setup -q -n %{name}-%{versiondir}
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
#%patch10 -p1 # disabled, see above
#%patch11 -p1 # disabled, see above
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
#%patch15 -p1 # obsolete, see above
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%build
export SUSE_ASNEEDED=0
autoreconf -fiv
# re-define _libdir to /lib or /lib64
%define _libdir /%{_lib}
%configure --disable-static --with-pic \
--with-perl \
# libapparmor:
(
cd ./libraries/libapparmor
sh ./autogen.sh
%configure --with-perl \
%if %{with python}
--with-python \
%else
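Review bot: the `#%patch10 -p1 # disabled, see above` and `#%patch15 -p1 # obsolete, see above` lines should be written with `%%patch` or deleted outright, because rpm expands macros inside `#` comments (rpmlint's macro-in-comment warning) and a commented-out `%patch` is easy to misread as still applied. In the same hunk `#make check` inside the libapparmor subshell leaves that test suite unrun; if it does not pass against the 2.7 beta, say why in the comment rather than silently dropping it. Note also that the old `%configure --disable-static --with-pic` has become a bare `%configure --with-perl`, so libapparmor now builds static archives as well.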
@ -485,38 +427,49 @@ autoreconf -fiv
%else
--without-ruby \
%endif
%if %{with tomcat}
--with-tomcat \
%else
--without-tomcat \
%endif
%if %{with pam}
--with-pam \
%else
--without-pam \
%endif
make
#make check
)
# Utilities:
make -C utils
# make -C utils check
# parser:
make -C parser
# techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough
make -C parser techdoc.txt
# make -C parser check
# Apache mod_apparmor:
%if %{with apache}
--with-apache \
%else
--without-apache \
%endif
%if %{with gnome}
--with-gnome \
%else
--without-gnome \
%endif
%if %{with dbus}
--with-dbus \
%else
--without-dbus \
%endif
%if %{with editor}
--with-profileeditor \
%else
--without-profileeditor \
make -C changehat/mod_apparmor
%endif
%{__make} %{?jobs:-j%jobs}
# PAM AppArmor:
%if %{with pam}
make -C changehat/pam_apparmor
%endif
# Profiles:
make -C profiles
# make -C profiles check
##configure --disable-static --with-pic \
#--with-perl \
%if %{with tomcat}
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
%endif
%if %{with gnome}
#--with-gnome \
%endif
%if %{with dbus}
#--with-dbus \
%endif
%if %{with editor}
#--with-profileeditor \
%endif
%if %{with ruby}
#rm libraries/libapparmor/swig/ruby/Makefile.ruby
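Review bot: the tail of this hunk keeps dead remnants of the removed unified configure call, `##configure --disable-static --with-pic \`, `#--with-perl \` and the now-empty `%if %{with gnome}` / `#--with-gnome \` / `%endif` blocks (likewise for dbus, editor and ruby); they build nothing and should be deleted rather than left as commented conditionals. Dropping `%{__make} %{?jobs:-j%jobs}` also makes every `make -C ...` invocation serial; pass `%{?jobs:-j%jobs}` to at least the parser and libapparmor makes. Finally `# make -C utils check`, `# make -C parser check` and `# make -C profiles check` disable three more test suites without a stated reason.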
@ -524,23 +477,37 @@ autoreconf -fiv
%endif
%install
%{make_install}
find $RPM_BUILD_ROOT -name .packlist -exec rm -f {} \;
find $RPM_BUILD_ROOT -name perllocal.pod -exec rm -f {} \;
# libapparmor
%makeinstall -C libraries/libapparmor
# create symlink for old change_hat(2) manpage
ln -s aa_change_hat.2 ${RPM_BUILD_ROOT}/%{_mandir}/man2/change_hat.2
( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )
mkdir ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d
install parser/rc.apparmor.suse ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/boot.apparmor
install parser/rc.aaeventd.suse ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/aaeventd
ln -s %{_sysconfdir}/init.d/aaeventd ${RPM_BUILD_ROOT}/sbin/rcaaeventd
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcapparmor
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcsubdomain
# utilities
%makeinstall -C utils VENDOR_PERL=%{perl_vendorlib}
mkdir -p %{buildroot}/var/log/apparmor
%makeinstall -C parser
%if %{with apache}
%makeinstall -C changehat/mod_apparmor
%endif
%if %{with pam}
%makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_libdir}/security
%endif
%makeinstall -C profiles
%if %{with tomcat}
mkdir -p %{buildroot}/%{CATALINA_HOME}
%makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME}
%endif
find %{buildroot} -name .packlist -exec rm -f {} \;
find %{buildroot} -name perllocal.pod -exec rm -f {} \;
# Re-create the links to the old names
for file in ${RPM_BUILD_ROOT}/usr/{sbin,share/man/man[0-9]}/aa-*; do
for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do
d=$(dirname $file)
f=$(basename $file)
if [ "${f#aa-}" != "$f" ]; then
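Review bot: `mkdir ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d` now runs directly after `%makeinstall -C libraries/libapparmor`, before anything else has populated the buildroot, so it fails unless that install happens to create `%{buildroot}/etc`; use `mkdir -p`. The hunk also mixes `${RPM_BUILD_ROOT}` (the init.d and rc symlink lines) with `%{buildroot}` (every added line); settle on one spelling. The `cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2` form is an improvement over the absolute-path symlink it replaces.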
@ -548,9 +515,9 @@ for file in ${RPM_BUILD_ROOT}/usr/{sbin,share/man/man[0-9]}/aa-*; do
fi
done
mv -f ${RPM_BUILD_ROOT}/usr/share/man/man8/{status.8,apparmor_status.8}
mv -f ${RPM_BUILD_ROOT}/usr/share/man/man8/{notify.8,apparmor_notify.8}
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man8/decode.8
mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8}
mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8}
rm -f %{buildroot}%{_mandir}/man8/decode.8
%if %{with editor}
%suse_update_desktop_file -i %{name}-profile-editor Utility TextEditor
@ -564,11 +531,17 @@ for pkg in apparmor-utils apparmor-parser; do
%find_lang $pkg
done
# Clean up profiles that are provided by other packages now
rm $RPM_BUILD_ROOT%{_sysconfdir}/apparmor.d/usr.sbin.nscd
# remove *.la files
rm -fv %{buildroot}%{_libdir}/libapparmor.la %{buildroot}%{_libdir}/libimmunix.la
%clean
rm -rf $RPM_BUILD_ROOT
echo -------------------------------------------------------------------
find -ls
echo -------------------------------------------------------------------
head -n1000 *.lang
echo -------------------------------------------------------------------
echo -------------------------------------------------------------------
find %{buildroot} -ls
echo -------------------------------------------------------------------
%files docs
%defattr(-,root,root)
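Review bot: as rendered, `find %{buildroot} -ls` sits after `rm -rf $RPM_BUILD_ROOT` in %clean, where it can only list an empty tree; if the listing is a debugging aid for the new install layout, put it at the end of %install, otherwise drop it together with the `echo ----` separators. Removing `rm $RPM_BUILD_ROOT%{_sysconfdir}/apparmor.d/usr.sbin.nscd` is consistent with shipping that profile from apparmor-profiles again, and `rm -fv %{buildroot}%{_libdir}/libapparmor.la %{buildroot}%{_libdir}/libimmunix.la` matches the `.la` entries dropped from %files below.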
@ -612,10 +585,11 @@ fi
%files -n libapparmor1
%defattr(-,root,root)
%{_libdir}/libapparmor.la
%{_libdir}/libimmunix.la
%{_libdir}/libapparmor.so*
%{_libdir}/libimmunix.so*
# not sure about the correct package for *.a files...
%{_libdir}/libapparmor.a
%{_libdir}/libimmunix.a
%files -n libapparmor-devel
%defattr(-,root,root)
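Review bot: `%{_libdir}/libapparmor.a` and `%{_libdir}/libimmunix.a` do not belong in the runtime package libapparmor1, as the comment `not sure about the correct package for *.a files` already suspects; static archives go into libapparmor-devel, or better, restore `--disable-static` in the libapparmor `%configure` call so they are not built at all, which is the usual practice for shared-library packages.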
@ -623,22 +597,22 @@ fi
%{_libdir}/libimmunix.so
%doc %{_mandir}/man2/aa_change_hat.2.gz
%doc %{_mandir}/man2/change_hat.2.gz
%doc %{_mandir}/man2/aa_find_mountpoint.2.gz
%doc %{_mandir}/man2/aa_getcon.2.gz
%dir %{_includedir}/aalogparse
%{_includedir}/sys/apparmor.h
%{_includedir}/aalogparse/*
# hrm, still need to enumerate each directory in these paths in files :(
%define extras_dir %{_sysconfdir}/apparmor/profiles/extras/
%define profiles_dir %{_sysconfdir}/apparmor.d/
# %define extras_dir %{_sysconfdir}/apparmor/profiles/extras/
# %define profiles_dir %{_sysconfdir}/apparmor.d/
%files profiles
%defattr(-,root,root)
%attr(644, root, root) %config(noreplace) %{profiles_dir}/*
%attr(644, root, root) %{extras_dir}/*
%dir %{_sysconfdir}/apparmor.d/
%defattr(644,root,root,755)
%config(noreplace) %{_sysconfdir}/apparmor.d/
%dir %{_sysconfdir}/apparmor/
%dir %{_sysconfdir}/apparmor/profiles
%dir %{_sysconfdir}/apparmor/profiles/extras
%config %{_sysconfdir}/apparmor/profiles/extras/
%files utils
%defattr(-,root,root)
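Review bot: `%dir %{_sysconfdir}/apparmor.d/` is redundant with the following `%config(noreplace) %{_sysconfdir}/apparmor.d/`, which already owns the directory and everything beneath it. Listing the whole tree also marks every file under apparmor.d, abstractions and tunables included, as %config(noreplace), so a locally edited abstraction keeps the old copy on upgrade and the updated one lands as .rpmnew; if that is intended only for the profiles themselves, list abstractions/ and tunables/ separately as plain %config.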
@ -657,6 +631,7 @@ fi
%doc %{_mandir}/man8/audit.8.gz
%doc %{_mandir}/man8/autodep.8.gz
%doc %{_mandir}/man8/complain.8.gz
%doc %{_mandir}/man8/disable.8.gz
%doc %{_mandir}/man8/enforce.8.gz
%doc %{_mandir}/man8/genprof.8.gz
%doc %{_mandir}/man8/logprof.8.gz
@ -669,8 +644,7 @@ fi
%files -n perl-apparmor
%defattr(-,root,root)
%{perl_vendorlib}/Immunix
%dir %{perl_vendorarch}/auto/LibAppArmor
%{perl_vendorarch}/auto/LibAppArmor/*
%{perl_vendorarch}/auto/LibAppArmor/
%{perl_vendorarch}/LibAppArmor.pm
%if %{with python}
@ -693,7 +667,6 @@ fi
%files -n pam_apparmor
%defattr(444,root,root,755)
%attr(555,root,root) %{_libdir}/security/pam_apparmor.so
%attr(555,root,root) %{_libdir}/security/pam_apparmor.la
%endif
%if %{with tomcat}
@ -729,9 +702,9 @@ fi
%{_bindir}/profileeditor
%{_docdir}/profileeditor/AppArmorProfileEditor.htb
%if 0
%{_prefix}/share/doc/profileeditor/AppArmorProfileEditor.htb
%{_datadir}/doc/profileeditor/AppArmorProfileEditor.htb
%endif
%dir %{_prefix}/share/doc/profileeditor
%dir %{_datadir}/doc/profileeditor
%endif
%if %{with gnome}
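Review bot: the `%if 0` ... `%endif` block is dead code and its `%{_datadir}/doc/profileeditor/AppArmorProfileEditor.htb` duplicates the `%{_docdir}/profileeditor/AppArmorProfileEditor.htb` line above it; delete the block instead of updating the path inside it.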


@ -1,39 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: setprofileflags() drops leading whitespace
References: bnc#480795
setprofileflags() drops leading whitespace for subprofiles. writeheader()
properly indents subprofiles 2 spaces per nesting level but when
genprof sets the profile to enforce mode at completion, the whitespace
is removed.
This patch adds the whitespace globbing to the regexp and uses it to
prefix the sub-profile with the correct spacing.
Reported at: https://bugzilla.novell.com/show_bug.cgi?id=480795
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/Immunix/AppArmor.pm | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -1033,13 +1033,13 @@ sub setprofileflags ($$) {
if (open(PROFILE, "$filename")) {
if (open(NEWPROFILE, ">$filename.new")) {
while (<PROFILE>) {
- if (m/^\s*(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
- my ($binary, $flags) = ($1, $5);
+ if (m/^(\s*)(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
+ my ($space, $binary, $flags) = ($1, $2, $6);
if ($newflags) {
- $_ = "$binary flags=($newflags) {\n";
+ $_ = "$space$binary flags=($newflags) {\n";
} else {
- $_ = "$binary {\n";
+ $_ = "$space$binary {\n";
}
} elsif (m/^(\s*\^\S+)\s+(flags=\(.+\)\s+)*\{\s*$/) {
my ($hat, $flags) = ($1, $2);
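Review bot: since this patch is deleted rather than replaced, confirm that the new upstream utils/Immunix/AppArmor.pm already carries the `^(\s*)` leading-whitespace capture in setprofileflags() and the `$space$binary` prefix; otherwise genprof setting enforce mode will again strip the indentation of subprofiles (bnc#480795). The regex change itself is consistent with the untouched hat branch below it, whose `(\s*\^\S+)` capture already keeps its whitespace.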


@ -1,35 +0,0 @@
---
parser/parser_misc.c | 4 ++++
profiles/apparmor.d/sbin.klogd | 1 +
2 files changed, 5 insertions(+)
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -129,6 +129,9 @@ static int get_table_token(const char *n
static struct keyword_table capability_table[] = {
/* capabilities */
#include "cap_names.h"
+#ifndef CAP_SYSLOG
+ {"syslog", 34},
+#endif
/* terminate */
{NULL, 0}
};
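Review bot: the bare `34` in `{"syslog", 34}` deserves a comment stating that it is the kernel's CAP_SYSLOG value, supplied here only for builds against headers that predate it; the `#ifndef CAP_SYSLOG` guard relies on the preceding `#include "cap_names.h"` to provide the entry whenever the headers do define it. As with the other patches being dropped, check that the upstream parser now accepts `capability syslog` before deleting this.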
@@ -866,6 +869,7 @@ static const char *capnames[] = {
"audit_control",
"setfcap",
"mac_override"
+ "syslog",
};
const char *capability_to_name(unsigned int cap)
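Review bot: `"mac_override"` has no trailing comma, so inserting `+ "syslog",` directly after it makes the compiler concatenate the two adjacent literals into a single `"mac_overridesyslog"` entry: the array gains no new element, `capability_to_name()` returns the wrong string for the mac_override index and nothing for syslog. The fix is a comma on the `"mac_override"` line (a removed/added pair in the hunk); worth checking that the upstream version this was folded into does not carry the same slip.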
--- a/profiles/apparmor.d/sbin.klogd
+++ b/profiles/apparmor.d/sbin.klogd
@@ -15,6 +15,7 @@
#include <abstractions/base>
capability sys_admin,
+ capability syslog,
network inet stream,
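Review bot: with this patch gone, the klogd profile must get `capability syslog,` from the upstream 2.7 profiles instead; on kernels that require CAP_SYSLOG for reading the kernel ring buffer, a confined klogd without it is denied and kernel messages stop reaching syslog, so verify the shipped `profiles/apparmor.d/sbin.klogd` before accepting the deletion.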