Accepting request 266140 from home:cbosdonnat:branches:security:apparmor

- Fix dnsmasq profile to allow executing bash to run the --dhcp-script argument. Also fixed /usr/lib -> /usr/{lib,lib64} to get libvirt leasehealper script to run even on x86_64. dnsmasq-profile-fixes.patch. boo#911001 OBS-URL: https://build.opensuse.org/request/show/266140 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=114
2014-12-22 12:55:06 +00:00 · 2014-12-22 12:55:06 +00:00 · 7a29d85d80
commit 7a29d85d80
parent 2520f26685
3 changed files with 34 additions and 0 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Dec 22 10:26:15 UTC 2014 - cbosdonnat@suse.com
+
+- Fix dnsmasq profile to allow executing bash to run the --dhcp-script
+  argument. Also fixed /usr/lib -> /usr/{lib,lib64} to get libvirt
+  leasehealper script to run even on x86_64.
+  dnsmasq-profile-fixes.patch. boo#911001
+
 -------------------------------------------------------------------
 Sun Dec 21 16:22:27 UTC 2014 - opensuse@cboltz.de

--- a/apparmor.spec
+++ b/apparmor.spec
@ -95,6 +95,9 @@ Patch6:         apparmor-abstractions-no-multiline.diff
 # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
 Patch7:         apparmor-lessopen-profile.patch

+# boo#911001 - Allow executing --dhcp-client script
+Patch8:         dnsmasq-profile-fixes.patch
+
 Url:            https://launchpad.net/apparmor
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -434,6 +437,7 @@ SubDomain.

 %patch6
 %patch7 -p1
+%patch8 -p1
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"

--- a/dnsmasq-profile-fixes.patch
+++ b/dnsmasq-profile-fixes.patch
@ -0,0 +1,22 @@
+Index: apparmor-2.9.0/profiles/apparmor.d/usr.sbin.dnsmasq
+===================================================================
+--- apparmor-2.9.0.orig/profiles/apparmor.d/usr.sbin.dnsmasq
+++ apparmor-2.9.0/profiles/apparmor.d/usr.sbin.dnsmasq
+@@ -44,6 +44,8 @@
+ 
+   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+ 
+  /bin/bash ix, # Required to execute --dhcp-script argument
+
+   # access to iface mtu needed for Router Advertisement messages in IPv6
+   # Neighbor Discovery protocol (RFC 2461)
+   @{PROC}/sys/net/ipv6/conf/*/mtu r,
+@@ -63,7 +65,7 @@
+   /{,var/}run/libvirt/network/*.pid rw,
+ 
+   # libvirt lease helper
+-  /usr/lib/libvirt/libvirt_leaseshelper ix,
+  /usr/{lib,lib64}/libvirt/libvirt_leaseshelper ix,
+   /{,var/}run/leaseshelper.pid rwk,
+ 
+   # NetworkManager integration