From 76a45f653d5233befb1a5b996a2e6b31ac98433be56556702ef6b4afa8e19b00 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Mon, 28 Nov 2011 11:52:47 +0000 Subject: [PATCH] Accepting request 93892 from security:apparmor:factory - package subdomain.conf only in -parser, not in -utils package - package libapparmor.so and libimmunix.so only in libapparmor-devel, not in libapparmor1 - make Provides for perl-libapparmor versioned to avoid self-Obsoletes - move libapparmor.a and libimmunix.a from libapparmor1 to libapparmor-devel package - update to AppArmor 2.7.0 rc2 Most of the changes since rc1 were already included as patches. Additional changes: - fix logprof/genprof to recognize "mknod" in audit.log - fix libapparmor python bindings to compile with python 3 - fix wrong status message in initscript if apparmor-utils are not installed - parser/Makefile: fix some warnings, always respect CXX and LDFLAGS - fix some warnings in utils/Makefile - remove 4 upstreamed patches - remove mkdir /etc/apparmor.d/disable - that's done by upstream Makefile now - update line numbers in 2 patches OBS-URL: https://build.opensuse.org/request/show/93892 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=30 --- apparmor-2.5.1-edirectory-profile | 2 +- apparmor-2.5.1-ldapclient-profile | 66 ------------------- ...7.0rc1-aa-notify-better-error-message.diff | 21 ------ apparmor-2.7.rc1.tar.gz | 3 - apparmor-2.7.rc2.tar.gz | 3 + apparmor-abstractions-winbind-64bit.diff | 21 ------ ...-samba-include-permissions-for-shares.diff | 2 +- apparmor-samba-vfs-objects.diff | 18 ----- apparmor.changes | 25 +++++++ apparmor.spec | 32 ++------- 10 files changed, 37 insertions(+), 156 deletions(-) delete mode 100644 apparmor-2.5.1-ldapclient-profile delete mode 100644 apparmor-2.7.0rc1-aa-notify-better-error-message.diff delete mode 100644 apparmor-2.7.rc1.tar.gz create mode 100644 apparmor-2.7.rc2.tar.gz delete mode 100644 apparmor-abstractions-winbind-64bit.diff delete mode 100644 apparmor-samba-vfs-objects.diff diff --git a/apparmor-2.5.1-edirectory-profile b/apparmor-2.5.1-edirectory-profile index 6f10ecf..787c434 100644 --- a/apparmor-2.5.1-edirectory-profile +++ b/apparmor-2.5.1-edirectory-profile @@ -17,7 +17,7 @@ Signed-off-by: Jeff Mahoney --- a/profiles/apparmor.d/abstractions/nameservice +++ b/profiles/apparmor.d/abstractions/nameservice -@@ -72,6 +72,9 @@ +@@ -70,6 +70,9 @@ # kerberos #include diff --git a/apparmor-2.5.1-ldapclient-profile b/apparmor-2.5.1-ldapclient-profile deleted file mode 100644 index 6d9e614..0000000 --- a/apparmor-2.5.1-ldapclient-profile +++ /dev/null @@ -1,66 +0,0 @@ -Thu Jan 6 16:23:19 UTC 2011 - rhafer@suse.de - -- Splitted ldap related things from nameservice into separate - profile and added some missing paths (bnc#662761) - - ---- - profiles/apparmor.d/abstractions/ldapclient | 21 +++++++++++++++++++++ - profiles/apparmor.d/abstractions/nameservice | 8 +++----- - 2 files changed, 24 insertions(+), 5 deletions(-) - ---- /dev/null -+++ b/profiles/apparmor.d/abstractions/ldapclient -@@ -0,0 +1,21 @@ -+# ------------------------------------------------------------------ -+# -+# Copyright (C) 2011 Novell/SUSE -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. -+# -+# ------------------------------------------------------------------ -+ -+ # files required by LDAP clients (e.g. nss_ldap/pam_ldap) -+ /etc/ldap.conf r, -+ /etc/ldap.secret r, -+ /etc/openldap/* r, -+ /etc/openldap/cacerts/* r, -+ -+ # SASL plugins and config -+ /etc/sasl2/* r, -+ /usr/lib{,32,64}/sasl2/* r, -+ -+ #include ---- a/profiles/apparmor.d/abstractions/nameservice -+++ b/profiles/apparmor.d/abstractions/nameservice -@@ -16,8 +16,6 @@ - /etc/group r, - /etc/host.conf r, - /etc/hosts r, -- /etc/ldap.conf r, -- /etc/ldap.secret r, - /etc/nsswitch.conf r, - /etc/gai.conf r, - /etc/passwd r, -@@ -32,9 +30,6 @@ - - /etc/samba/lmhosts r, - /etc/services r, -- # all openldap config -- /etc/openldap/* r, -- /etc/ldap/** r, - # db backend - /var/lib/misc/*.db r, - # The Name Service Cache Daemon can cache lookups, sometimes leading -@@ -60,6 +55,9 @@ - # nis - #include - -+ # ldap -+ #include -+ - # winbind - #include - diff --git a/apparmor-2.7.0rc1-aa-notify-better-error-message.diff b/apparmor-2.7.0rc1-aa-notify-better-error-message.diff deleted file mode 100644 index 2a13c24..0000000 --- a/apparmor-2.7.0rc1-aa-notify-better-error-message.diff +++ /dev/null @@ -1,21 +0,0 @@ -Add a more helpful error message to aa-notify -p if the user is not in -the configured group. - -Pending for review upstream. - - -Signed-off-by: Christian Boltz - -=== modified file 'utils/aa-notify' ---- utils/aa-notify 2011-10-12 11:08:25 +0000 -+++ utils/aa-notify 2011-10-16 13:53:23 +0000 -@@ -151,7 +151,7 @@ - if (defined($prefs{use_group})) { - my ($name, $passwd, $gid, $members) = getgrnam($prefs{use_group}); - if (not defined($members) or not defined($login) or (not grep { $_ eq $login } split(/ /, $members) and $login ne "root")) { -- _error("'$login' must be in '$prefs{use_group}' group. Aborting"); -+ _error("'$login' must be in '$prefs{use_group}' group. Aborting.\nAsk your admin to add you to this group or to change the group in\n$conf if you want to use aa-notify."); - } - } - } - diff --git a/apparmor-2.7.rc1.tar.gz b/apparmor-2.7.rc1.tar.gz deleted file mode 100644 index 5a82c29..0000000 --- a/apparmor-2.7.rc1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e4e93cbca008cbec2da080931a5e8d7dc170c993fd5f070fdc04c4062a687ce3 -size 1427050 diff --git a/apparmor-2.7.rc2.tar.gz b/apparmor-2.7.rc2.tar.gz new file mode 100644 index 0000000..a97a59d --- /dev/null +++ b/apparmor-2.7.rc2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c360763503c6e68b46ae0a563efad878c7ab4c28a0f8084035aa3f04bc914437 +size 1427203 diff --git a/apparmor-abstractions-winbind-64bit.diff b/apparmor-abstractions-winbind-64bit.diff deleted file mode 100644 index 6b4f62d..0000000 --- a/apparmor-abstractions-winbind-64bit.diff +++ /dev/null @@ -1,21 +0,0 @@ -Make abstractions/winbind working on 64bit systems - valid.dat etc. are in -/usr/lib64/samba/ there - -Signed-Off-by: Christian Boltz -Acked-By: Steve Beattie - -=== modified file 'profiles/apparmor.d/abstractions/winbind' ---- profiles/apparmor.d/abstractions/winbind 2010-12-20 20:29:10 +0000 -+++ profiles/apparmor.d/abstractions/winbind 2011-11-01 15:56:49 +0000 -@@ -13,7 +13,7 @@ - /tmp/.winbindd/pipe rw, - /var/{lib,run}/samba/winbindd_privileged/pipe rw, - /etc/samba/smb.conf r, -- /usr/lib/samba/valid.dat r, -- /usr/lib/samba/upcase.dat r, -- /usr/lib/samba/lowcase.dat r, -+ /usr/lib*/samba/valid.dat r, -+ /usr/lib*/samba/upcase.dat r, -+ /usr/lib*/samba/lowcase.dat r, - - diff --git a/apparmor-samba-include-permissions-for-shares.diff b/apparmor-samba-include-permissions-for-shares.diff index 7b00fa8..d6dcedb 100644 --- a/apparmor-samba-include-permissions-for-shares.diff +++ b/apparmor-samba-include-permissions-for-shares.diff @@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz === modified file 'profiles/apparmor.d/usr.sbin.smbd' --- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000 +++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000 -@@ -40,6 +40,10 @@ +@@ -41,6 +41,10 @@ @{HOMEDIRS}/** lrwk, diff --git a/apparmor-samba-vfs-objects.diff b/apparmor-samba-vfs-objects.diff deleted file mode 100644 index c41ee74..0000000 --- a/apparmor-samba-vfs-objects.diff +++ /dev/null @@ -1,18 +0,0 @@ -Allow loading the libraries used for Samba "vfs objects = ..." - -References: https://bugzilla.novell.com/show_bug.cgi?id=725967 - -Signed-off-by: Christian Boltz - - -=== modified file 'profiles/apparmor.d/usr.sbin.smbd' ---- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000 -+++ profiles/apparmor.d/usr.sbin.smbd 2011-10-26 20:43:13 +0000 -@@ -24,6 +24,7 @@ - /etc/printcap r, - /proc/*/mounts r, - /proc/sys/kernel/core_pattern r, -+ /usr/lib*/samba/vfs/*.so mr, - /usr/sbin/smbd mr, - /etc/samba/* rwk, - /var/cache/samba/** rwk, diff --git a/apparmor.changes b/apparmor.changes index 3bda4cc..2c131d0 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Sat Nov 26 21:52:31 UTC 2011 - opensuse@cboltz.de + +- package subdomain.conf only in -parser, not in -utils package +- package libapparmor.so and libimmunix.so only in libapparmor-devel, + not in libapparmor1 +- make Provides for perl-libapparmor versioned to avoid self-Obsoletes +- move libapparmor.a and libimmunix.a from libapparmor1 to + libapparmor-devel package + +------------------------------------------------------------------- +Thu Nov 10 20:16:24 UTC 2011 - opensuse@cboltz.de + +- update to AppArmor 2.7.0 rc2 + Most of the changes since rc1 were already included as patches. + Additional changes: + - fix logprof/genprof to recognize "mknod" in audit.log + - fix libapparmor python bindings to compile with python 3 + - fix wrong status message in initscript if apparmor-utils are not installed + - parser/Makefile: fix some warnings, always respect CXX and LDFLAGS + - fix some warnings in utils/Makefile +- remove 4 upstreamed patches +- remove mkdir /etc/apparmor.d/disable - that's done by upstream Makefile now +- update line numbers in 2 patches + ------------------------------------------------------------------- Tue Nov 1 17:39:29 UTC 2011 - opensuse@cboltz.de diff --git a/apparmor.spec b/apparmor.spec index 8417339..fe28656 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -43,9 +43,9 @@ Name: apparmor %if ! %{?distro:1}0 %define distro suse %endif -Version: 2.7.rc1 +Version: 2.7.rc2 Release: 1 -%define versiondir 2.7.0~rc1 +%define versiondir 2.7.0~rc2 Summary: AppArmor userlevel parser utility Group: Productivity/Networking/Security Source0: apparmor-%{version}.tar.gz @@ -53,21 +53,12 @@ Source1: %{name}-profile-editor.png Source2: %{name}-profile-editor.desktop Source3: update-trans.sh -# more helpful error message for "aa-notify -p" if the user is not in the configured group. Commited upstream after 2.7rc1. -Patch: apparmor-2.7.0rc1-aa-notify-better-error-message.diff - # enable caching of profiles (= massive performance speedup when loading profiles) Patch1: apparmor-enable-profile-cache.diff # include autogenerated profile sniplet for samba shares (bnc#688040) Patch2: apparmor-samba-include-permissions-for-shares.diff -# allow samba "vfs objects" (bnc#725967). Commited upstream after 2.7rc1. -Patch3: apparmor-samba-vfs-objects.diff - -# make abstractions/winbind working on 64bit systems. Commited upstream after 2.7rc1. -Patch4: apparmor-abstractions-winbind-64bit.diff - # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width. Patch5: apparmor-utils-string-split @@ -78,8 +69,6 @@ Patch11: apparmor-2.5.1-rpmlint-asprintf # Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions Patch12: apparmor-2.5.1-edirectory-profile -# split ldap related things from abstractions/nameservice to abstractions/ldapclient and add sasl support. Commited upstream after 2.7rc1. -Patch13: apparmor-2.5.1-ldapclient-profile # obsolete, upstream implemented this in another way Patch15: apparmor-remove-repo @@ -246,7 +235,7 @@ Requires: perl(RPC::XML) Requires: perl(RPC::XML) Requires: perl(Term::ReadKey) Requires: perl(Term::ReadKey) -Provides: perl-libapparmor +Provides: perl-libapparmor = %{version} Obsoletes: perl-libapparmor < 2.5 %description -n perl-apparmor @@ -412,16 +401,12 @@ SubDomain. %prep %setup -q -n %{name}-%{versiondir} -%patch -p0 %patch1 -p1 %patch2 -p0 -%patch3 -p0 -%patch4 -p0 %patch5 -p1 #%patch10 -p1 # disabled, see above #%patch11 -p1 # disabled, see above %patch12 -p1 -%patch13 -p1 #%patch15 -p1 # obsolete, see above %patch21 -p1 @@ -505,7 +490,6 @@ make -C profiles mkdir -p %{buildroot}%{_localstatedir}/log/apparmor %makeinstall -C profiles -mkdir %{buildroot}%{_sysconfdir}/apparmor.d/disable %makeinstall -C parser # default cache dir is /etc/apparmor.d/cache - not the best location. @@ -606,14 +590,13 @@ fi %files -n libapparmor1 %defattr(-,root,root) -%{_libdir}/libapparmor.so* -%{_libdir}/libimmunix.so* -# not sure about the correct package for *.a files... -%{_libdir}/libapparmor.a -%{_libdir}/libimmunix.a +%{_libdir}/libapparmor.so.* +%{_libdir}/libimmunix.so.* %files -n libapparmor-devel %defattr(-,root,root) +%{_libdir}/libapparmor.a +%{_libdir}/libimmunix.a %{_libdir}/libapparmor.so %{_libdir}/libimmunix.so %doc %{_mandir}/man2/aa_change_hat.2.gz @@ -642,7 +625,6 @@ fi %config(noreplace) %{_sysconfdir}/apparmor/logprof.conf %config(noreplace) %{_sysconfdir}/apparmor/notify.conf %config(noreplace) %{_sysconfdir}/apparmor/severity.db -%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf %{_sbindir}/* %dir %{_localstatedir}/log/apparmor %doc %{_mandir}/man2/aa_change_profile.2.gz